Reports
Actions for Customer Service 2021
Customer Service 2021
This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.
Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.
As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.
What the report is about
The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.
What we found
Unmodified audit opinions were issued for all Customer Service cluster agencies.
The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.
Seven out of eight agencies did not complete all mandatory early close procedures.
What the key issues were
Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.
The department reported several retrospective corrections of prior period errors.
The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:
- the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
- the Department of Customer Service – significant control deficiencies in information technology change management controls
- Rental Bond Board – uncertainties in the accounting treatment of rental bonds.
The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.
The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.
What we recommended
The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.
The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.
The department should continue to improve controls in cyber security management.
Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.
The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.
Fast factsThe Customer Service cluster aims to plan, prioritise, fund and drive digital transformation and customer service across every cluster in the NSW Government.
|
This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.
Section highlights
|
Findings reported to management
Forty-two per cent of findings reported to management were repeat issues
Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.
In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).
The most common repeat issues related to weaknesses in controls over information technology user access administration.
A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.
The table below describes the common issues identified across the cluster by category and risk rating.
Risk rating | Issue |
Information technology | |
High3 1 new, 1 repeat |
The financial audits identified the need for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with:
High-risk issues are discussed later in the chapter. |
Moderate2 |
|
Low1 |
|
Internal control deficiencies or improvements | |
Moderate2 |
The financial audits identified internal control weaknesses across key business processes, including:
|
Low1 |
|
Financial reporting | |
High3 |
The financial audits identified opportunities for agencies to strengthen financial reporting, including:
High-risk issues are discussed later in the chapter. |
Moderate2 |
|
Low1 |
|
Governance and oversight | |
Moderate2 10 new, 3 repeat |
The financial audits identified opportunities for agencies to improve governance and oversight processes, including:
|
Low1 3 new |
|
Non-compliance with key legislation and/or central agency policies | |
Moderate2 4 new, 4 repeat |
The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including:
|
Low1 1 repeat |
2020–21 audits identified three high-risk findings
High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.
Agency | Description |
2020–21 findings | |
Department of Customer Service Repeat finding: Qualifications and control deviations in GovConnect NSW controls assurance reports |
The GovConnect information technology general controls (ITGC) provided by the department, Infosys and Unisys were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access. The control deficiencies in ITGC increase:
The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. It is leading a new IT operating model called ‘Service Integration and Application Management’ (SIAM) to strengthen governance and improve performance of GovConnect service providers. The Department is responsible for the remediation of control deficiencies and continuous improvement in the GovConnect environment. This matter was assessed as high-risk, if not adequately addressed, it had the potential to result in material fraud and error in the department's financial statements and reputation damages. This issue is further discussed later in this chapter. |
2020–21 findings | |
Department of Customer Service New finding: Change management significant control deficiencies |
Revenue NSW, a division of the department has a key role in managing the State’s finances. It administers State taxes, manages fines, recovers State debt and administers grants and subsidies. The audit team found significant control deficiencies in change management controls:
We have included this matter as a high-risk management letter finding, as the audit team could not identify mitigating controls. The system activity of these developers was also not being independently logged and monitored. This increases the risk of unauthorised system change. This can significantly affect the integrity of tax calculation, business process approvals, invalid changes to bank accounts, unauthorised refunds and write-offs. The audit team conducted a risk analysis over the relevant business processes affected by this issue and performed additional audit procedures to address the audit risk. |
Rental Bond Board Repeat finding: Accounting treatment of rental bonds held in trust |
The Rental Bond Board (the Board) holds rental bonds totalling $1.7 billion at 30 June 2021. The Board treated the rental bonds off-balance sheet and disclosed the rental bonds as ‘trust funds’. This treatment is based on management’s judgement that the Board does not have control of these funds. Previously the Board obtained advices from the Crown Solicitors who stated that in their view the rental bond funds held in the rental bond account were not moneys held in trust and the Residential Tenancies Act 2010 (the Act) should be reviewed and amended to better support its accounting treatment of rental bonds. The Board has initiated the need to amend the Act, however the implementation of the legislative amendments is still pending. This matter was assessed as high-risk, if not adequately supported, it had the potential to result in material misstatements in the Board's financial statements. |
The number of moderate risk findings increased from prior year
Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.
Moderate risk findings include:
- weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
- accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
- formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
- use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.
The magnitude and number of internal control exceptions in GovConnect service providers have increased
In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.
The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.
The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.
The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.
The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.
ASAE 3402 controls report# | 2015–16^ | 2016–17 | 2017–18 | 2018–19 | 2019–20 | 2020–21 |
Infosys Accounts receivable | Qualified | Unqualified | Unqualified | Unqualified | Unqualified | Qualified |
Infosys Accounts payable | Qualified | Qualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys Fixed assets | Qualified | Unqualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys General ledger | Qualified | Qualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys Payroll | Adverse | Qualified | Unqualified | Unqualified | Unqualified | Unqualified |
Infosys ITGC | Qualified | Qualified | Unqualified | Unqualified | Unqualified | Qualified |
Unisys ITGC | Qualified | Unqualified | Qualified | Qualified | Unqualified | Qualified |
The department ITGC* | -- | -- | -- | -- | Qualified | Qualified |
ServiceFirst** | Disclaimer | -- | -- | -- | -- | -- |
In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:
- the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
- of the deviations identified during sample testing of ITGC controls
- the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.
