Refine search Expand filter

Reports

Published

Actions for Service NSW's handling of personal information

Service NSW's handling of personal information

Premier and Cabinet
Finance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Risk
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

  • Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
  • Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
  • Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

  • to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
  • to better reflect the full scope and complexity of personal information handled by Service NSW
  • to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
  • to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

  • ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
  • ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.
By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

  • establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
  • enable partitioning and role based access restrictions to personal information collected for different programs
  • provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
  • enable customers to view the transaction history of their personal information to detect possible mishandling.
By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

  • are identified as high risk and have not previously had a privacy impact assessment
  • have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Education 2020

Education 2020

Education
Asset valuation
Compliance
Financial reporting
Fraud
Information technology
Internal controls and governance
Management and administration
Procurement

The Auditor-General for New South Wales, Margaret Crawford, released a report today titled Education 2020. This report focuses on key observations and findings from the most recent audits of agencies in the Education cluster.

Unqualified audit opinions were issued for all cluster agencies’ financial statements. However, internal control deficiencies were identified across the cluster agencies, including deficiencies in the management of purchasing cards and 15 internal control issues that were repeated from the previous year.

The 2019–20 natural disasters caused widespread damage in both Northern and Southern NSW. The COVID‑19 pandemic further challenged agencies, requiring social distancing and other infection control measures which disrupted the traditional means of teaching students. Agencies have adjusted their operations to respond to these emergency events.

The TAFE Commission’s revenues 2019–20 were impacted by the pandemic. Lower enrolments and an increase in fee-free short courses offered during the year contributed to the result.

Read the PDF report

This report analyses the results of our audits of financial statements of entities within the Education cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.

1. Financial reporting 

Audit opinions Unqualified audit opinions were issued for all cluster agencies' 30 June 2020 financial statements audits.
New accounting standards

Agencies implemented three new accounting standards during the year.

Our financial statement audits of the Department of Education (the Department) and NSW Education Standards Authority (NESA) identified issues with the leasing information provided by Property NSW (PNSW). Despite the outsourcing arrangement, both the Department and NESA remain ultimately responsible for the completeness and accuracy of this information, which would have benefited from a more thorough quality assurance, validation and review process before they placed reliance upon it.

Recommendation:

We recommend the Department and NESA:

  • quality assure and validate the information provided by PNSW
  • ensure changes made by PNSW to lease data are supported and that assumptions and judgements applied are appropriate
  • document their review of the data supplied.
Changes were made to the financial reporting requirements this year to account for the impact of the pandemic

Emergency legislation was enacted during the year in response to the COVID-19 pandemic. The legislation revised the statutory reporting deadlines for agencies to submit their financial statements and allowed the Treasurer to continue authorising payments from the consolidated fund until the enactment of the 2020–21 budget.

All cluster agencies prepared their financial statements on a going concern basis and submitted their financial statements within the revised statutory deadlines.

The State provided $159.0 million in stimulus funding to support the operations of cluster agencies during emergency events. Nearly half of this funding was to support cleaning activities by the Department and the Technical and Further Education Commission (the TAFE Commission) during the COVID-19 pandemic.

Quality and timeliness of financial reporting

The number of monetary misstatements identified in agencies' financial statements decreased to 14 (23 in 2018–19).

While the number of corrections made to the financial statements after the submission date increased to eight (two in 2018–19), it is important to note these corrections provide parliament and other users of the financial statements increased confidence in the accuracy and presentation of agencies' performance and financial position.

Sustainability of cluster agencies The TAFE Commission's enrolments declined, and operating margins reduced, both being impacted by the COVID-19 pandemic.

2. Audit observations

Internal control deficiencies

We identified 33 internal control issues, including 15 findings that were repeated from previous years.

A high-risk issue was reported at the Department relating to the inadequate monitoring and follow up of privileged user activity in its enterprise resource planning system – SAP.

Repeat findings relate to ongoing deficiencies in information technology controls and management policies, practices and procedures.

Recommendation:

Cluster agencies should:

  • prioritise and action recommendations to address internal control deficiencies
  • review and confirm the appropriateness of existing privileged user access accounts
  • implement a rigorous monitoring regime to ensure that any improper use of privileged user accounts can be detected in a timely manner.
Agency responses to emergency events

The Department established a separate bushfire relief directorate and COVID-19 Taskforce to assist and support school communities in response to recent emergencies.

