Reports
Actions for Service NSW's handling of personal information
Service NSW's handling of personal information
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.
The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.
The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.
The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.
Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.
Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.
Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.
The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.
In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.
In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.
This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.
This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.
It addressed the following:
- Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
- Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
- Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?
ConclusionService NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring. Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies. The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred. There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system. Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies. Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents. |
1. Key findings
Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020
Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.
Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.
One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.
This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.
It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.
Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers
There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.
In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.
A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.
Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.
Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies
Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.
The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.
Service NSW's privacy management plan has not been updated to include new programs and governance changes
Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.
The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).
Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes
Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.
Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.
Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks
Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.
The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.
While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.
2. Recommendations
Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.
As a matter of urgency, Service NSW should:
1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies
2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.
By March 2021, Service NSW should:
3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:
- to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
- to better reflect the full scope and complexity of personal information handled by Service NSW
- to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
- to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information
5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:
- ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
- ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:
6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:
- establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
- enable partitioning and role based access restrictions to personal information collected for different programs
- provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
- enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:
7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:
- the content and provision of privacy collection notices
- the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
- steps that will be taken by each agency to ensure that personal information is kept secure
- the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
- how identified breaches of privacy will be handled between agencies
8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:
- are identified as high risk and have not previously had a privacy impact assessment
- have had major changes or updates since the privacy impact assessment was completed.
Appendix one – Responses from agencies
Appendix two – About the audit
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Central Agencies 2020
Central Agencies 2020
This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
Audit opinions and timeliness of reporting |
Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified. All agencies met statutory deadlines for submitting |
Agencies were financially impacted by recent emergency events | The NSW Government allocated $1.4 billion to provide small business support and bushfire recovery relief, support COVID-19 quarantine compliance management, recruit more staff to respond to increased customer demand, and meet additional COVID-19 cleaning requirements. Agencies spent $901 million (64 per cent of the allocated funding) for the financial year ended 30 June 2020. NSW Self Insurance Corporation reported an increase of $850 million in its liability for claims related to emergency events. |
AASB 16 'Leases' resulted in significant changes to agencies' financial position | The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected. |
Implementation of new revenue standards | NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue, which have been corrected in the final financial statements. |
2. Audit observations
Management letter findings and repeat issues | Our 2019–20 audits identified nine high risk and 122 moderate risk issues across central agencies and the Legislature. The high risk issues were identified in the audits of:
High risk findings include:
Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records. |
Grants administration for disaster relief | Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by emergency events for the financial year ended 30 June 2020. A performance audit of grants administration for disaster relief is planned for 2020–21. It will assess whether grants programs administered under the Small Business Support Fund were effectively designed and implemented to provide disaster relief. |
Internal controls at GovConnect NSW service providers require enhancement |
GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued:
These may impact on the ability of agencies to detect and respond to a cyber incident. Recommendation: We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority. |
The NSW Public Sector's cyber security resilience needs to improve |
The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8. Repeat recommendation: Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency |
Three Insurance and Care NSW (icare) entities had net asset deficiencies at 30 June 2020 | The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. These icare entities did not hold sufficient assets to meet the estimated present value of all of their future payment obligations at 30 June 2020. The deterioration in net assets was largely due to increases in outstanding claims liabilities. Notwithstanding the overall net asset deficiencies, the financial statements for these entities were prepared on a going concern basis. This is because future payment obligations are not all due within the next 12 months. Settlement is instead expected to occur over years into the future, depending on the nature of the benefits provided by each scheme. |
icare has not been able to demonstrate that its allocation of costs reflects the actual costs incurred by the Workers Compensation Nominal Insurer and other schemes |
Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements. Recommendation: icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs. |
icare did not comply with GIPA requirements | icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20 and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020. |
Implementation of Machinery of Government (MoG) changes | MoG changes impacted the governance and business processes of some agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG implementation processes at Infrastructure NSW and in the Customer Service cluster. |
This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.
Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.
Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines:
- our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
- our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.
Section highlights
|
Actions for Internal controls and governance 2020
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for State Finances 2020
State Finances 2020
The Auditor-General for New South Wales, Margaret Crawford, released her report today on State Finances for the year ended 30 June 2020.
‘I am pleased to once again report that I issued an unmodified audit opinion on the State’s consolidated financial statements,’ the Auditor-General said.
The report acknowledges this has been a challenging year, with New South Wales impacted by natural disasters and the COVID-19 pandemic.
The State’s Budget Result, reported in the financial statements, was a deficit of $6.9 billion. This is different to the 2019-20 budget forecast surplus of $1.0 billion and is an outcome of the government’s significant response to bushfires and COVID-19.
The report summarises a number of audit and accounting matters arising from the audit of the Total State Sector Accounts, a sector that comprises 291 entities controlled by the NSW Government with total assets of $495 billion and total liabilities of $256 billion.
Our audit opinion on the State’s 2019–20 financial statements was unmodified
An unmodified audit opinion was issued on the State’s 2019–20 consolidated financial statements.
The State extended signing its financial statements by six weeks.
Natural disasters, the COVID-19 pandemic and other factors impacted the State’s 2019–20 reporting timetable. The State extended signing its financial statements by six weeks, compared with 2018–19.
All agencies were also given a two-week extension to prepare their financial statements compared with 2018–19. Further extensions beyond two weeks were subsequently approved for the following 11 agencies (7 in 2018–19) to submit completed financial statements for audit:
- Department of Communities and Justice
- Department of Customer Service
- Department of Planning, Industry and Environment
- Department of Regional NSW
- Department of Transport
- Environment Protection Authority
- Infrastructure NSW
- Lord Howe Island Board
- NSW Crown Holiday Parks Land Manager
- Service NSW
- Water Administration Ministerial Corporation.
The extensions reflected that the COVID-19 pandemic impacted agencies’ work environments during the first six months of 2020. This was at a time when many were still implementing machinery of government changes and preparing to implement three significant new accounting standards:
- AASB 15 Revenue from Contracts with Customers (issued December 2014, effective 1 July 2019)
- AASB 16 Leases (issued February 2016, effective 1 July 2019)
- AASB 1058 Income of Not-for-profit entities (issued December 2016, effective 1 July 2019).
These new accounting standards were issued some years before they became effective, to allow reporting entities sufficient time to prepare for implementation. Notwithstanding this, some agencies had not fully implemented the new accounting standards in time for early close procedures, and the unforeseen impact of COVID-19 further complicated the year-end financial reporting processes for the State and its agencies.
The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.
In 2019–20, agency financial statements presented for audit contained 19 errors exceeding $20 million (six in 2018–19). The total value of these errors increased to $1.4 billion ($927 million in 2018–19).
The errors resulted from:
- incorrectly applying Australian Accounting Standards and Treasury Policies
- incorrect judgements and assumptions when valuing noncurrent physical assets and liabilities
- incorrectly interpreting the accounting treatment for unspent stimulus funding.
Errors in agency financial statements exceeding $20m (2016–2020)
$4.1 billion in stimulus funding was allocated in 2019–20
The government implemented an economic stimulus package primarily to mitigate the impacts of the COVID-19 pandemic on New South Wales.
The COVID-19 pandemic and bushfires had a significant impact on the State’s finances, reducing its revenue and increasing its expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health.
The government announced a $4.1 billion health and economic stimulus package in 2019–20. This primarily included:
- $2.2 billion in health measures including purchases of essential medical equipment and increasing clinical health capacity (like intensive care spaces)
- $1.0 billion in small business and land tax relief
- $355 million in extra cleaning services and quarantine costs.
Cluster agencies had spent $3.0 billion (just under 75 per cent) of the COVID-19 stimulus package by 30 June 2020.
The Health cluster incurred most of this expenditure.
Total spend relating to bushfires was $1.3 billion in 2019–20.
The graph below shows the total allocation and spend by cluster to 30 June 2020.
Economic stimulus allocation and spend by cluster to 30 June 2020
Deficit of $6.9 billion compared with a budgeted surplus of $1.0 billion
An outcome of the government’s overall activity and policies is its net operating balance (Budget Result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.
The General Government Sector, which comprises 199 entities, generally provides goods and services funded centrally by the State.
The Non-General Government Sector, which comprises 92 government businesses, generally provides goods and services, such as water, electricity and financial services that consumers pay for directly.
The Budget Result for the 2019–20 financial year was a deficit of $6.9 billion. The original budget forecast, set before the COVID-19 pandemic and bushfires, was a $1.0 billion surplus. The main driver of the change in result was:
- $1.3 billion of higher employee costs, mainly due to:
- increased workers compensation claims
- additional personnel required (mainly in the Health sector) to respond to the COVID-19 pandemic
- $2.3 billion of higher operating expenses, mainly due to:
- $828 million from first time recognition of a child abuse claim liability
- $507 million from additional insurance claims from the NSW bushfires
- $343 million from COVID-19 claims by agencies for loss of revenue.