Internal control exceptions in GovConnect information and technology services require urgent remediations
The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:
- fraud and error in the financial statements
- ineffective segregation of duties controls
- accuracy and completeness of system generated reports for the agencies using the SAPConnect system.
The table shows the number of ITGC control deviations compared to prior year:
Year ended 30 June | 2021 | 2020 | ||
Total controls tested | Total number of control deviations and findings | Total controls tested | Total number of control deviations and findings | |
Infosys ITGC | 41 | 16 | 35 | 8 |
Unisys ITGC | 25 | 11 | 33 | 4 |
DCS ITGC | 31 | 9 | 10 | 5 |
Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.
The service auditor identified significant areas for remediation:
- governance arrangement of the IT services
- user access management controls
- SAP database controls
- logical access
- incident management.
In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.
The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.
Recommendation
We recommend the Department of Customer Service:
- improve governance and internal control environment over the information technology services
- ensure GovConnect service providers prioritise remediation actions to address internal control exceptions
- perform a post-implementation review of the transition of the Unisys arrangement to identify lessons learnt and continuous improvement
- develop data analytics to help analyse and identify high-risk patterns and anomalies in GovConnect key transaction systems, augmenting their existing monitoring and detective controls.
The NSW Public Sector's cyber security resilience needs urgent attention
The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.
The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:
- considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
- examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
- conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.
A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:
- clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
- require agencies to report the target level of maturity for each mandatory requirement.
A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.
The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.
The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.
The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.
Repeat recommendation
Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.
Management of cyber security risk
Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.
Our assessment of the department’s own cyber risk management shows that:
- an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
- a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.
The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.
Recommendation
We recommend the Department of Customer Service:
- establish an approved security incident response plan and formal process over patch management
- improve communications with cluster agencies over the controls and assurance in cyber security management.
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Appendix five – Status of 2020 recommendations
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for COVID Intensive Learning Support Program
COVID Intensive Learning Support Program
What the report is about
This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.
The audit assessed the design and implementation of the program.
What we found
The program design was based on research and data showing learning loss during 2020.
The department rapidly planned and developed the policy design and guidelines for schools.
Governance arrangements matured during program delivery.
The department changed the models for funding schools but did not clearly explain the reasons for doing so.
Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools.
Guidelines, resources and professional learning helped schools implement the program.
Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas.
Online tuition and third-party provider options were developed throughout the program.
There were issues with the quality and timeliness of data used to monitor school progress.
Evaluation arrangements were developed early in the program.
Data limitations mean the evaluation will not be able to fully assess all program objectives.
What we recommended
- Distributing funds between schools more equitably and improving communication of the funding methods.
- Clearer communication about the intended targeted group of students.
- Reviewing the time needed to administer the program.
- Improve support for educators other than qualified teachers.
- Offer the online tuition program to more schools.
- Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
- Working with universities to increase use of pre-service teachers in the program.
The report also identifies lessons learned for future programs.
Fast facts
- $337m in total program funding. $289 million for government schools and $31 million for non government schools
- 12 days to develop the policy and provide costings to Treasury
- 290,000 targeted students in government schools and 31,000 in non government schools
- 80% of schools were providing small group tuition by the target start date of Week 6, Term 1
- 2–4 months was the estimated student learning loss from the move to learning from home during 2020
- 7,600 tutors engaged in the program as at September 2021.
The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:
- $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
- $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.
The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):
- effectively designed the program and supporting governance arrangements
- is effectively implementing the program.
This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.
Conclusion
The COVID Intensive Learning Support Program was effectively designed to help students catch up on learning loss due to the interruptions to schooling caused by COVID-19. The department rapidly stood up a taskforce to implement the program and then developed supporting governance arrangements during implementation.
Most students in New South Wales were required to learn from home for at least seven weeks during 2020 due to the impact of the Novel-Coronavirus (COVID-19). The department researched, analysed and advised government on several options to address the learning loss that resulted. It recommended small group tuition as the preferred option as it was supported by available evidence and could be rolled out at scale with speed. It identified risks of ensuring an adequate supply of educators and options to address those risks. Consistent with its analysis of where the impact of the learning loss was most severe, the department proposed to direct funding to schools with higher concentrations of students from the most disadvantaged backgrounds.
The department established a cross-functional taskforce to conduct detailed planning and support program implementation. Short timeframes meant the taskforce initially sought approval for key decisions from the program sponsor and existing oversight bodies on an as-needed basis before dedicated program governance arrangements were formalised. Once established, the governance body met regularly to oversee program delivery.
The COVID Intensive Learning Support Program is being effectively implemented. The department has refined the program during rollout to respond to risks, issues and feedback from schools. Issues with how schools enter data into department systems have affected the timeliness and accuracy of program monitoring information.
The department provided schools with guidelines, example models of delivery, systems to record student progress and professional learning. Around 80 per cent of schools had begun delivering tuition under the program by the target date. Schools reported issues with sourcing qualified teachers as a key reason they were unable to start the program by the expected date. In response, the department expanded the type of staff schools could employ, developed an online tuition program, and allowed schools to engage third-party providers to help schools that had difficulty finding qualified teachers for the program.