Other cluster agencies have established committees or response teams to oversee and address all aspects of the impact of COVID-19.

Schools review 2019 We continue to identify instances of non-compliance in relation to cash management and procurement at schools.
Use of purchasing cards at the Department of Education

Since 2015, the NSW Government has encouraged the use of purchasing cards by public sector agencies. Purchasing cards are efficient to transact low value, high volume procurement of goods and services, but the use must be effectively monitored.

Our review of the Department's purchasing cards identified weaknesses in its oversight and monitoring controls, including the issue and cancellation of purchasing cards

Opportunities exist for the Department to better monitor card use. Tools such as data analytics are an efficient and effective detective control to identify irregular activity or misuse by cardholders.

Recommendation:

The Department should:

  • improve the accuracy and completeness of exit procedures for terminated employees to ensure cards are returned and cancelled
  • perform periodic reviews to ensure active cards are held only by current employees
  • set transaction limits that do not exceed the limits of the user’s financial delegation
  • establish a data analytics regime to help analyse and identify high risk patterns and anomalies in their purchasing card usage, augmenting their existing monitoring and detective controls.

 

This report provides parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations
  • the impact of emergencies and the COVID-19 pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:

  • allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – supporting the going concern assessments of cluster agencies
  • revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
  • exempted certain statutory bodies and departments from preparing financial statements.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster for 2020, including any financial implications from the recent emergency events.

Section highlights 

Unqualified audit opinions were issued on the financial statements of cluster agencies.

All cluster agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements.
 
Emergency legislation allowing the Treasurer to continue authorising payments from the consolidated fund under the existing Appropriations Act enabled cluster agencies to prepare financial statements on a going concern basis.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

  • observations and insights from our financial statement audits of agencies in the Education cluster. It also comments on our review of elements of the financial control framework applied by schools in NSW whose financial results form part of the Department of Education's (the Department) financial statements.
  • assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Section highlights

  • A high-risk issue regarding inadequate monitoring of privileged user access was identified at the Department.
  • We continue to observe issues by schools in relation to cash management and non-compliance with procurement guidelines and purchasing card use.
  • Opportunities exist for the Department and cluster agencies to enhance their monitoring and review of purchasing card activities. Tools such as data analytics procedures provide an efficient and effective detective control, particularly when used in conjunction with independent spot-checks.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 and 2018 recommendations

Appendix three – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Planning, Industry and Environment 2019

Planning, Industry and Environment 2019

Planning
Industry
Environment
Asset valuation
Cyber security
Financial reporting
Information technology
Infrastructure
Internal controls and governance
Management and administration
Service delivery
Workforce and capability

This report outlines the results of audits of the financial statements of agencies now grouped in the NSW Planning, Industry and Environment cluster.

Unqualified audit opinions were issued for 56 of the 66 cluster agencies’ 30 June 2019 financial statements. Ten audits remain incomplete. The cluster agencies need to improve the timeliness of financial reporting. 

The Audit Office continued to identify issues regarding unprocessed Aboriginal land claims and the recognition of Crown land. ‘Auditor-General’s reports to parliament have recommended action to reduce the level of unprocessed land claims since 2007. However, the number of unprocessed claims continued to increase’, Margaret Crawford said.

One in five internal control findings were repeat issues. Key themes included information technology, asset management and improvements required to expense and payroll controls.

The report makes several recommendations including:

  • Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019
  • the Department of Planning, Industry and Environment should prioritise action to reduce unprocessed Aboriginal land claims
  • the Department of Planning, Industry and Environment should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

Creation of the Planning, Industry and Environment cluster

The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The Department of Planning, Industry and Environment is still in the process of implementing changes

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

2. Financial reporting

Audit opinions Unqualified audit opinions were issued for 56 of the 66 cluster agencies' 30 June 2019 financial statements audits. Ten financial statements audits are still ongoing.
Timeliness of financial reporting

Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline.

Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.

Introduction of AASB 16 'Leases'

We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods.

We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records.

Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.

Unprocessed Aboriginal land claims have continued to increase

Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007.

Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

3. Audit observations

Internal controls

One in five internal control issues identified and reported to management in 2018–19 were repeat issues.