- $1.8 billion in higher grants and subsidy expenses, mainly due to:
- small business grants
- COVID-19 quarantine compliance measures
- costs incurred in response to the 2019–20 bushfires, drought and disaster relief payments
- third party-controlled assets that were subsequently transferred to councils and utility providers, mainly arising from construction of the CBD and South East Light Rail.
The deficit was further driven by:
- $1.9 billion less taxation revenue, mainly resulting from:
- $1.3 billion less in payroll tax due to relief measures introduced by the government as part of its COVID-19 economic stimulus
- $424 million less in gambling and betting taxes, due to venue closures required by COVID-19 public health orders
- $523 million less in dividends and income tax revenue from the Non-General Government Sector, due to lower dividends received from NSW Treasury Corporation and from the State’s other commercial government businesses
- lower fines, regulatory fees and other revenue, due to a $305 million decrease in mining royalties, largely driven by lower coal prices.
Main drivers of the 2019–20 actual vs. budget variance
Revenues increased $209 million to $86.3 billion
In 2019–20, the State’s total revenues increased by $209 million to $86.3 billion, 0.2 per cent higher than in 2018–19. COVID-19 impacted taxation revenue, which fell by $1.1 billion and revenue from the sale of goods and services, which fell by $1.1 billion. These falls were offset by a $2.5 billion (7.7 per cent) increase in grants and subsidies from the Australian Government, mainly in the form of additional stimulus funding.
Taxation revenue fell 3.5 per cent
Taxation revenue fell by $1.1 billion, mainly due to a:
- $861 million fall in payroll tax as a result of COVID-19 relief (reduced payroll tax payments for eligible small businesses)
- $430 million fall in stamp duty collections, driven by lower than expected growth in the property market
- $427 million decline in gambling and betting taxes, mainly due to venue closures driven by COVID-19 public health orders.
Stamp duties of $8.8 billion were the largest source of taxation revenue, $473 million higher than payroll tax, the second-largest source of taxation revenue.
Australian Government grants and subsidies
The State received $34.2 billion in grants and subsides which are mainly from the Australian Government, $2.4 billion more than in 2018–19.
The increase was driven by a $1.1 billion increase in Commonwealth Specific Purpose Payments to support the Health cluster respond to the COVID-19 pandemic. Commonwealth National Partnership Payments increased by a similar amount to provide the State with Natural Disaster relief.
Sales of goods and services
In 2019–20, sales of goods and services fell $1.1 billion. This was due to the COVID-19 pandemic reducing:
- patronage and related transport passenger revenue
- health billing activities with elective surgery being put on hold
Fines, regulatory fees and other revenues
Fines, regulatory fees and other revenues fell $505 million. This was mainly due to a $409 million decrease in mining royalties attributed to a drop in thermal coal prices during 2019–20.
Other dividends and distributions
Other dividends and distributions rose by $616 million due to higher distributions received from the State’s investments. This was due to an additional $1.3 billion held in the State’s investment portfolio compared with last year.
Expenses increased $8.2 billion to $96.0 billion
The State’s expenses increased 9.3 per cent compared with 2018–19. Most of the increase was due to higher employee expenses, other operating costs and grants and subsidies.
Employee expenses, including superannuation, increased 5.7 per cent to $42.6 billion.
Salaries and wages increased to $42.6 billion from $40.3 billion in 2018–19. This was mainly due to increases in staff numbers and a 2.5 per cent increase in pay rates across the sector. Salaries and wages for the Education and Health sectors increased by $659 million and $732 million in each sector respectively.
The Health sector employed an additional 2,763 full time staff in 2019–20. It also incurred more overtime in response to COVID-19. Education increased staff numbers by 4,866 full time equivalents and paid a one off 11 per cent pay rise to school administration staff in 2019–20. Historically, the government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.
Operating expenses increased 8.7 per cent to $27.0 billion.
Operating expenses increased to $27.0 billion in 2019–20 ($24.8 billion in 2018–19) due to higher operating activities in Health. The higher level of activities and related costs is attributed to a full year of operations at the Northern Beaches Hospital (opened November 2018), and responding to COVID-19. The response to COVID-19 involved the State providing viability payments to private hospitals, higher visiting medical officer costs due to additional overtime hours and spending more on equipment to set up COVID-19 testing clinics.
Insurance claims increased by $2.0 billion. This was mainly due to NSW Self Insurance Corporation (SiCorp) recognising a liability for child abuse claims incurred but not reported for the first time, and claims for the 2019–20 bushfires, floods and COVID-19.
Health costs remain the State’s highest expense.
Total expenses of the State were $96 billion ($87.8 billion in 2018–19). Traditionally, the following clusters have the highest expenses as a percentage of total government expenses:
- Health – 24.3 per cent (25.8 per cent in 2018–19)
- Education – 17.6 per cent (19.3 per cent in 2018–19)
- Transport - 12.8 per cent (12.6 per cent in 2018–19).
General public service expenses as a percentage of total State expenses is higher due to a $2.0 billion increase in SiCorp’s accrued claim expenses.
Other expenses increased due to additional grant funding by the State for drought relief and COVID-19 stimulus spend.
Health expenses increased by $632 million compared with 2018–19 but fell as a proportion of total State expenses.
Education expenses remained stable compared with last year due to savings in student transportation costs primarily driven by COVID-19. This led to a decrease in the proportion of the State’s costs relating to education activities.
Grants and subsidies increased $2.5 billion to $14.1 billion.
The increase in grants and subsidies was due to payments the State made to support businesses and local communities in the face of COVID-19 and bushfires. In addition, the State transferred CBD and South East Light Rail assets to councils and utility providers during 2019–20 as it no longer controlled these.
Depreciation expense increased $1.0 billion to $9.2 billion.
Depreciation increased to $9.2 billion from $8.0 billion in 2018–19. At 1 July 2019, the State implemented the new leases standard recognising a right of use (ROU) asset and related lease liability in its financial statements. The value of ROU assets are amortised over the term of the lease. This contributed to $980 million of the increase in 2019–20 depreciation expense. Last year, these costs were previously reported within other operating expenses.
Assets grew by $28.0 billion to $495 billion
The State’s assets primarily include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $28.0 billion to $495 billion. This was a six per cent increase compared with 2018–19, mostly due to changes in asset carrying values.
Of the State’s $28.0 billion increase in asset values, $9.3 billion was due to a new accounting standard requirement for operating leases to be valued and recorded on balance sheet for the first time.
AASB 16 Leases requires entities recognise values for right-ofuse assets (ROU) for the first time. An ROU asset is a lessee’s right to use an asset, the value of which is amortised over the term of the lease. This standard came into effect from 1 July 2019.
Valuing the State’s physical assets
State’s physical assets valued at $365 billion. |
The value of the State’s physical assets increased by $14.1 billion to $365 billion in 2019–20. The assets include land and buildings ($168 billion), infrastructure ($180 billion) and plant and equipment ($16.7 billion). A prior period error relating to the valuation of RMS infrastructure assets reduced the reported values by $1.0 billion from $352 billion to $351 billion at 30 June 2019.
The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include reclassification of physical assets leased under finance leases to right of use assets upon adoption of AASB 16 Leases on 1 July 2019.
Movements in physical asset values
Liabilities increased $38.4 billion to $256 billion
The State borrowed additional funds in response to natural disasters and COVID-19.
The State’s borrowings rose by $33.9 billion to $113.8 billion at 30 June 2020. This accounted for most of the increase in the State’s total liabilities.
The value of TCorp bonds on issue increased by $25.2 billion to $97.0 billion to largely fund capital expenditure and costs associated with the bushfires, drought and COVID-19.
TCorp bonds are actively traded in financial markets and are guaranteed by the NSW Government.
Over 2019–20, TCorp continued to take advantage of lower interest rates, buying back short-term bonds and replacing them with longer dated debt. This lengthens the portfolio matching liabilities with the funding requirements for infrastructure assets.
With effect from 1 July 2019, AASB 16 Leases required the State to recognise liabilities for operating leases for the first time. This increased total lease liabilities from $5.3 billion at 30 June 2019 to $11.8 billion at 30 June 2020.
More than a third of the State’s liabilities relate to its employees. They include unfunded superannuation and employee benefits, such as long service and recreation leave.
Valuing these obligations involves complex estimation techniques and significant judgements. Small changes in assumptions and other variables, such as a lower discount rate, can materially impact the valuation of liability balances in the financial statements.