The department used existing systems to monitor school progress in implementing the program. This reduced the administrative burden on schools, but there were several issues with data quality and timeliness. The program included a mid-year review point to check whether schools were on track to spend their funding. This helped focus schools on ensuring funding would be spent and allowed for redistribution between schools.
The department considered program evaluation early in policy design and planning. It embedded an evaluator on the taskforce and expanded a key assessment program to help provide evidence of impact. A process and outcome evaluation is underway which will help inform future delivery. The evaluation will examine educational impacts for students participating in the program but it has not established methods to reliably assess the extent to which the program has met a goal to help 'close the equity gap' for students.
This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.
This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #358 - released (15 December 2021).
Actions for Premier and Cabinet 2021
Premier and Cabinet 2021
This report analyses the results of our audits of the Premier and Cabinet cluster agencies for the year ended 30 June 2021.
Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.
As there are no outstanding matters relating to audits in the Premier and Cabinet cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.
What the report is about
The results of the Premier and Cabinet cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2021.
What we found
Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.
The number of monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.
The Library Council of New South Wales corrected a prior period error of $325 million. In 2017, the council split its collection assets into six asset classes, but not the related asset revaluation reserves. To correct this error, some revaluation decrements previously recognised in asset revaluation reserves were reclassified to accumulated funds.
Eight agencies did not complete all of the mandatory early close procedures.
What the key issues were
The Premier and Cabinet cluster was impacted by three Machinery of Government (MoG) changes during 2020–21.
The changes resulted in the transfer of activities and functions in and out of the cluster and the creation of a new entity - Investment NSW.
The transferor entities continued to provide services to Investment NSW subsequent to 30 June 2021. There were no formal service level agreements in place for the provision of these services.
The New South Wales Electoral Commission (the Commission) and Sydney Opera House Trust obtained letters of financial support from their relevant Minister and/or NSW Treasury in 2020–21. The postponement of local government elections impacted the Commission's operations due to increased planned expenditure to support a COVID-safe election. Sydney Opera House Trust's ability to generate revenue was impacted due to the closure of the Concert Hall partly due to COVID-19 and planned renovations.
The number of repeated audit issues raised with management and those charged with governance increased from 22 in 2019–20 to 24 in 2020–21.
There were 47 moderate risk and 28 low risk findings identified. Of the total findings there were 24 repeat issues.
What we recommended
Investment NSW should ensure services received from other agencies are governed by service level agreements.
Fast facts
The Department of Premier and Cabinet supports the Premier and Cabinet to deliver the government's objectives, infrastructure, preparedness for disaster, incident recovery, arts and culture.
- $11.9b of property, plant and equipment as at 30 June 2021
- $4.4b total expenditure incurred in 2020-21
- 100% unqualified audit opinions were issued on agencies' 30 June 2021 financial statements
- 47 moderate risk findings were reported to management
- 38 monetary misstatements were reported in 2020-21
- 32% of all reported issues were repeat issues.
This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster (the cluster) for 2021.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.
Section highlights
|
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Delivering school infrastructure
Delivering school infrastructure
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the planning and delivery of new, redeveloped and upgraded public schools.
School Infrastructure NSW has identified the need to accommodate an additional 180,000 enrolments in public schools by 2039 with a large portion of this growth expected in metropolitan Sydney. It has also identified that around 34,000 teaching spaces will require upgrading to be fit-for-purpose.
Although School Infrastructure NSW has developed a long-term strategic plan that advises government of ongoing funding requirements, it has not presented a list of priorities to meet those needs. Developing a longer-term list of priorities would help signal the areas of greatest need and allow more time to develop the best options to meet those needs.
The audit found that School Infrastructure NSW has focused on delivering existing projects, election commitments and other government announcements. This has diverted attention from identifying and delivering projects that would have better met present and future needs.
The report makes eight recommendations to improve long-term planning for future needs, strengthen the quality of estimated project costs and benefits, and embed a continuous improvement program.
In 2016, the Department of Education prepared a School Assets Strategic Plan (2016 SASP) which outlined long-term funding needs to support the expected growth in enrolments to 2031. Following the release of the 2016 SASP, the NSW Government substantially increased funding for new and upgraded schools from $2.4 billion in the 2016–17 State Budget to $4.2 billion in 2017–18.
In 2017, the Department of Education established School Infrastructure NSW (SINSW) to lead the delivery of the 2016 SASP and the 123 new projects announced in the 2017–18 Budget. This significantly larger program of work required rapid development of internal capacity, governance arrangements, and project management systems. This needed to be done at the same time as scoping and planning for the list of announced projects.
As there are limited funds available to meet growing needs across the State, it is important that SINSW has effective methods to prioritise projects to communities with the greatest need. To ensure that projects deliver value for money, business cases need to have robust estimates of project costs and benefits. Business cases also need to account for the inherent risks in delivering infrastructure projects. Unplanned cost escalations can reduce the number of new or modernised classrooms SINSW can deliver. Unforeseen delays may also impact families who make significant life choices based on their expectations that a school will open at the beginning of the school year.
The objective of this audit was to assess the effectiveness of planning and delivery of new, upgraded and redeveloped schools to meet demand for public school education in New South Wales. To address this objective, the audit examined whether the Department:
- has effective procedures for planning and prioritising school capital works to meet present and future demands
- develops robust business cases for school capital works that reliably inform decision-making
- has effective program/project governance and management systems that support delivering projects on-time, within budget and achievement of intended benefits.