The lack of user access review was the most common IT general control issue in the cluster.

Drought relief

The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place.

Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.

Recognition of Crown land

Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19.

Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

Developer contributions The former DPE continued to accumulate more developer contributions revenues than it spent on infrastructure projects. Total unspent funds increased to $274 million at 30 June 2019.

 

This report provides parliament and other users of the Planning, Industry and Environment cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

This cluster was created by the Machinery of Government changes on 1 July 2019. This report is focused on agencies in the Planning, Industry and Environment cluster from 1 July 2019. However, these agencies were all in other clusters during 2018–19. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes are where the government reorganises these structures and functions that are given effect by Administrative orders.

The MoG changes, announced following the NSW State election on 23 March 2019, created the Planning, Industry and Environment (PIE) cluster. The Administrative Changes Orders issued on 2 April 2019, 1 May 2019 and 28 June 2019 gave effect to these changes. These orders became effective on 1 July 2019.

Section highlights

The 2019 MoG changes significantly impacted the former Planning and Environment, and Industry clusters and agencies.

  • The PIE cluster combines most of the functions and agencies of the former Planning and Environment and Industry clusters from 1 July 2019.
  • The Department of Planning, Industry and Environment is the principal agency in the PIE cluster.
  • The MoG changes bring risks and challenges to the PIE cluster.
  • A MoG Steering Committee was established to oversee the transitional processes.
  • The full integration of the systems and processes will not be completed in the near future.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

  • Unqualified audit opinions were issued for all completed 30 June 2019 financial statements audits. However, some cluster agencies can further enhance the quality of financial reporting.
  • Timeliness of financial reporting remains an issue for 13 agencies.
  • Deficiencies were identified in the data used to calculate the impact of AASB 16 ‘Leases’ effective from 1 July 2019. Property NSW should urgently address these deficiencies.
  • Unprocessed Aboriginal land claims continue to increase. DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our audit observations and insights from our financial statement audits of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Section highlights

  • One in five issues identified and reported to management in 2018–19 were repeat issues.
  • The lack of user access review was the most common IT general control issue in the PIE cluster.
  • The PIE cluster provided significant financial assistance for drought relief.
  • There continues to be significant deficiencies in Crown land records. The DPIE should ensure the Crown land database is complete and accurate.
  • Unspent developer contributions funds continued to build up in 2018–19. 

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Cluster agencies

Appendix four – Financial data

Appendix five – Management letter findings

Appendix six – Timeliness of financial reporting

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Education 2019

Education 2019

Education
Financial reporting
Information technology
Internal controls and governance
Management and administration
Shared services and collaboration
Workforce and capability

This report focuses on key observations and findings from the most recent financial audits of agencies in the Education cluster. From 1 July 2019, the Technical and Further Education Commission, the NSW Skills Board and the functions and activities associated with vocational training and skills form part of the Education cluster.

Unqualified audit opinions were issued for all cluster agencies’ financial statements. However, internal control deficiencies were identified across the cluster agencies, including 14 findings that were repeated from the previous year. Control deficiencies were also identified in a sample of the state’s 2,200 schools. Schools did not always apply the guidance in the Department of Education's ‘Finance in Schools Handbook’, resulting in control weaknesses in key areas such as governance, cash management and procurement.

'In addition, we continue to observe inconsistencies in the employee leave data reported from the Department of Education’s payroll system, which impact the reliability of estimates of the Department’s liability for employee benefits. The robustness of the Department's quality assurance over leave liability data should be improved', the Auditor-General said.

Download the Education 2019 report (PDF)

This report analyses the results of our audits of financial statements of entities within the Education cluster for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

The Education cluster has expanded From 1 July 2019, the Technical and Further Education Commission, the NSW Skills Board and the functions and activities associated with vocational training and skills now form part of the Education cluster.

2. Financial reporting

Audit opinions

Unqualified audit opinions were issued for all cluster agencies' 30 June 2019 financial statements audits.

The number of corrections to disclosures in the financial statements, which increased this year, could have been reduced by a more thorough quality assurance over the information underpinning the financial statements.

Recommendation: Cluster agencies should improve their quality assurance processes for financial reporting to improve the accuracy of financial statements presented for audit.