The State’s unfunded superannuation liability rose $300 million from $70.7 billion to $71.0 billion at 30 June 2020. This was mainly due to a lower discount rate of 0.87 per cent (1.32 per cent in 2018–19). The State’s unfunded superannuation liability represents the value of its obligations to past and present employees less the value of assets set aside to fund those obligations.
The State maintained its AAA credit rating
The object of the Fiscal Responsibility Act 2012 is to maintain the State’s AAA credit rating.
The government manages New South Wales’ finances in accordance with the Fiscal Responsibility Act 2012 (the Act).
The Act establishes the framework for fiscal responsibility and the strategy to maintain the State’s AAA credit rating and service delivery to the people of New South Wales.
The legislation sets out targets and principles for financial management to achieve this.
This year, the State’s credit rating from Standard & Poor’s changed from AAA/Stable to AAA/Negative. Moody’s Investors Service credit rating of Aaa/Stable did not change from the previous year.
The fiscal target for achieving this objective is that General Government annual expenditure growth should be lower than long term average revenue growth.
The State did not achieve its fiscal target of maintaining annual expenditure growth below the long-term revenue growth rate target of 5.6 per cent.
In 2019–20, General Government expenditure grew by 9.7 per cent (5.5 per cent in 2018–19).
Expenditure items that contributed most to the growth rate include:
- recurrent grants and subsidies (20.4 per cent)
- other operating expenses (9.5 per cent)
- employee costs (including superannuation) (5.6 per cent)
Recurrent grant and subsidy expenses increased by $2.8 billion in 2019–20 mainly due to the COVID-19 and natural disaster payments. Other operating expenses increased mainly due to a $2.0 billion increase in SiCorp insurance claims. This included the $828 million provision for child abuse claims incurred but not reported. The bushfires and COVID-19 pandemic also increased the number and cost of claims in 2019–20.
Superannuation funding position since inception of the Act - AASB 1056 Valuation
Actions for Integrity of data in the Births, Deaths and Marriages Register
Integrity of data in the Births, Deaths and Marriages Register
This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.
The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.
The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.
The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.
The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.
BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.
This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:
- Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
- Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?
ConclusionBD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register. BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required. BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected. BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls. |
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #330 - released 7 April 2020.
Actions for Government Advertising 2017-18
Government Advertising 2017-18
The State Insurance Regulatory Authority’s (SIRA) ‘green slip refund’ campaign, and the TAFE semester one 2018 student recruitment campaign, complied with most requirements of the Government Advertising Act 2011 and the Government Advertising Guidelines, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.
The Government Advertising Act 2011 (the Act) requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit assesses whether a government agency or agencies has carried out activities in relation to government advertising in an effective, economical and efficient manner and in compliance with the Act, the regulations, other laws and the Government Advertising Guidelines (the Guidelines).
This audit examined two campaigns conducted in 2017–18:
- the 'Green slip refund' campaign run by the State Insurance Regulatory Authority (SIRA)
- the semester one component of the 'TAFE NSW 2018 Student Recruitment Annual Campaign Program' run by the NSW TAFE Commission (TAFE).
Section 6 of the Act prohibits political advertising. Under this section, material that is part of a government advertising campaign must not contain the name, voice or image of a minister, member of parliament or a candidate nominated for election to parliament or the name, logo or any slogan of a political party. Further, a campaign must not be designed to influence (directly or indirectly) support for a political party.
The State Insurance Regulatory Authority (SIRA) conducted the 'Green slip refund' campaign between March and June 2018. SIRA ran this campaign to raise awareness of the Compulsory Third Party (CTP) refunds and reforms after the Motor Accidents Injuries Act 2017 commenced in December 2017. SIRA's view is that the reforms include a reduced cost for CTP insurance, benefits for at-fault drivers, reduced opportunity for fraud and attempts to lower insurance company profits. Green slip holders are also able to claim partial refunds on their 2017 green slip insurance premium. The campaign aimed to make green slip holders aware of the refunds available, encourage them to claim online and to inform people about the changes to the green slip scheme. The campaign focused on the first two of these objectives. The total cost of the campaign was $1.9 million. See Appendix two for more details on this campaign.
Campaign materials we reviewed did not breach section 6 of the Act
Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:
- be designed to influence (directly or indirectly) support for a political party
- contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
- contain the name, logo, slogan or any other reference to a political party.
The audit team found no breaches of section 6 of the Act in the campaign material we reviewed.
Before the start of the campaign, SIRA conducted a survey which asked people whether they agreed ‘that the NSW Government is helping to reduce the cost of living by making positive reforms to:
- reduce the cost of green slips
- reduce the cost of health insurance
- increase the number of jobs
- increase investment in the state.'
SIRA's initial submission to peer review listed one of the campaign objectives as improving the perception of the government as a positive reformer. DPC advised SIRA that this should not be included. SIRA removed this objective.
Even though SIRA appropriately removed this objective, the post-campaign evaluation still measured agreement with the above statements, three of which did not relate to this campaign or SIRA's responsibilities. SIRA advised that these three additional statements were included to provide a broader context for any change in the green slip campaign survey results. For example, if all four measures reported an increase in positive responses of roughly the same size, then the increase may have been due to factors other than the advertising campaign.
This is not an appropriate use of the post-campaign evaluation, which should measure the success of the campaign against its stated objectives. The Guidelines list the purposes that government advertising may serve and none of these relate to improving the perception of the government. The inclusion of the above questions in SIRA's post-campaign evaluation creates a risk that the results may be used for party political purposes.
The campaign met most targets, however some were not challenging to achieve
The post-campaign evaluation demonstrated that the campaign met the targets for 12 of its 13 objectives including the targets relating to raising awareness of the refunds and the proportion of people claiming their refunds online. A fourteenth objective, the percentage of people aware that they should contact SIRA after a road accident injury, did not have a target set, meaning that it is not possible to say whether the campaign had the desired impact in this case.
In August 2017, before the campaign commenced, SIRA conducted a survey to determine the baselines for some of its objectives. This is a good practice to support an effective post campaign evaluation process. The survey found that 20 per cent of people were aware of the green slip reforms. SIRA's objective was to raise this to 25 per cent, which represents a small gain relative to the proposed campaign expenditure. The campaign aimed for 40 per cent of motorists to be aware of refunds, which is very low given that this was the primary focus of the campaign. SIRA followed the advice of its survey provider when setting these targets.
In the survey carried out after the campaign, 66 per cent of people were aware of the availability of green slip refunds for most motorists. The campaign also aimed to get 83 per cent of motorists to claim their refunds via online channels. It met this target, with a total of 84 per cent. Finally, 62 per cent of people in the post-campaign survey were aware of the green slip reforms. This result is discussed further below.
The overall target for total number of refunds claimed is 85 per cent of eligible drivers, that is to say CTP holders. SIRA will evaluate the results of this objective after the conclusion of the refund period in June 2019.
The campaign did little to inform the public about the broader green slip reforms
One objective of the green slip refund campaign was to inform the public about the green slip reforms. The final campaign creative material focused almost entirely on the green slip refunds rather than the range of other reforms. This was because the peer review raised concerns that the creative material was attempting to deliver too many messages.
The campaign submission stated that the advertising campaign would raise awareness of the broader reforms to the CTP scheme, citing several examples such as reduced opportunities for fraud and reduced insurer profits. SIRA also advised the Minister for Finance, Services and Property that secondary messaging in the campaign would benefit public understanding of the reforms.
Some of the television and radio advertisements referred to ‘more protection’ or ‘better protection’ for people injured on New South Wales roads, however advertisements did not refer to other elements of the reforms. Other campaign creative materials contained messages solely relating to the green slip refund and made no further reference to the broader reforms. SIRA used other communication channels, such as giving wallet cards to health service providers, to spread these messages to people, particularly those who had been injured.
Sixty two per cent of people in the post-campaign survey were aware of the green slip reforms. SIRA asked these people which benefits they associated with the reforms. The results of this survey are in Exhibit 4. Seventy-one per cent of this sample identified the reduced costs of green slips as one of the changes, but awareness of other elements of the reforms remains low. Though 29 per cent of people perceive the reforms to make the green slip scheme ‘fairer’, no more than 15 per cent of people could list a specific benefit which did not relate to insurance prices.
Perceived benefit | Percentage aware of this benefit |
---|---|
Reduced costs of green slips for vehicle owners | 71% |
A fairer scheme for all people | 29% |
Reduced costs of comprehensive vehicle insurance | 20% |
Better support for people injured on our roads | 15% |
Less chances of fraudulent claims | 15% |
Lowering insurance company profits | 13% |
Quicker payment of claims to injured people | 10% |
Another campaign target was to ensure that people understood that they should contact SIRA in case of an injury. None of the campaign creative materials contained this information. SIRA did some limited work to inform the public about this through its social media channels. One of the pieces of creative material directed the reader to SIRA's website for further information on the reforms, which contained this information. During the campaign period, there was an increase in the number of calls received by SIRA's CTP Assist phone line. However, in the post-campaign evaluation, only two per cent of surveyed people identified that they should contact SIRA in case of an injury.