The audit examined business cases for 12 projects as case studies. These include a mix of projects initiated before and after the establishment of SINSW.
This audit commenced in June 2020 and examined strategies and demographic projections developed prior to the emergence of COVID-19. This audit did not examine potential longer-term impacts of COVID-19 on future demands for public school education.
ConclusionSchool Infrastructure NSW has been focused on delivering existing projects, election commitments and other government announcements. This has diverted attention from identifying and delivering projects that would have better met present and future student and classroom needs. While it has developed a long-term strategic plan that advises government of ongoing funding requirements, it has not presented a list of priorities to meet these needs. In its first years of operation, SINSW has focused on delivering existing projects and the 123 new projects announced in the 2017–18 Budget. Further NSW Government announcements in the 2018–19 Budget, election commitments in the 2019–20 Budget, and announcements in the 2020–21 Budget, made up the majority of new projects, rather than projects prioritised by SINSW. In early 2020, SINSW advised the NSW Government that the currently funded infrastructure program would not meet forecast classroom requirements for 2023 and beyond. The School Asset Strategic Plan 2020 estimates the annual level of investment needed over the next 20 years to meet growth, update and upgrade facilities to meet compliance obligations. However, SINSW’s ten-year Capital Investment Plans for 2018–19, 2019–20 and 2020–21 only identified priorities over a two-year horizon. Developing a longer-term pipeline of priorities would signal the areas of greatest need and allow greater scope to consider a range of options to best meet those needs. SINSW has made progress in planning across geographic areas but needs to better prioritise which projects move forward. Given the current and projected needs for new classrooms, it is vital that SINSW provides long-term advice based on thorough state-wide analysis to help prioritise projects that best meet this demand. SINSW has improved its capabilities, processes, and systems to support planning in ‘School Community Groups’, which are clusters of between 5 to 15 schools in a geographic area. This addresses a key direction identified in the School Assets Strategic Plan 2016. It has developed a planning tool which allows it to prioritise School Community Groups based on weighted criteria. It has also developed an approach to identify potential projects within School Community Groups but has not yet put in place a structured process to prioritise which projects move to the business case stage to seek funding for delivery. Business cases we examined established service needs, but several had shortcomings in scope definition, cost estimation and risk identification. Most business cases we examined demonstrated the service need and consultation with stakeholders helped to incorporate educational requirements. Common templates and specific cost-benefit guidance developed in partnership with NSW Treasury has helped to promote consistency across business cases. However, there were shortcomings in several business cases we reviewed. Business cases for projects already announced by government presented a limited number of options, and the process for eliminating other options was not transparent. Cost increases and contingency drawdowns for several projects indicate that scoping, costing and risk assessments could be improved, especially for complex projects. Standard program management systems and governance arrangements support project delivery, however, there is scope for better ongoing oversight of benefits. SINSW applies standard governance arrangements to projects based on their size. Higher value projects have executive oversight while lower value projects are overseen on a regional basis. SINSW has improved its project management systems to provide more consistent data and greater transparency to senior management over project status, cost and use of contingencies. SINSW has worked with NSW Treasury to define a consistent set of benefits for new and redeveloped schools. Estimated benefits are currently based on international contexts but SINSW advises it is undertaking further research to improve the evidence base in this area. The current approach to ongoing monitoring, reporting and evaluation of project benefits places responsibility on the infrastructure delivery team. This team is not the most appropriate area to monitor ongoing benefits, which are expected to accrue many years after delivery and depend on actions in other areas of the Department. |
1. Key findings
SINSW delivered projects against an established program of works in its first years of operation
At establishment, SINSW inherited a portfolio of existing projects and 123 new projects announced as part of the 2017–18 Budget (to commence over 2017–18 and 2018–19). It has progressively worked through individual project planning to deliver against these projects.
The 2018–19 Budget funded two new projects that had not already been announced. Both projects were identified by SINSW as a priority. The 2018–19 Budget also allocated funding for 'planning' 22 new projects. Seventeen of the 22 projects had been identified by SINSW as a priority.
SINSW identified 31 new priority projects in its Capital Investment Plan for 2019–20. Thirteen of these projects were funded in that year with a further 27 projects included as election commitments. SINSW identified 20 new projects in its Capital Investment Plan for 2020–21 but only two of these were funded. SINSW advised this was due to a constrained budget environment.
There is an anticipated shortfall of classrooms based on the current funded program
Despite increased funding since 2017–18, SINSW advised the NSW Government in early 2020 that the currently funded infrastructure program would not meet forecast classroom requirements for 2023 and beyond. Accordingly, it is vital that new funding is prioritised to projects which best meet demand.
SINSW only identified specific priorities over a two-year horizon in its Capital Investment Plans for 2018–19, 2019–20 and 2020–21. The School Assets Strategic Plan 2016 and the 2020 update make the case for sustained funding for school building and redevelopment. These plans estimate annual funding requirements and show geographic areas with increasing forecast enrolments. Detailing how priorities over a ten-year timeframe fit within a ten-year capital planning limit would create more certainty about meeting growth demands.