Preparedness for new accounting standards

Agencies will implement four new accounting standards shortly. Three are effective from 1 July 2019 and the fourth is effective from 1 July 2020. Cluster agencies needed to do more work on their impact assessments to better prepare for their implementation from 1 July 2019.

Recommendation: Cluster agencies should finalise their plans to implement the new accounting standards as soon as possible.

Timeliness of financial reporting

All cluster agencies met the statutory deadline for completing early close procedures and submitting their financial statements for audit.

The Department of Education (the Department) delays tabling its financial statements in parliament so it can report its operational outcomes, which are aligned to the calendar year, in a single report. This reduces transparency over the Department's financial statements as they are tabled more than ten months after the end of the financial year.

Recommendation: The Department should table its financial statements in parliament earlier, in line with other NSW Government agencies.

Inconsistencies in the employee leave data We continue to observe inconsistencies in the employee leave data reported from the Department’s payroll system, which impacts the reliability of estimates of the Department's liability for employee benefits. The robustness of the Department's quality assurance over leave liability data should be improved.

3. Audit observations

Internal control deficiencies

We identified 55 internal control issues, including 14 findings that were repeated from the previous year.

Issues were identified with user access administration, segregation of duties in the Department's key application system and timely preparation and review of key reconciliations.

Recommendation: Cluster agencies should prioritise and action recommendations to address internal control weaknesses.

Schools review 2018

Our review of a selection of NSW schools identified deficiencies in how they applied the Department of Education's ‘Finance in Schools Handbook’, resulting in control weaknesses in key areas such as governance, cash management and procurement.

Recommendation: The Department should ensure all schools apply the Department’s ‘Finance in Schools Handbook’ as it is a key internal control.

 

This report provides parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

This cluster was significantly impacted by the Machinery of Government changes. The Technical and Further Education Commission and the NSW Skills Board, part of the former Industry cluster, were transferred on 1 July 2019. This report focuses on agencies in the Education cluster from 1 July 2019. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government refers to how the government organises the structures and functions of the public service. Machinery of Government changes are where the government reorganises these structures and functions, and the changes are given effect by Administrative Arrangements Orders.

Section highlights

The 2019 Machinery of Government changes significantly impacted the Education cluster. From 1 July 2019, the functions and activities associated with the administration of legislation allocated to the Minister for Skills and Tertiary Education were transferred from the former Industry cluster to the Education cluster. Aboriginal Affairs NSW was transferred from the Department of Education (the Department) to the Department of Premier and Cabinet.

The Department is the principal agency in the cluster. The Machinery of Government changes bring new responsibilities, risks and challenges to the cluster.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster for 2019.

Section highlights

Unqualified audit opinions were issued on the financial statements of cluster agencies. However, a more thorough quality review process of the financial statements submitted for audit would help reduce the number of corrections to those statements.

All cluster agencies met the statutory deadlines for completing the early close procedures and submitting the financial statements.

We continue to observe inconsistencies in the employee leave data reported from the Department of Education’s (the Department) payroll system. The robustness of the Department's quality assurance over leave liability data should be improved.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Education cluster. It also comments on our review of the financial control framework applied by 70 schools in NSW whose financial results form part of the Department of Education's (the Department) financial statements.

Section highlights

  • Audit Office management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues. The 2018–19 financial audits of cluster agencies identified 55 internal control issues, including 14 that were carried forward from the previous year.
  • Application controls are procedures that operate at a business process level designed to ensure the integrity of accounting records. The Department can mitigate the risk of fraud or error in preparing its financial statements if segregation of duties are appropriately configured in their key application system.
  • Our review of a selection of schools across NSW identified deficiencies in how schools apply the Department’s financial management practices and governance arrangements.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Cluster agencies

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Internal Controls and Governance 2019

Internal Controls and Governance 2019

Education
Community Services
Finance
Health
Industry
Justice
Planning
Premier and Cabinet
Transport
Treasury
Whole of Government
Compliance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Procurement
Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

  • financial controls
  • information technology controls
  • gifts and benefits
  • internal audit
  • contingent labour
  • sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

  • out of date policies or an absence of policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers
  • policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

  • user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
  • an absence of privileged user activity reviews at 35 per cent of agencies
  • password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

  • ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
  • establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
  • providing on-going training, awareness activities and support to employees, not just at induction
  • publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.
Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

  • the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
  • the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.
Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

  • preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
  • involving agency human resources units in decisions about engaging contingent labour
  • regularly reporting on contingent labour use and tenure to agency executive teams
  • strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

  • identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
  • assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.
Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

 

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

  • highlighting the potential risks posed by weaknesses in controls and governance processes
  • helping agencies benchmark the adequacy of their processes against their peers
  • focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

  • internal control trends
  • information technology controls, including access to agency systems
  • protecting sensitive information held within agencies
  • managing large and diverse workforces (controls around employing and managing contingent workers)
  • maintaining an ethical culture (management of gifts and benefits)
  • effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.
 
Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.
 
We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
  • out of date policies or an absence of policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings
Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.
IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.
Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits. 

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

  • ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
  • establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
  • updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
  • providing on-going training, awareness activities and support to employees, not just at induction
  • regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
  • publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings 

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including: 

  • documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
  • ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
  • involving the CAE more extensively in executive forums as an observer
  • documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
  • reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include: 

  • preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
  • involving agency human resources units in decisions about engaging contingent labour
  • regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
  • strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Key areas where agencies can improve their management of sensitive data include:

  • identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
  • assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
  • developing comprehensive data breach management policies to ensure data breaches are appropriately managed
  • maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
  • providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations 

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Ensuring teaching quality in NSW public schools

Ensuring teaching quality in NSW public schools

Education
Management and administration
Regulation
Service delivery
Workforce and capability

The Auditor-General for New South Wales, Margaret Crawford, has released a report on how the New South Wales Education and Standards Authority (NESA) and the Department of Education (the Department) ensure teaching quality in NSW public schools.

Around 2,200 NSW public school principals are responsible for accrediting their teachers in line with the Australian Professional Standards for Teachers. The report found that NESA does not oversight principals’ decisions to ensure that minimum standards for teaching quality are consistently met.

The Department does not effectively monitor teaching quality across the state. With limited data, it is difficult for the Department to ensure its strategies to improve teaching quality are appropriately targeted to improve teaching quality.

The Department’s Performance and Development Framework does not adequately support principals and supervisors to effectively manage and improve teacher performance or actively improve teaching quality. The Department manages those teachers formally identified as underperforming through teacher improvement programs. Only 53 of over 66,000 teachers employed by the Department were involved in these programs in 2018.

The report makes three recommendations towards NESA to improve accreditation processes, and four recommendations to the Department to improve its systems and processes for ensuring teaching quality across the State.

Australian research has shown that quality teaching is the greatest in-school influence on student engagement and outcomes, accounting for 30 per cent of the variance in student performance. An international comparative study of 15-year-old students showed the performance of New South Wales students in reading, mathematics and science has declined between 2006 and 2015.

The Australian Professional Standards for Teachers (the Standards) describe the knowledge, skills and understanding expected of effective teachers at different career stages. Teachers must be accredited against the Standards to be employed in NSW schools. The NSW Education Standards Authority (NESA) is responsible for ensuring all teachers in NSW schools are accredited. As part of the accreditation process the NSW Department of Education (The Department) assesses whether public school teachers meet proficient accreditation standards and advises NESA of its decisions.

The School Excellence Framework provides a method for the Department to monitor teaching quality at a school level across four elements of effective teaching practice. The Performance and Development Framework provides a method for teachers and their supervisors to monitor and improve teaching quality through setting professional goals to guide their performance and development.

The Department has a strategic goal that every student, every teacher, every leader and every school improves every year. In line with this goal, the Department has a range of strategies targeted to improving teaching quality at different career stages. These include additional resources to support new teachers, a program to support teachers to gain higher-level accreditation, support for principals to manage underperforming teachers, and a professional learning program where teachers observe and discuss each other's practice.