The media plan allowed sufficient time for cost-efficient media placement
During the peer review process, DPC provides advice to agencies about the time they should allow to ensure cost-efficient media placement. For example, DPC advise that agencies book television advertising six to 12 weeks in advance and that agencies book radio advertising two to eight weeks in advance.
SIRA allowed sufficient time between the completion of the peer review process and the commencement of the first advertising. SIRA signed the agreement with the approved Media Agency Services provider eight weeks before the campaign started, meaning that it could achieve cost-efficient media placement for all types of media used in this campaign.
SIRA directly negotiated with a single supplier, making it difficult to demonstrate value for money
SIRA directly negotiated with a single supplier to procure the campaign's creative material. A direct negotiation occurs when an agency negotiates with a proponent without first undergoing a competitive process. It is difficult to demonstrate value for money using direct negotiation due to the lack of competition.
ICAC's 'Guidelines for managing risks in direct negotiations' (ICAC Guidelines) provide guidance on how to undertake direct negotiations. SIRA has a direct negotiation checklist that aligns to the ICAC Guidelines. The SIRA checklist advises that staff should confirm that existing New South Wales prequalification schemes cannot provide the procurement before undertaking a direct negotiation. SIRA did not do this.
To procure creative materials, agencies can access the Advertising and Digital Communication Services prequalification scheme (the prequalification scheme). Using the prequalification scheme allows agencies to quickly seek quotes from suppliers who have a demonstrated track record and expertise. While agencies are not required to use the prequalification scheme, the NSW Procurement Board advises that agencies should use prequalification schemes where they are available to promote competition.
By using direct negotiation when the prequalification scheme was available, and by not seeking quotes from other suppliers, SIRA was acting in a way that reduced competition. This increases the risk that SIRA did not achieve value for money in its procurement of creative materials.
SIRA advised that it sought to ensure value for money by comparing the quote from its selected supplier with the amount spent on creative materials in other campaigns of similar size. SIRA did not document this analysis at the time or include it as part of the briefing note staff used to seek approval for undertaking direct negotiation. As a result, decision-makers were not fully informed when approving this engagement.
SIRA reported in a briefing note that it engaged in direct negotiations because:
- it believed that the original timeframe did not allow for a competitive tender process
- the supplier had done previous work on a related campaign for SIRA
- the supplier provided sample work which received positive feedback from focus groups.
In July 2017, when peer review commenced, SIRA planned to launch the campaign in November 2017 to coincide with the beginning of the green slip reforms. SIRA believed that this timeframe was narrow enough to warrant entering direct negotiations. The ICAC Guidelines advise that a narrow timeframe is not a valid reason to enter into a direct negotiation. In late October 2017, the campaign launch was delayed until March 2018 to stagger the demand on the resources of Service NSW, which is administering the refund.
The ICAC Guidelines also advise against re-appointing a supplier because it has performed previous work. Instead, agencies could consider previous experience as one of several factors when deciding between quotes. In cases where an agency asks a supplier to provide sample work, the ICAC Guidelines advise that agencies should request sample work from multiple potential suppliers to promote competition.
The campaign's cost benefit analysis complied with the Act and Guidelines
The Act requires a cost benefit analysis (CBA) for any government advertising campaign likely to exceed $1.0 million in value. Section six of the Guidelines set out the requirements for a government advertising CBA. The campaign's CBA complied with the requirements of the Act and the Guidelines.
The campaign CBA could have demonstrated further cost effectiveness if it considered alternative media mixes as outlined in NSW Treasury's 'Cost Benefit Analysis Framework for Government Advertising and Information Campaigns'. This would also have been consistent with the Handbook.
The cluster Secretary signed the compliance certificate instead of the head of SIRA
The Act requires the head of the agency running the campaign to sign a compliance certificate.
The Secretary of the Department of Finance, Services and Innovation, the cluster to which SIRA belongs, signed the campaign's compliance certificate. However, section 17(2) of the State Insurance and Care Governance Act 2015 states that SIRA is ‘for the purposes of any Act, a NSW Government agency.’ Given this, the Chief Executive of SIRA was responsible for signing the compliance certificate for this campaign.
This is a minor non-compliance with the Act because the Chief Executive had reviewed the campaign and recommended that the Secretary sign the compliance certificate.
The NSW TAFE Commission (TAFE) ran the 'TAFE NSW 2018 Student Recruitment Annual Campaign Program' from November 2017 to September 2018. The aim of the campaign was to assist TAFE in achieving its 2018 student enrolment target by improving the perception of TAFE's brand and generating student enquiries. This is the first state-wide campaign run by TAFE operating under the One TAFE model. Previously, each TAFE Institute ran its own campaigns. The total budget of the campaign was $19.5 million. This audit examined only the semester one 2018 component of the campaign, which ran from November 2017 to April 2018 at a total cost of $9.5 million. See Appendix two for more details on this campaign.
TAFE was able to place most of its campaign media within cost-efficient timeframes. TAFE also achieved efficiencies by re-using many creative materials from a previous campaign.
The campaign materials we reviewed did not breach section 6 of the Act
Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:
- be designed to influence (directly or indirectly) support for a political party
- contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
- contain the name, logo, slogan or any other reference to a political party.
The audit team found no breaches of section 6 of the Act in the campaign material we reviewed.
The campaign achieved 16 of 24 objectives, but did not reach its enrolment target
The campaign had 24 objectives which had a target for semester one. TAFE set these targets using a combination of previous experience, corporate objectives and brand surveys.
The overall objective of the combined semester one and two campaigns was to support TAFE achieving its 2018 total enrolment target of 549,636. TAFE's semester one target was 361,350, which it did not achieve. This indicates that the campaign was not fully effective.
The campaign achieved 11 of its 16 output objectives. The output targets related to TAFE's media placements and ability to reach an audience efficiently. TAFE tracked progress against many of the campaign's output objectives daily. TAFE altered its media channels throughout the campaign meaning that some of the output objectives were not met because TAFE decided to focus on alternative media channels. The campaign also achieved all seven of its outcome objectives. The outcome objectives related to changing the public perception of TAFE.
TAFE's initial media plan allowed for efficient media placement
During the peer review process, DPC provides advice to agencies about the time they should allow to ensure cost-efficient media placement. For example, DPC advise that agencies book television advertising six to 12 weeks in advance and that agencies book radio advertising two to eight weeks in advance.
While TAFE's initial media plan allowed sufficient time between the approval of the campaign and its launch, a delay in receiving final approval for the campaign meant TAFE could not purchase media placements until two months later than planned. Most purchases still remained within DPC's recommended timeframes, but Indigenous television advertisements and metropolitan out of home advertisements both fell outside DPC's recommended time periods by one week. These delays did not impact on TAFE's efficiency.
TAFE re-used many creative materials, achieving some cost-savings
Rather than commissioning new creative materials, TAFE re-used many creative materials from the previous campaign and supplemented these with a selection of new creative materials. TAFE advised that this led to a cost saving of approximately $130,000.
TAFE sought quotes from suppliers on the government's Advertising and Digital Communication Services prequalification scheme for two creative material contracts. These contracts covered updates to existing materials and a selection of new materials.
The campaign's cost-benefit analysis did not comply with three requirements of the Guidelines
The Act requires an agency to conduct a cost-benefit analysis (CBA) if the cost of an advertising campaign is likely to exceed $1.0 million. The Guidelines set out the requirements of this CBA. TAFE did not comply with three of these requirements, outlined in Exhibit 5.
6.2 The cost benefit analysis must isolate the additional costs and benefits attributable to the advertising campaign itself compared to the base-case of not-advertising. 6.3 The cost benefit analysis must specify the extent to which the expected benefits could be achieved without advertising. 6.4 The cost benefit analysis must outline what options other than advertising could be used to successfully implement the program and achieve the program benefits and a comparison of their costs. |
In this circumstance, section 6.2 of the Guidelines required the CBA to identify the number of enrolments TAFE would expect if it did not advertise. TAFE advised us that it is not possible to say what this scenario would look like because there had always been some degree of advertising, however, this argument is not reflected in the CBA.
TAFE used 2017 as the baseline in the CBA. In 2017, TAFE spent $13.2 million on advertising. As such, the CBA was only able to isolate the impact of the increased expenditure rather than the impact of the campaign's entire $19.5 million expenditure. TAFE advised that 2017 had the most reliable state-wide data and this contributed to the decision to use it as the baseline.