There has been progress in formalising prioritisation frameworks, data tools and supporting governance arrangements
SINSW committed to planning for new and redeveloped schools in 'School Community Groups' in the School Assets Strategic Plan 2016. This is a new way of planning which considers the educational needs over a defined geographical area. It has developed a planning tool to prioritise School Community Groups based on weighted criteria. It has also established governance frameworks to improve transparency over decisions to reprioritise this list.
SINSW has refined its approach to planning in School Community Groups over the past four years. It now prepares Service Needs Reports to investigate needs, identify projects, prioritise, determine scope and timing, and assess non-capital options. SINSW has yet to finalise arrangements for how needs identified in Service Needs Reports progress to the strategic business case stage.
Projects announced prior to developing a business case have less opportunity to consider a range of options to meet the service needs
Business cases for projects already announced by government (or announced for planning) go through the same process of determining the service need and impacts on surrounding schools. However, for some announced projects, the range of options considered in the business case is influenced by the parameters of the announcement. This makes it more difficult to genuinely pursue alternate options that could better meet the identified service need.
Projects identified by SINSW have a more rigorous process of considering options. Service Needs Reports explore a wide range of asset and non-asset interventions across the School Community Group. Options are narrowed as the projects move through the strategic and final business case stages. SINSW uses its Investment Review Committee to engage key stakeholders early in the process so that they are informed about how non-asset solutions have been considered and why SINSW is progressing the business case for a capital solution for particular projects.
Several business cases underestimated project costs and risks, leading to scope and budget increases
Several business cases we reviewed did not adequately identify the initial scope requirements, project-specific risks or the likely project cost. For two business cases, this appeared to be due to an attempt to fit the project within a predetermined amount. Announcing a project’s scope, budget and timeframe before proper planning increases risks to successful delivery against expectations.
Several of the projects we examined required drawdowns on contingency funds due to inadequate consideration of scope, costs and project risks at the planning stage. Contingency funds are intended for unanticipated extra costs rather than those that could have or should have been identified at the planning stage.
Guidance on benefit calculations has provided a consistent framework for business cases
Business cases we examined presented a consistent set of benefits based on guidance developed in partnership with NSW Treasury. Following this guidance helps to compare cost-benefit analyses across business cases. However, the evidence for the estimated benefits is based on contexts outside of NSW. SINSW has the tools and data sources to calculate benefits more suited to the context of particular schools. Doing so would improve the accuracy of cost-benefit analyses. SINSW advised that it is currently updating the guidance in partnership with NSW Treasury.
SINSW involves school principals, executives and teaching staff in developing education rationales when commencing projects. These documents help align projects with education outcomes. They also provide a baseline for post-occupancy evaluation, which is important to determine whether the new school infrastructure is being used in the ways that were anticipated in the business case.
SINSW could elevate its existing assurance review process to consolidate lessons learned
SINSW engages external peer reviewers to conduct assurance reviews on its projects at multiple stages of planning and delivery. It has established a Community of Practice for external reviewers to keep them up to date on new developments and requirements. Higher value projects are also subject to review by Infrastructure NSW under the Investor Assurance Framework.
By looking at all projects at all stages, assurance reviews can identify systematic issues across the full portfolio of projects. A recent assurance review analysed common findings from reviews of strategic and final business cases. This provides a helpful way to improve internal processes. SINSW advised that it is implementing a continuous improvement program, which will be able to take findings from assurance reviews to build organisational capabilities.
2. Recommendations
By September 2021, the Department of Education should:
- finalise the investment prioritisation approach with agreement from key stakeholders
- finalise and update on an ongoing basis a ten-year list of priorities to meet the forecast demand for new classrooms and contemporary fit for purpose learning environments, which identifies individual projects and programs in the short-term and priority geographic areas and programs in the medium-term
- seek a ten-year Capital Planning Limit from NSW Treasury to ensure the needs identified in the ten-year list of priorities are met and are coordinated with the forward capital programs of other agencies
- improve the quality of data on cost benchmarks that underpin the annual ten-year Capital Investment Plan and updates to the School Assets Strategic Plan
- embed an evidence-based cost benefit analysis framework for school investment, in consultation with NSW Treasury, by:
- validating benefits estimated in previous business cases with actual results
- building the evidence base in relation to contemporary learning environments
- regularly share data on forecast needs with relevant planning agencies to promote strategic opportunities for servicing education needs
- implement the continuous improvement program for service planning, options assessment, business case development, project delivery and handover. The program should be informed by findings from assurance reviews, post-occupancy evaluations and project lessons learned
- establish benefits realisation processes and practices that:
- ensure business cases set baselines and targets for benefits
- review benefits during delivery, prior to handover and as part of Post Occupancy Evaluations
- identify which part(s) of the Department are best placed to develop, manage and evaluate benefits on an ongoing basis.
Note: The Department's formal response to this report at Appendix one states that while it 'supports the recommendations, it considers the proposed six-month timeframe to be an unreasonably short period for a large and complex organisation to effectively implement many of these recommendations'. It suggests 12 months would be needed to implement the recommendations. The recommendations stemming from this audit are core business for SINSW. The Audit Office considers it important for SINSW to place priority on implementing the recommendations in time to inform the 2022–23 budget cycle. Extending the deadline to April 2022 would place action outside of that budget cycle. |
There have been significant increases in funding for education infrastructure since the 2017–18 Budget and further growth in demand for places in schools is forecast. SINSW has the challenge, not only of meeting the need for new classrooms due to population growth, but also upgrading facilities to enable modern teaching techniques. In addition, community expectations of what constitutes a vibrant and successful school community continues to increase.