The objective of this audit was to assess the effectiveness of the NSW Department of Education's and the NSW Education Standards Authority's arrangements to ensure teaching quality in NSW public schools. To address this objective, the audit examined whether:

  • agencies effectively monitor the quality of teaching in NSW public schools
  • strategies to improve the quality of teaching are planned, communicated, implemented and monitored well.
The NSW Education Standards Authority does not oversight principals’ decisions to accredit teachers as proficient. This means it is not ensuring minimum standards for teaching quality are consistently met.
NESA does not have a process to ensure principals’ decisions to accredit teachers are in line with the Standards. The decision to accredit teachers is one of the main ways to ensure teaching quality. In New South Wales public schools, around 2,200 principals are tasked with making decisions to accredit their teachers as proficient. NESA provides training and guidelines for principals to encourage consistent accreditation decisions but regular turnover of principals makes it difficult to ensure that all principals are adequately supported. NESA has more oversight of provisional and conditional accreditation for beginning teachers, as well as higher-level accreditation for highly effective teachers. That said, there are only limited numbers of teachers with higher-level accreditation across the state.
The Department of Education does not effectively monitor teaching quality at a system level. This makes it difficult to ensure strategies to improve teaching quality are appropriately targeted.
The Department is not collecting sufficient information to monitor teaching quality across the state. No information on teacher assessment against the Performance and Development Framework is collected centrally. Schools self-assess their performance against the School Excellence Framework but this does not assess teaching quality for all teachers. The Department also surveys students about their experiences of teaching quality but schools opt-in to this survey, with 65 per cent of public schools participating in 2018. These factors limit the ability of the Department to target efforts to areas of concern.
We examined five key strategies that support the critical parts of a teacher’s career. Most strategies were based on research and consultation, planned, trialled, reviewed and adjusted before wider rollout. Guidance and training is provided to communicate requirements and help schools implement strategies at a local level. Monitoring of strategies implemented at a local level is variable. We identified several instances where Quality Teaching, Successful Students funding was used outside guidelines. Two strategies have not yet been evaluated, which prevents the Department from determining whether they are having the desired impact.
The Performance and Development Framework is not structured in a way that supports principals and supervisors to actively improve teacher performance and teaching quality.
There is limited opportunity for supervisors to set goals, conduct observations of teaching practice, or provide constructive written feedback on a teacher’s progress towards achieving their goals under this framework. Guidance on how to use the Standards to construct quality goals, observe teaching practice and provide valuable feedback is also insufficient. The framework focuses on teachers’ self-identified development goals but there is no requirement to align these with the Standards. These limitations reduce the ability of supervisors to use this framework to effectively manage teacher performance and improve teaching quality.
The Department manages those teachers formally identified as underperforming through teacher improvement programs. Only 53 of over 66,000 teachers employed by the Department were involved in these programs in 2018. By comparison, a report on inspections conducted in the United Kingdom assessed the quality of teaching as ‘inadequate’ in three per cent of schools.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary Reference: Report number #327 - released 26 September 2019

36

Published

Actions for Ensuring contract management capability in government - Department of Education

Ensuring contract management capability in government - Department of Education

Education
Compliance
Internal controls and governance
Management and administration
Procurement
Workforce and capability

This report examines whether the Department of Education has the required contract management capability to effectively manage high-value goods and services contracts (over $250,000). In 2017–18, the department managed high-value goods and services contracts worth $3.08 billion, with most of the contracts running over multiple years.

NSW government agencies are increasingly delivering services and projects through contracts with third parties. These contracts can be complex and governments face challenges in negotiating and implementing them effectively.

Contract management capability is a broad term, which can include aspects of individual staff capability as well as organisational capability (such as policies, frameworks and processes).

In 2017–18, the Department of Education (the Department) managed high-value (over $250,000) goods and services contracts worth $3.08 billion, with most of the contracts running over multiple years. The Department delivers, funds and regulates education services for NSW students from early childhood to secondary school.

This audit examined whether the Department has the required capability to effectively manage high-value goods and services contracts.

We did not examine infrastructure, construction or information communication and technology contracts. We assessed the Department against the following criteria:

  1. The Department’s policies and procedures support effective contract management and are consistent with relevant frameworks, policies and guidelines.
  2. The Department has capable personnel to effectively conduct the monitoring activities throughout the life of the contract.

The NSW Public Service Commission and the Department of Finance, Services and Innovation are included as auditees as they administer policies which directly affect contract management capability, including:

  • NSW Procurement Board Directions and policies
  • NSW Procurement Agency Accreditation Scheme
  • NSW Public Sector Capability Framework.