During the audit, TAFE sought advice from NSW Treasury regarding whether a 2017 baseline was appropriate and NSW Treasury advised that it was. Regardless, TAFE did not receive this advice prior to writing the CBA and did not put commentary around this in the CBA. This would also not be sufficient for fulfilling the requirements of the Guidelines.
The CBA did not comply with sections 6.3 and 6.4 of the Guidelines. The CBA briefly considered the impact of spending the campaign budget directly on new training courses, however there was no sustained analysis of this option. TAFE staff advised that there are no realistic alternatives to advertising for achieving the campaign's objectives. However we did not see analysis to support this conclusion in documents provided to us.
The campaign CBA could have better demonstrated cost effectiveness if it considered alternative media mixes as outlined in NSW Treasury's 'Cost Benefit Analysis Framework for Government Advertising and Information Campaigns'. This would also have been consistent with the Handbook.
TAFE made one inaccurate claim in its advertising and overstated a second
The Guidelines set out rules regarding the content of a government advertising campaign. Exhibit 6 sets out one of the principles with which agencies must comply.
The following principles apply to the style and content of government advertising campaigns:
|
TAFE made one inaccurate claim in its advertising and overstated a second.
In some campaign creative material, TAFE claimed that 78 per cent of its own graduates are employed after training (Exhibit 15 in Appendix 2). According to the National Centre for Vocational Education Research, 78 per cent of New South Wales Vocational Education and Training (VET) graduates (i.e. from all training providers) are employed after training. The result for TAFE graduates is 70.4 per cent.
One of the campaign's television advertisements refers to TAFE as ‘Australia's most reputable education provider’. This statement referred to a survey of current TAFE students who were asked where they would consider studying in future: TAFE, University or a private college. The current TAFE students selected TAFE by a large margin. The limited scope of TAFE's student survey and its results do not support the claim that it is ‘Australia's most reputable education provider’.
DPC did not consistently communicate the transitional arrangements for the Brand Guidelines and as such much of TAFE's creative material did not comply at campaign launch
On 7 August 2017, the government released the NSW Government Brand Guidelines (Brand Guidelines), setting out how agencies use the NSW Government logo. The Brand Guidelines replaced the Branding Style Guide which had been in place since September 2015. Some agencies were exempt from using the Branding Style Guide and the introduction of the new Brand Guidelines required these agencies to apply for a new exemption.
TAFE had recently commenced the peer review process for this campaign when the Brand Guidelines were released. TAFE was exempt from the requirements of the Branding Style Guide and as such the material which TAFE was planning to re-use in the new campaign did not contain the NSW Government logo.
Communication about how long agencies had to make themselves compliant with the Brand Guidelines was unclear. On 11 August 2017, the Chair of the Cabinet Standing Committee on Communication and Government Advertising (the Committee) sent a letter to the Secretary of the Department of Industry informing him that the Department must update all its material to be compliant with the Brand Guidelines ‘as soon as practicable within an 18-month transition period’. The Department of Industry advised TAFE that new advertising would need to be immediately compliant, however it was not clear if this included materials which agencies were re-using from previous campaigns. DPC advised the audit team that it expected re-used materials to be compliant when agencies launched new campaigns. DPC provided this advice to some agencies but did not communicate it more broadly. We could not source evidence that DPC provided this advice to TAFE.
DPC ran workshops to explain the transitional arrangements in September 2017 for the changes in the Brand Guidelines, however these did not specifically address the transitional timeframes for new advertising campaigns.
The Department of Industry, on behalf of TAFE, applied to the Committee for approval to co-brand the TAFE logo with the NSW Government logo. This was approved in October 2017. The requirements for co-branding are in Exhibit 7.
Co-branding partners the agency logo with the NSW Government logo. The NSW Government logo must always be presented as the dominant or lead brand. The Brand Guidelines provide the following template shown below the exhibit box. The NSW Government logo is on the left and the agency logo is placed on the right, with a dividing line between them. |
Appendix one - Responses from agencies
Appendix two - About the campaigns
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #311 - released 18 December 2018
Actions for Central Agencies 2018
Central Agencies 2018
The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters. While clear audit opinions were issued on all agency financial statements, the report notes that some complex accounting requirements caused significant errors in agency financial statements submitted for audit, which were corrected before the financial statements were approved.
This report analyses the results of our audits of the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster agencies for the year ended 30 June 2018. The table below summarises our key observations.
This report provides parliament and other users of the NSW Government's central agencies and their cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- liquidity risk management
- government financial services.
The central agencies and their key responsibilities are set out below.
Central agencies | Key central agency responsibilities | Cluster responsibilities |
The Treasury |
|
The cluster:
|
Department of Premier and Cabinet |
|
The cluster:
|
Department of Finance, Services and Innovation |
|
The cluster:
|
Public Service Commission |
|
|
A full list of agencies that this report covers by relevant cluster is included in Appendix three.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation clusters for 2018.
Observation | Conclusions and recommendations |
2.1 Quality of financial reporting | |
Unqualified opinions were issued for all agencies' financial statements submitted to the Audit Office. Complex accounting requirements caused significant errors in some agency financial statements, which were corrected before the financial statements were approved. |
Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. Recommendation: Agencies should respond to key accounting issues when they are identified by preparing accounting papers and engaging with Treasury, the Audit Office and their Audit and Risk Committee when these matters are identified. |
2.2 Timeliness of financial reporting | |
Most agencies complied with the statutory timeframe for completion of early close procedures, 48 agencies in the Treasury cluster did not comply with the statutory requirement to prepare financial statements, and the audits of nine agencies in the Treasury cluster were not completed within the statutory timeframe. All financial statement information of the 48 agencies that did not prepare financial statements has been captured in the consolidated financial statements of their parent entity, which was subject to audit. |
Early close procedures allow financial reporting issues and risks to be addressed early in the audit process. The timeliness of financial reporting can be improved by performing more robust early close procedures. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from:
- our financial statement audits of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster for 2018
- the areas of focus identified in the Audit Office work program.
The Audit Office work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.
Observation | Conclusions and recommendations |
3.1 Internal controls | |
The 2017–18 audits found one high risk issue and 83 moderate risk issues across the agencies. Nineteen per cent of all issues were repeat issues. | Agencies should focus on rectifying repeat issues. |
The high risk issue at Service NSW related to several deficiencies in procurement and contract management processes. | Service NSW may not be achieving value-for-money from their procurement and contract management activities. The high risk issue should be rectified as a matter of priority. This includes updating and implementing its procurement, vendor and contract management frameworks and delivering training to key staff involved in procurement and contract management activities. |
Property NSW has implemented several controls during the year to rectify the high risk issue identified last year related to its transition to a new property and facility management service provider. However, the service providers performance remains below expectations and there are further opportunities to improve oversight and lift performance. | Property NSW can better define roles and accountabilities with the service provider and formalise policies and processes associated with its monitoring and oversight of the service provider. Implementing relevant KPIs, receiving timely reports and providing timely review and feedback to the service provider may help to lift performance. |
GovConnect received unqualified opinions from their service auditor on all business process controls, except for information technology controls provided by Unisys, where a qualified opinion was received from the service auditor. A qualified opinion was received because of several deficiencies in user access controls. | These internal control deficiencies increase the risk of unauthorised access to key business systems, and increase audit effort and costs associated with addressing the risks arising from the deficiencies. |
3.2 Audit Office annual work program | |
Remediation of the Barangaroo site is now estimated to cost the Barangaroo Delivery Authority in excess of net $400 million. |
Measuring the remaining costs to remediate requires the use of estimation techniques and judgements, making the actual outcome inherently uncertain. We reviewed evidence to support the provision for remediation, including future costs estimates and this evidence supported management’s estimate. |
The State Insurance Regulatory Authority have administered the refund of $138 million in Green slip refunds to policy holders through Service NSW during 2017–18. At 30 June 2018, $112 million in refunds are yet to be claimed. We reviewed the systems and processes supporting the refund process. While we found that this supports the disbursement of refunds to policyholders there were some deficiencies in Service NSW’s project controls when the program was being developed. |
Service NSW should apply the lessons learnt from this program to other programs it is delivering or will be delivering for agencies. |
Revenue NSW recorded $30.4 billion from taxes, fines and fees in 2017–18 ($30.0 billion in 2016–17) to support the State’s finances. |
Crown revenue has steadily increased over the last five years predominately driven by rises in payroll tax and land tax and responsibility for collection of the Emergency Services Levy transferring to Revenue NSW under the Emergency Services Levy Act 2017 effective from July 2017. |
3.3 Managing maintenance | |
Place Management NSW manages significant commercial and retail leases and maintains public domain spaces and other assets around the harbour foreshore. It has consistently underspent its asset maintenance budget. In 2017–18, asset maintenance expenses were only 34 per cent of budgeted maintenance expense. Currently, Place Management NSW does not use any ratios or benchmarks to determine the adequacy of its maintenance spend or to monitor whether it is achieving its budgeted maintenance program. |
This may be contributing to a high proportion of unplanned maintenance, which Place Management NSW reports was 38 per cent of total maintenance expense in 2017–18. Place Management NSW is outsourcing its property and facilities management function from 1 December 2018 to an external service provider. |
This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.