Given growing demand and budget constraints, projects must be selected to best meet the needs of the community and planning and prioritisation are vital. SINSW has been progressing planning for announced projects as well as implementing a new type of strategic state-wide planning and prioritisation, cluster planning, where options are developed for School Community Groups.
The primary role of a business case is to reliably inform an investment and/or policy decision. Over the period of review, the NSW Government's guidelines for business cases have established this requires recommendations based on convincing arguments, sufficient evidence, and accurate costing of alternatives and expected benefits. Business case guidelines are underpinned by guides for economic appraisal and cost-benefit analysis.
As SINSW moves to prioritise business cases for interventions in School Community Groups, it will increasingly need to demonstrate rigour in its assessment of all options. It will also need to ensure that scope identification, cost and risk planning and the setting of contingencies are accurate. This will help decision-makers better understand, plan for and manage the investment required to meet the demand for school infrastructure.
For this audit, we examined business cases and related documentation for 12 projects. Several of these projects were developed before School Infrastructure NSW was established in mid-2017.
Over the period of review, NSW Government policies for business case development and submission have emphasised that effective governance arrangements are critical to a proposal's successful implementation.
SINSW's guidance similarly highlight the importance of effective governance and project management for achieving good outcomes. It prescribes a general governance structure managed by SINSW that can be tailored to the planning and delivery of school infrastructure projects.
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright Notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #347 - released (8 April 2021).
Auditor-General’s Report to Parliament on Delivering School Infrastructure
This corrigendum has been prepared to amend the following text within my Auditor-General’s Report to Parliament on Delivering School Infrastructure, dated 8 April 2021.
On page two, the original text was as follows:
Further NSW Government announcements in the 2018–19 Budget and election commitments in the 2019–20 Budget made up the majority of new projects, rather than projects prioritised by SINSW.
The original text has now been changed to
Further NSW Government announcements in the 2018–19 Budget, election commitments in the 2019–20 Budget, and announcements in the 2020–21 Budget, made up the majority of new projects, rather than projects prioritised by SINSW.
On page three, the original text was as follows:
The 2018–19 Budget funded three new projects that had not already been announced. One of the three projects was identified by SINSW as a priority.
The original text has now been changed to:
The 2018–19 Budget funded two new projects that had not already been announced. Both projects were identified by SINSW as a priority.
On page three the original text was as follows:
SINSW identified 33 priority projects in its Capital Investment Plan for 2019–20.
The original text has now been changed to
SINSW identified 31 new priority projects in its Capital Investment Plan for 2019–20.
On page eleven, in Exhibit 4, the original text was as follows:
The 2018–19 NSW Budget announced funding for an additional 43 new and upgraded schools to commence works in 2018–19. Of the 43 projects:
• 1 was identified by SINSW as a priority in its Capital Investment Plan (SINSW requested funding for one new project)
• 40 had already been announced
• 2 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).
The original text has now been changed to:
The 2018–19 NSW Budget announced funding for an additional 42 new and upgraded schools to commence works in 2018–19. Of the 42 projects:
• 2 were identified by SINSW as a priority in its Capital Investment Plan (SINSW requested funding for two new projects)
• 40 had already been announced.
On page eleven, the original text was as follows:
The 2019–20 NSW Budget announced funding for an additional 40 new and upgraded schools as election commitments. Of the 40 election commitment projects:
• 13 were identified by SINSW as priorities in its Capital Investment Plan (SINSW requested funding for a total of 33 new projects)
• 27 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).
The original text has now been changed to:
The 2019–20 NSW Budget announced funding for an additional 40 new and upgraded schools as election commitments. Of the 40 election commitment projects:
• 13 were identified by SINSW as priorities in its Capital Investment Plan (SINSW requested funding for a total of 31 new projects)
• 27 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).
The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.
Actions for Internal Controls and Governance 2017
Internal Controls and Governance 2017
Agencies need to do more to address risks posed by information technology (IT).
Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
1. Overall trends
New and repeat findings |
The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved. |
High risk findings |
Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies. |
Common findings |
Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity. |
2. Information Technology
IT security |
Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls. |
Cyber security |
Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Other IT systems |
Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems. |
3. Asset Management
Capital investment |
Agencies report delays delivering against the significant increase in their budgets for capital projects. |
Capital projects |
Agencies are underspending their capital budgets and some can improve capital project governance. |
Asset disposals |
Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes. |
4. Governance
Governance arrangements |
Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues. |
Shared services |
Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set. |
5. Ethics and Conduct
Ethical framework |
Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics. |
Conflicts of interest |
All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
6. Risk Management
Risk management maturity |
All agencies have implemented risk management frameworks, but with varying levels of maturity. |
Risk management elements |
Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency. |
This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.
This new report offers strategic insight on the public sector as a whole
In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.
This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.
Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.
These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.
Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:
- Overall trends
- Information technology
- Asset management
- Governance
- Ethics and conduct
- Risk management.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.