Observation | Conclusions and recommendation |
5.1 Superannuation funds | |
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). However, legislation allows the responsible Minister to prescribe prudential standards, reporting and audit requirements. |
Structured and comprehensive prudential oversight of these Funds is important as they operate in a volatile financial sector, have 103,000 members and manage investments of $43.3 billion. Recommendation: Treasury should consult with the Trustees of the STC Pooled Fund and PCS Fund to prescribe appropriate prudential standards and requirements, including oversight arrangements. |
5.2 Insurance and compensation | |
Nominal Insurer and NSW Self Insurance Corporation investment performance marginally exceeded benchmark over the past five years. | Investment returns can impact on the premiums required to maintain an adequate funding ratio in addition to other factors such as claims experience and discount rates. |
The Workers Compensation Nominal Insurer (Nominal Insurer) and NSW Self Insurance Corporation's net collected premiums and contributions decreased over the past five years. | The insurance schemes' investment performance and stable claim payments have enabled less reliance on net collected premiums and contributions as a source of funding, over the past five years. |
Reforms were introduced to manage the Home Warranty Scheme's financial sustainability risks. | The Home Warranty Scheme has not collected sufficient premiums to fund expected claims costs, since commencing operations in 2011. In 2017–18, the Crown contributed $181 million for historical shortfalls. New reforms started on 1 January 2018 enabling the Scheme to price premiums based on risk. |
Actions for Internal Controls and Governance 2018
Internal Controls and Governance 2018
The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.
This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.
This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.
This report offers insights into internal controls and governance in the NSW public sector
This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:
- Internal control trends
- Information technology (IT), including IT vendor management
- Transparency and performance reporting
- Management of purchasing cards and taxis
- Fraud and corruption control.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.
The focus of the report has changed since last year
Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Agencies selected for the volume account for 95 per cent of the state's expenditure
While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.
Observation | Conclusions and recommendations |
---|---|
2.1 High risk findings | |
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16. | Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority. |
2.2 Common findings | |
We found several internal controls and governance findings common to multiple agencies. | Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective. |
2.3 New and repeat findings | |
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies. | The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies. |
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases |
Recommendation: Agencies should reduce IT risks by:
|
Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.
Observation | Conclusions and recommendations |
---|---|
3.1 Management of IT vendors | |
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review. |
Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:
|
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract. |
Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination. |
Performance management Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance. |
Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:
|
Transitioning services Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor. |
Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'. |
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete. |
Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:
Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations. |
3.2 IT general controls | |
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review. |
Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments. |
User access administration
|
Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems. |
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities. |
Recommendation: Agencies should:
|
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters. |
Recommendation: Agencies should ensure IT password settings comply with their password policies. |
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment. |
Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed. |
This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.
Observation | Conclusion or recommendation |
4.1 Reporting on performance | |
Only 57 per cent of agencies linked reporting on performance to their strategic objectives. The use of targets and reporting performance over time was limited and applied inconsistently. |
Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information. Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports. |
There is no independent assurance that the performance metrics agencies report in their annual reports are accurate. Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported. |
Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited. The relevance and accuracy of performance information is enhanced when:
|
4.2 Reporting on reports | |
Agency reporting on major projects does not meet the requirements of the annual reports regulation. Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations. |
NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations. Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress. |
The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works. Sixteen of 30 agencies reported some information on completed major works. |
Conclusion: Agencies could improve their transparency if they reported, or were required to report:
|
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.
Observation | Conclusion or recommendation |
5.1 Management of purchasing cards | |
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement. |
Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards. |
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy. |
Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'. |
Preventative controls We found that:
|
Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:
|
Detective controls Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used. |
Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:
|
5.2 Management of taxis | |
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition:
|
Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies:
|
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews. |
Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program. |
Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.
Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:
- unreported frauds in organisations can be almost three times the number of reported frauds
- our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
- fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
- agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.
Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.
Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.
Observation | Conclusion or recommendation |
6.1 Prevention systems | |
Prevention systems Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies. |
Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by:
|
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be. | Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified. |
6.2 Detection systems | |
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program. |
Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment. |
6.3 Notification systems | |
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption. |
Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture |
Actions for State Finances 2018
State Finances 2018
Pursuant to the Public Finance and Audit Act 1983, I present my Report on State Finances 2018.
I am pleased to once again report that I issued a clear audit opinion on the State’s consolidated financial statements. This demonstrates the Government’s focus on preparing high quality information on the State’s financial position and performance for use by stakeholders.
However, there are two key areas I would like to see addressed to further support the preparation of the State’s financial statements.
Firstly, some complex accounting matters are not being resolved until late in the financial reporting cycle. This has contributed to an increase in the number of errors in the financial statements key agencies are submitting for audit, particularly around assessing the value of physical assets. Better planning and earlier resolution of these matters would lead to more efficient processes.
Secondly, the State needs to implement five new accounting standards over the next two years. Agencies will need to devote significant resources and effort to collect the necessary information and assess the impact at the whole of government level. I will work with Treasury and relevant agencies to help them improve quality assurance controls over their financial reporting.
Throughout 2017-18 my office worked with Treasury on reforms to improve financial governance, budgeting and reporting arrangements across the sector.
The Government Sector Finance Bill 2018 passed both houses of Parliament in June 2018. However, the Legislative Council returned other proposed changes to the Public Finance and Audit Act 1983 to the Legislative Assembly for further consideration. Most of these changes relate to the Public Accounts Committee. At the time of writing, the cognate Bill had not been debated.
The budget result was a $4.2 billion surplus. The consolidated financial statements at 30 June 2018 do not reflect the sale of 51 per cent of the State’s investment in Sydney Motorway Corporation for which it received $9.3 billion. The sale was announced on 31 August 2018.
Finally, I would like to thank the staff of Treasury for the way they approached the audit. Our partnership is critical to ensuring the quality of financial management and reporting.
Margaret Crawford
Auditor-General
19 October 2018
The State's financial statements given a clear audit opinion
Timely and accurate financial reporting enables informed decision making, effective management of public funds and enhances public accountability.
Since the introduction of mandatory ‘early close procedures’ in 2011-12, the number of significant errors in financial statements of agencies had fallen largely due to identifying and resolving complex accounting issues early.
In 2016-17, Treasury narrowed the scope of mandatory procedures to focus on physical asset valuations and pro-forma financial statements. Despite being broadened for 2017-18, we have observed an increase in the number of errors in agency financial statements.
In 2017-18, twenty-three errors exceeding $20 million were found in agencies’ financial statements that make up the State’s consolidated financial statements. This compares to only five in 2015-16.
The errors identified this year were the result of:
- incorrectly applying Australian Accounting Standards
- deficiencies in assessing the value of physical assets
- using inappropriate and inaccurate assumptions when measuring liabilities
- inaccurately reflecting inter-agency payables and receivables.
Quality financial reporting would be enhanced by responding to key accounting issues as soon as they are identified, and preparing accounting position papers for consideration by Treasury, agency Audit and Risk Committees and the Audit Office.
Key accounting matters addressed by the State in 2017-18.
Restatement of some of the State’s previously reported asset and liability values.
The state corrected the previously reported values of some long-term liabilities ($2 billion).
Accounting standards require the State to measure its long-term liabilities at the best estimate of the expenditures required to settle the obligations. The affected liabilities include claims liabilities of the Lifetime Care and Support Authority of NSW and the NSW Self Insurance Corporation, and scheme liabilities of the Long Service Corporation. The liabilities are adjusted by what is referred to as the ‘discount rate’ to reflect the decreasing value of money over time.
In the past, agencies used a variety of rates to discount these liabilities. Some liabilities were discounted using the estimated long-term fair value of 10-year TCorp bond yields while others were discounted using the expected
return on investments. These discount rates did not comply with the requirements of Australian Accounting Standards and underestimated liabilities by $2.0 billion.
In 2017-18, the State assessed the discount rates previously used in the Sector. It determined the market yield on Commonwealth Bonds best met the Accounting Standard requirements and used this rate to discount similar liabilities in relevant agencies. This resulted in a $2.0 billion increase in the previously reported values of these liabilities and a similar decrease in retained earnings at 1 July 2016.
The State corrected previously reported values of certain Library assets ($1.1 billion).The value of the Pictorial Collection of the Library Council of NSW (the Library) was reassessed at 31 January 2018. During the valuation process the Library identified three errors in the 2015 valuations which overstated the previously reported asset values. The errors included:
This resulted in a $1.1 billion decrease in previously reported asset values and a corresponding decrease in the asset revaluation reserve at 1 July 2016. |
Information system limitations continue at TAFE NSW.TAFE NSW has experienced ongoing issues with its student administration system.TAFE NSW has again implemented additional processes to verify the accuracy and completeness of revenue from student fees. TAFE NSW expects to spend up to $89 million on a new information system to address these issues. Modules of the new student enrolment system are planned to be in place by May 2019 |
Risks to the quality and timeliness of financial reporting.
Challenges associated with valuing the State's physical assets.
When we audit financial statements we focus on areas we consider higher risk. These areas often require the use of estimates and judgements.
The valuation of the State’s physical assets is one such area. Fair value estimates are inherently complex and sensitive to assumptions and judgements. In the public sector, this may be exacerbated by the unique nature of its assets, such as land under roads, preserved plant specimens, cultural collections and other heritage assets.
In 2017-18, valuations of physical assets added $24.5 billion to the value of the State’s balance sheet. These assets are now valued at $339.2 billion. Our audits of these valuations identified:
The Library Council of NSW had three errors in the methodology previously used to value their pictorial assets ($1.1 billion error). |
The Royal Botanic Gardens and Domain Trust did not previously recognise a value for their Herbarium assets ($284 million error). |
Some revaluations within the Ministry of Health did not meet the requirements of Australian Accounting Standards or Treasury requirements ($159 million error). |
The Department of Justice used an incorrect valuation
|
Some important matters agencies should consider when planning/conducting asset valuations include:
STARTING OUT
- Planning is important
- Most effective revaluations include early engagement with all stakeholders, including auditors.
- Determine who needs to be involved and advised of progress with the revaluation – e.g. finance, internal audit, audit and risk committee.
- Ensure asset registers are complete and there is evidence to demonstrate the agency controls the assets.
- The effective date of the valuation can be any date after the financial year commences, but well before year end.
MANAGEMENT'S ROLE
- For large mass valuations consider using a suitable project management methodology to ensure the process remains ‘on track’ with sufficient oversight.
- Consider engaging an expert to perform the valuation, but maintain responsibility for the outcomes. Ensure the outcomes are reasonable and quality review the results, including the appropriateness of inputs and key assumptions.
- Compare pre and post valuation results on an individual asset basis. Where changes are significant and/or unexpected, document explanations from the valuer.
- Start revaluations early so they are completed by early close (around March). The timetable must allow time for a quality review of results and for the results to be recorded in the financial records.
- Revaluation workpapers must include the revaluation source data provided to the valuer and a reconciliation of the source data to the general ledger.
USING EXPERTS
- The terms of engagement should be documented in an engagement letter, which clearly details the proposed valuation methodology. It’s important the valuer knows what is required from a policy perspective and clearly understands the accounting framework used to prepare the financial statements.
- Valuation reports should detail the key assumptions used, explain why the valuation approach was adopted and how the use of relevant observable input was maximised.
- Valuation reports should clearly differentiate between assets revalued using a cost approach and those using an income or market approach. They should explain why the approach used was the most relevant for the asset type.
- Consider using representative/statistical sampling for mass valuations and determine the extent of physical inspections that may be required.
- If a sampling technique is used, it should provide sufficient confidence that the sample is representative of the population.
- Significant judgements should be supported by relevant benchmark data or other analysis and observations. A common example in the public sector is to discount asset values to reflect restrictions on use.
- Ensure the valuer has considered the age and condition of the assets, and heritage/cultural aspects and/or other special factors.
WHAT ABOUT INTERVENING YEARS?
- Perform revaluations with sufficient regularity to ensure asset carrying values in the financial statements reflect fair value.
- Indexation alone is not normally a substitute for a full revaluation. A full revaluation may be needed to accurately establish fair values if asset values move significantly when indices are applied to them.
- Where indexation is used between full revaluations, the indices should be appropriate for the type of asset being assessed.
- Indexing can be unreliable in assessing whether the fair value of assets has moved over time. For example, some assets are valued based on re- collection cost estimates, which may fall over time due to improved re-collection methods and technology.
COMMUNICATION
- For mass or complex valuations, key stakeholders, including auditors, should be involved at the scoping stage and invited to planning meetings with valuers.
- Management should meet with the auditors regularly to discuss progress and outcomes.
- When issues are identified, management should consult with and seek advice from Treasury.
The state will need to implement five new accounting standards over the next two years.
The State has started developing processes it considers necessary to effectively implement the requirements of five new accounting standards. The changes are significant and will impact the financial position and results of agencies and the State.
The new requirements increase the risk of errors in the financial statements. To minimise this risk, agencies will need to devote resources and effort to collect the necessary information and assess the impact of the accounting changes at the whole of government level.
Treasury is liaising with and obtaining information from agencies to assess the impact of the new standards at the whole of government level. Treasury is also liaising with other Treasuries throughout Australia on common implementation issues. To help agencies implement the new standards, Treasury is developing guidance, preparing position papers on proposed accounting treatments, and mandating options within the new standards that agencies need to adopt on transition.
A $4.2 billion surplus, $1.5 billion more than was budgeted
The Total State Sector comprises 304 entities controlled by NSW Government
The General Government Sector, which comprises 212 entities, generally provides goods and services funded centrally by the State.
The non-General Government Sector, which comprises 92 Government businesses, generally provides goods and services, such as water, electricity and financial services that consumers pay for directly.
A principal measure of a Government’s overall performance is its Net Operating Balance (Budget Result). This is the difference between the cost of General Government service delivery and the revenue earned to fund these sectors.
WHAT CHANGED FROM 2017 TO 2018?
$4.2b |
2017-18 General Government Budget Result |
Changes in revenues compared to 2016-17
Dividends and distributions
|
Due to:
|
||
2016-2017 | Change | 2017-2018 | |
2.4b |
+1.3b |
3.7b |
Taxation
|
Due to:
|
||
2016-2017 | Change | 2017-2018 | |
30.8b |
+537m |
31.3b |
Grants & Subsidies
|
Due to:
|
||
2016-2017 | Change | 2017-2018 | |
31.4b |
+509m |
31.9b |
Sale of Goods and services
|
Includes:
|
||
2016-2017 | Change | 2017-2018 | |
8.2b |
+349m |
8.5b |
5.5b |
-185m |
5.3b |
Other revenues |
Changes to expenses compared to 2016-17
Recurrent Grants & Subsidies
|
Due to:
|
||
2016-2017 | Change | 2017-2018 | |
12.6b |
+1.3b |
13.9b |
Employee costs
|
Due to:
|
||
2016-2017 | Change | 2017-2018 | |
34.9b |
+1.2b |
36.1b |
Other operating expenses
|
Includes:
|
||
2016-2017 | Change | 2017-2018 | |
18.3b |
+1.4b |
19.7b |
|
6.8b |
+103m |
6.9b |
Other expenses |
$5.7b |
2016-17 General Government Budget Result |
The State maintained its AAA credit rating.
The object of the Fiscal Responsibility Act 2012 is to maintain the State’s AAA credit rating.
The Government manages NSW’s finances in alignment with the Fiscal Responsibility Act 2012 (the Act).
The Act establishes the framework for fiscal responsibility and the strategy to protect the State’s AAA credit rating and service delivery
to the people of NSW.
The legislation sets out targets and principles for financial management to achieve this.
New South Wales has credit ratings of AAA/ Stable from Standard & Poor’s and Aaa/ Stable from Moody’s Investors Service.
THE FISCAL TARGETS FOR ACHIEVING THIS OBJECTIVE ARE:
General Government annual expenditure growth is lower than long term average revenue growth.
General Government expenditure grew by 5.4 per cent in 2017-18. This was lower than the long-term revenue growth rate of 5.6 per cent.
Eliminating unfunded superannuation liabilities by 2030.
The Act sets a target to eliminate unfunded superannuation liabilities by 2030.
The State’s funding plan is to contribute amounts escalated by five per cent each year so the schemes will be fully funded by 2030. In 2017-18, the State made employer contributions of $1.7 billion, which is largely consistent with contributions over the past five years. Treasury expects superannuation liabilities will be fully funded by 2030 based on the funding program at the last triennial review (December 2015).
For fiscal responsibility purposes, the State uses AASB 1056: Superannuation Entities. This standard discounts superannuation liabilities using the expected return on assets backing the liability.
Using this method, the State’s unfunded superannuation liability was $14.0 billion at 30 June 2018 ($15.0 billion at 30 June 2017). The unfunded liability is $3.4 billion less than it was when the Act was introduced.