Issues |
Recommendations |
1.1 New and repeat findings |
|
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies. |
Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis. |
1.2 High risk findings |
|
We found seven high risk internal control deficiencies, which might significantly affect agencies. |
Recommendation Agencies should rectify high risk internal control deficiencies as a priority |
1.3 Common findings |
|
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies. |
Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies. |
Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.
Issues | Recommendations |
2.1 IT security |
|
User access administration While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems. |
Recommendation Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:
|
Privileged access Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access. |
Recommendation Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:
|
Password controls Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls. |
Recommendation Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:
|
2.2 Cyber Security |
|
Cyber security framework Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Recommendation The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents. |
Cyber security strategies While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness. |
Recommendations The Department of Finance, Services and Innovation should:
Agencies should ensure they adequately resource staff dedicated to cyber security. |
2.3 Other IT systems |
|
Change control processes Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes. |
Recommendation Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems. |
Disaster recovery planning Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis. |
Recommendation Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans. |
Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:
- manage their major capital projects
- dispose of existing assets.
Issues | Recommendations or conclusions |
3.1 Capital investment |
|
Capital asset investment ratios Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one. |
Recommendation Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs. |
Volume of capital spending Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years. |
Conclusion The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years. |
3.2 Capital projects |
|
Major capital projects Agencies’ major capital projects were underspent by 13 percent against their budgets. |
Conclusion The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time. |
Capital project governance Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects. |
Conclusion Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight. |
3.3. Asset disposals |
|
Asset disposal procedures Agencies need to strengthen their asset disposal procedures. |
Recommendations Agencies should have formal processes for disposing of surplus properties. Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption. |
Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.
This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.
Issues | Recommendations or conclusions |
4.1 Governance arrangements |
|
Continuous disclosure Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations. |
Conclusion Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:
|
4.2 Shared services |
|
Service level agreements Some agencies do not have service level agreements for their shared service arrangements. Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements. |
Conclusion Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:
|
Shared service performance Some agencies do not set performance standards for their shared service providers or regularly review performance results. |
Conclusion Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received. Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money. |
All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.
This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.
We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.
Issues | Recommendations or conclusions |
5.1 Ethical framework |
|
Code of conduct All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
Recommendation Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date. |
Statement of business ethics Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors. |
Conclusion Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture. |
5.2 Potential conflicts of interest |
|
Conflicts of interest All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest. |
Recommendation Agencies should improve the way they manage conflicts of interest, particularly by:
|
Gifts and benefits While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct. |
Recommendation Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff. |
Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.
This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.
Issues | Recommendations or conclusions |
6.1 Risk management maturity |
|
All agencies have implemented risk management frameworks, but with varying levels of maturity in their application. Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence. |
Conclusion Agencies have introduced risk management frameworks and practices as required by the Treasury’s:
However, more can be done to progress risk management maturity and embed risk management in agency culture. |
6.2 Risk management elements |
|
Risk culture Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.
|
Conclusion Agencies can improve their risk culture by:
|
Risk registers and reporting Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level. |
Conclusion Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately. |
Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.
Actions for Report on Education 2017
Report on Education 2017
The Auditor-General, Margaret Crawford released her report on the results of the financial audits of agencies in the Education cluster. The report focuses on key observations and findings from the most recent audits of these agencies.
'I am pleased to report that unqualified audit opinions were issued on the financial statements for all agencies in the Education cluster', the Auditor-General said. 'The quality and timeliness of financial reporting remains strong'.
Actions for Sharing school and community facilities
Sharing school and community facilities
Schools and the community would benefit if school facilities were shared more often.
The Department of Education’s ‘Community Use of School Facilities Policy’ encourages but does not require schools to share facilities. Sharing depends heavily on the willingness of school principals and there are few incentives. There are many challenges in developing agreements with community users and there is only limited support available from the Department.
There are strategies and plans to support the sharing of facilities between schools and the wider community, but none are backed up with budgets, specific plans or timeframes.
Governments should strive for the best use of assets. This is particularly important in the context of a growing New South Wales population, fiscal constraints and increasing demand for services.
Lack of available land, rising land costs and population growth highlighted in our April 2017 'Planning for school infrastructure' performance audit report mean that new and existing schools will need to share their facilities with communities more than is currently the case.
This audit assessed how effectively schools share facilities with each other, local councils and community groups. In making this assessment, the audit examined whether the Department of Education (Department):
- has a clear policy to encourage and support facilities sharing
- is implementing evidence-based strategies and procedures for facilities sharing
- can show it is realising an increasing proportion of sharing opportunities.
Facilities sharing is the use of a physical asset, such as a building, rooms, or open spaces, by more than one group for a range of activities at the same time or at different times. For the purposes of this audit, we have divided sharing arrangements into two types: shared use and joint use.
Shared use refers to arrangements where existing school assets are hired out for non-school purposes, usually for a limited time. The assets remain under the control of the school. Generally, there is little alteration or enhancement to the asset required to enable shared use. Shared use can also refer to schools using external facilities, such as council pools, but these arrangements are not included within the scope of this audit.
Joint use refers to arrangements where new or upgraded school and non-school facilities or community hubs are planned, funded, built and jointly shared between a school and other parties, usually involving significant investment.
Both shared use and joint use agreements are governed by contractual obligations.