Revenues increased by $3.2 billion to $86.7 billion in 2017-18.
Revenues were underpinned by growth in taxation and Australian Government grant revenues, but stamp duties fell.
Tax revenue for the Total State Sector increased by $746 million, or 2.5 per cent compared to 2016-17, primarily due to a:
- $582 million increase in land tax from growth in land values
- $562 million increase in payroll tax from NSW employment and wages growth
- $1 billion decrease in stamp duty due to lower than expected growth in property market transactions, volumes and prices. In 2016-17, stamp duty included $718 million from the leases of Ausgrid and Endeavour Energy assets.
The State expects total stamp duties will fall to $9.5 billion in 2018-19, a decrease of almost $2.0 billion from 2016-17.
The State received Australian Government grants and subsidies of $30.9 billion in 2017-18.
The State received $444 million more in grants and subsidies from the Australian Government than it did in 2016-17. This was due to increases in GST revenues ($753 million) and special purpose payments ($683 million).
There was a decrease in National Partnership payments ($992 million), mainly due to the timing of major road projects including the Pacific Highway (Woolgoolga to Ballina), WestConnex and Western Sydney Infrastructure Program.
In 2017-18, sales of goods and services were $1.1 billion higher than in 2016-17. This reflected increased transaction revenue at Sydney Water ($139 million), the Department of Education ($133 million), WestConnex ($145 million), Department of Finance, Services and Innovation ($111 million) and Sydney Trains ($83 million).
Other dividends and distributions were $803 million higher than in 2016-17 mainly reflecting higher investment returns on TCorp investments.
$ |
83.5b |
+3.9% |
86.7b |
Total Revenue |
Key revenues include:
2016-2017 | Change% | 2017-2018 | ||
35.4b |
+2.8 |
36.3b |
Taxation, Fees, Fines, and other | |
31.4b |
+1.6 |
31.9b |
Grants & Subsidies | |
14.1b |
+8.1 |
15.2b |
Sale of Goods and Services |
Expenses increased $4.9 billion to $84.2 billion in 2017-18
Overall expenses increased 6.1 per cent compared to 2016-17. Most of the increase was due to higher employee and operating costs.
$ |
79.3b |
+6.1% |
84.2b |
Total Expenses |
Salaries and wages increased by 3.6 per cent compared to 2016-17.
Salaries and wages increased to $31.1 billion from $30 billion. This was due to inflation linked salary and wage increases and a reported increase in front line staff.
The Government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.
Operating expenses increased by 7.8 per cent from 2016-17.
Within operating expenses, payments for supplies, services and other expenses increased, in part, due to:
- increased costs of major rail projects, WestConnex, B-Line bus program and a new rail timetable
- addressing the maintenance backlog and higher school operating expenses of the Department of Education.
Key expenses include:
2016-2017 | Change% | 2017-2018 | ||
32.8b |
+3.8 |
34.1b |
Employee Expenses | |
21.6b |
+7.8 |
23.3b |
Operating Costs | |
9.7b |
+12.7 |
10.9b |
Grants & Subsidies | |
7.2b |
+6.6 |
7.6b |
Depreciation | |
4.6b |
+2.8 |
4.7b |
Superannuation Expense |
Health costs remain the highest expense of the State.
The Australian Bureau of Statistics introduced a revised Classification of the Function of Government Australia Framework (COFOG-A) effective 1 July 2017. This resulted in some re-classification of expenditure between purposes and now shows State expenses are highest in:
- Health (25.5 per cent)
- General Public Services (25.0 per cent)
- Education (19.6 per cent).
General Public Services includes the executive and legislative branches, financial affairs, public debt transactions and general public service transactions.
The graph highlights the annual expenditure by function and the value of assets to deliver those services.
Assets grew by $35.6 billion to $443 billion in 2017-18
Valuing the State’s physical assets.
The State had physical assets with a fair value of $339 billion at 30 June 2018. This includes land and buildings ($161.6b) and Infrastructure ($160.2b).
Our audits assess the reasonableness and appropriateness of assumptions used to value physical assets. This includes obtaining an understanding of the valuation methodologies used and judgements made. We also review the completeness of asset registers and the mathematical accuracy of valuation models.
Net movements between years include additions, disposals, depreciation and valuations. This year, revaluations of physical assets added $24.5 billion to the value of the State’s assets. This was mainly attributable to the following agencies:
- Department of Education - $8.5 billion
- Roads and Maritime Services - $7.4 billion.
The State’s financial assets increased by $308 million in 2017-18 ($27.5 billion in 2016-17).
In 2016-17, the significant increase in financial assets was primarily from the sale or lease of the following government assets and businesses:
- In June 2017, the Government leased 50.4 per cent of Endeavour Energy assets, which followed the long-term lease 50.4 per cent of Ausgrid’s assets in December 2016. The Government received proceeds of $24.0 billion from these transactions.
- A 35-year concession for providing titling and registry services, effective 30 June 2017, was granted to a private sector operator. The Government received $2.6 billion cash for the concession.
The Government implemented reforms relating to the use the State’s financial assets.
In 2017-18, the Asset and Liability Committee, which advises the Government on balance sheet management, recommended the following policy actions and frameworks to help manage the State’s financial risks and opportunities:
- expanding the scope of cash management reforms to give the State a whole-of-government view on the use of surplus funds. Treasury advises these reforms have centralised funds management of approximately $3.0 billion
- endorsing a new whole-of-government Foreign Exchange (FX) Risk Policy (effective 1 July 2018) to effectively manage the State’s FX risk
- expanding management of the State’s debt portfolio to minimise interest rate risks, reduce interest costs where possible, and extend the average weighted life of the General Government’s debt portfolio towards eight years
- endorsing establishment of a ‘sustainability bond’ program to further diversify and expand the State’s bond investor base and raise awareness of the Government’s social and environmental initiatives.
The State has established the NSW Generations Fund to maintain debt at sustainable levels.
The State established the NSW Generations Funds (NGF) in June 2018 to support debt retirement and to fund community-focused initiatives. The Government has indicated it will initially capitalise the NGF with $3.0 billion from its reserves.
The NSW Generations Funds Act 2018 requires an audit of each NSW Generations Fund by the Auditor- General (including a report by the Auditor-General on whether payments from the Funds have been made in accordance with the Act). The first audit of the fund will be for the period up to 30 June 2019.
$ |
407b |
+8.7% |
443b |
Total Assets |
Key assets include:
2016-2017 | Change% | 2017-2018 | ||
Physical Assets | ||||
147.0b |
+9.0 |
160.2b |
Infrastructure | |
143.4b |
+12.7 |
161.6b |
Land and Buildings | |
Financial Assets | ||||
27.7b |
- 4.6 |
26.4b |
Equity investments | |
20.6b |
- 5.2 |
19.5b |
Cash and Recievables | |
40.5b |
+6.5 |
41.3b |
Investments and Placements |
Liabilities increased $5.1 billion to $189 billion in 2017-18
Valuing the State’s liabilities relies on actuarial assessments.
Nearly half of the State’s liabilities relate to its employees. They include unfunded superannuation, and employee benefits, such as long service and recreation leave.
Valuing these obligations involves complex estimation techniques and significant judgements. Small changes in assumptions can materially impact the values and the financial statements.
The State’s superannuation obligations fell $2.2 billion in 2017-18.
The State’s $56.4 billion unfunded superannuation liability represents obligations to past and present employees less the value of assets set aside to meet those obligations. The unfunded superannuation liability fell from $58.6 billion to $56.4 billion in 2017-18.
The State’s borrowings at 30 June 2018 were $700 million higher than they were at 30 June 2017.
The State’s borrowings totalled $71.3 billion at 30 June 2018.
TCorp issues bonds to raise funds for NSW Government agencies. These are actively traded in financial markets, which provides price transparency and liquidity to public sector borrowers and institutional investors. All TCorp bonds are guaranteed by the NSW Government.
The Government manages its debt liabilities through its balance sheet management strategy. The strategy extends to TCorp, which applies an active risk management strategy to the Government’s debt portfolio.
General Government Sector debt has been restructured by replacing shorter-term debt with longer-term debt. This lengthens the portfolio to match liabilities with the funding requirements for infrastructure assets.
$ |
184b |
+2.8% |
189b |
Total Liabilities |
Key liabilities include:
2016-2017 | Change% | 2017-2018 | ||
58.6b |
- 3.7 |
56.4b |
Unfunded Superannuation | |
18.3b |
+4.7 |
19.1b |
Other Employee Benefits | |
70.6b |
+1.0 |
71.3b |
Borrowings |
Actions for Members' Additional Entitlements 2017
Members' Additional Entitlements 2017