The sharing of school facilities with the community is not fully effective. The Department of Education is implementing strategies to increase shared and joint use but several barriers, some outside the Department’s direct control, must be addressed to fully realise benefits to students and the community of sharing school facilities. In addition, the Department needs to do more to encourage individual schools to share facilities with the community.
A collaborative, multi-agency approach is needed to overcome barriers to the joint use of facilities, otherwise, the Department may need significantly more funds than planned to deliver sufficient fit-for-purpose school facilities where and when needed.
Since the early 2000’s, several reviews in NSW and other jurisdictions have commented on the benefits of and need to increase the sharing of school facilities.
Several NSW Government strategies and plans support shared and joint use of facilities between schools and the wider community, but none are backed up with financial incentives, or specific plans with implementation timeframes. In Victoria and Queensland whole-of-government processes are in place to support a more coordinated approach to planning, building and sharing community facilities. For example, Victoria has a comprehensive policy framework encompassing both existing and future use of community facilities and a $50 million program to seed the development of community facilities on school sites over the next four years.
There are examples of successful shared use, but more can be done. Information about the available facilities is not readily available to potential community users. Schools should work more closely with councils and other stakeholders to leverage shared use.
Currently, the administrative burden, costs and risks associated with shared use can exceed the perceived benefits to schools, leading to reluctance amongst some Principals to share. In addition, a substantial backlog of school-initiated infrastructure proposals awaiting Departmental approval means that schools that raise money from sharing their facilities find it difficult to use the funds they raise on improved infrastructure. Some of these proposals have been waiting for approval for more than 12 months.
The Department could do more to support Principals by ensuring the fees charged for facilities cover the costs incurred by schools, that Principals can access help with negotiating and managing contracts, and that infrastructure proposals initiated and funded by schools are approved in a timely manner.
The Department is not monitoring shared use across the State, and does not evaluate different approaches as evidence to influence policies and procedures.
Recommendations
By December, 2018, the Department should:
- increase incentives and reduce impediments for school Principals to share school facilities, including:
- review the methodology for calculating fees charged for facilities to ensure that shared use of school facilities does not result in a financial burden to schools or the Department
- improve support provided to Principals by School Infrastructure NSW, including reducing the backlog of school-initiated infrastructure proposals awaiting approval
- develop service standards, including timeframes, for assessing and approving school-initiated infrastructure proposals.
- provide readily-accessible information about available school facilities to community groups and local councils
- implement processes to monitor and regularly evaluate the implementation of the shared use policy and promote better practice to drive improvements.
As discussed in our 2017 audit report on ‘Planning for school infrastructure’, joint use agreements are a key direction of the School Assets Strategic Plan. Joint use of school facilities will be necessary to ensure that there will be enough fit-for-purpose learning spaces for students when and where needed. Under the ‘Community Use of School Facilities Policy’ Principals play the leading role in identifying opportunities, and developing and managing agreements for sharing school facilities. This is impractical for joint use projects which involve substantial investment in new or refurbished assets, in particular for joint use projects in schools that are yet to be built. In addition, the policy does not address joint-use facilities built on land not owned by the Department. For these reasons, the Department is developing a new policy.
The Department is planning to develop joint use agreements in a more systematic way as part of school community planning, previously known as cluster planning, with a special focus on local councils. Several agreements are currently being piloted, and will be evaluated to provide an evidence-based foundation for this new approach.
To develop or refurbish school facilities for joint use, the Department, councils and other key stakeholders must work together and prioritise joint use from the earliest stages of any project. A collaborative, multi-agency approach is needed to ensure sufficient fit-for-purpose facilities are available for school students within the funding framework proposed in the School Assets Strategic Plan.
To increase shared and joint use, the Department is recruiting specialist staff in its Asset Division to assist with the brokerage, community engagement and development of agreements, but these staff are not dedicated to joint use projects and their available time may not be sufficient to provide the necessary support in the timeframes required.
Recommendations
By December, 2018, the Department of Education should:
- ensure that the implementation of the new ‘Joint Use of School Facilities and Land Policy’ is adequately resourced, and has the support of Principals
- implement processes to monitor and regularly evaluate the implementation of joint use policy and promote better practice to drive improvements.
Appendix one - Response from agency
Appendix two - About the audit
Appendix three - Victoria's 30-Year Infrastructure Strategy
Appendix four - Not-for-profit hire changes
Appendix five - Performance Auditing
Parliamentary reference - Report number #293 - released 1 November 2017
Actions for Information and Communication Technologies in schools for teaching and learning
Information and Communication Technologies in schools for teaching and learning
Several factors are reducing effective use of information and communication technology (ICT) in the classroom.
These are primarily:
Parliamentary reference - Report number #289 - released 6 July 2017
Actions for NorthConnex
NorthConnex
The processes used to assess NorthConnex adequately considered value for money for taxpayers.This report also found that the impact of tolling concessions on road users and the motorway network was consistent with policy objectives described in the 2012 NSW Long Term Transport Master Plan.
Parliamentary reference - Report number #287 - released 8 June 2017
Actions for Planning for school infrastructure
Planning for school infrastructure
The Department of Education proposes to fundamentally reform school infrastructure planning and delivery to meet the future demand for student places, and to overcome chronic under-investment for much of the last decade. To do this, it will need to spend much more than it has been receiving to date.
Parliamentary reference - Report number #284 - released 4 May 2017