The Department of Finance, Services and Innovation's responsibility for NSW Procurement will transfer to NSW Treasury on 1 July 2019 as part of changes to government administrative arrangements announced on 2 April 2019 and amended on 1 May 2019.

Conclusion

The Department of Education's procedures and policies for goods and services contract management are consistent with relevant guidance. It also has a systemic approach to defining the capability required for contract management roles. That said, there are gaps in how well the Department uses this capability to ensure its contracts are performing. We also found one program (comprising 645 contracts) that was not compliant with the Department's policies.

The Department has up-to-date policies and procedures that are consistent with relevant guidance. The Department also communicates changes to procurement related policies, monitors compliance with policies and conducts regular reviews aiming to identify non-compliance.

The Department uses the NSW Public Service Commission's capability framework to support its workforce management and development. The capability framework includes general contract management capability for all staff and occupation specific capabilities for contract managers. The Department also provides learning and development for staff who manage contracts to improve their capability.

The Department provides some guidance on different ways that contract managers can validate performance information provided by suppliers. However, the Department does not provide guidance to assist contract managers to choose the best validation strategy according to contract risk. This could lead to inconsistent practice and contracts not delivering what they are supposed to.

We found that none of the 645 contracts associated with the Assisted Schools Travel Program (estimated value of $182 million in 2018–19) have contract management plans. This is contrary to the Department's policies and increases the risk that contract managers are not effectively reviewing performance and resolving disputes.

Appendix one - Response from agencies

Appendix two - About the audit

Appendix three - Performance auditing

 

Parliamentary Reference: Report number #325 - released 28 June 2019

Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Engagement of probity advisers and probity auditors

Engagement of probity advisers and probity auditors

Transport
Education
Health
Compliance
Internal controls and governance
Procurement
Project management
Workforce and capability

Three key agencies are not fully complying with the NSW Procurement Board’s Direction for engaging probity practitioners, according to a report released today by the Acting Auditor-General for New South Wales, Ian Goodwin. They also do not have effective processes to achieve compliance or assure that probity engagements achieved value for money.

Probity is defined as the quality of having strong moral principles, honesty and decency. Probity is important for NSW Government agencies as it helps ensure decisions are made with integrity, fairness and accountability, while attaining value for money.

Probity advisers provide guidance on issues concerning integrity, fairness and accountability that may arise throughout asset procurement and disposal processes. Probity auditors verify that agencies' processes are consistent with government laws and legislation, guidelines and best practice principles. 

According to the NSW State Infrastructure Strategy 2018-2038, New South Wales has more infrastructure projects underway than any state or territory in Australia. The scale of the spend on procuring and constructing new public transport networks, roads, schools and hospitals, the complexity of these projects and public scrutiny of aspects of their delivery has increased the focus on probity in the public sector. 

A Procurement Board Direction, 'PBD-2013-05 Engagement of probity advisers and probity auditors' (the Direction), sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets, but that agencies:

  • should use external probity practitioners as the exception rather than the rule
  • should not use external probity practitioners as an 'insurance policy'
  • must be accountable for decisions made
  • cannot substitute the use of probity practitioners for good management practices
  • not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent. 

The scale of probity spend may be small in the context of the NSW Government's spend on projects. However, government agencies remain responsible for probity considerations whether they engage external probity practitioners or not.

The audit assessed whether Transport for NSW, the Department of Education and the Ministry of Health:

  • complied with the requirements of ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’
  • effectively ensured they achieved value for money when they used probity practitioners.

These entities are referred to as 'participating agencies' in this report.

We also surveyed 40 NSW Government agencies with the largest total expenditures (top 40 agencies) to get a cross sector view of their use of probity practitioners. These agencies are listed in Appendix two.

Conclusion

We found instances where each of the three participating agencies had not fully complied with the requirements of the NSW Procurement Board Direction ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’ when they engaged probity practitioners. We also found they did not have effective processes to achieve compliance or assure the engagements achieved value for money.

In the sample of engagements we selected, we found instances where the participating agencies did not always:

  • document detailed terms of reference
  • ensure the practitioner was sufficiently independent
  • manage probity practitioners' independence and conflict of interest issues transparently
  • provide practitioners with full access to records, people and meetings
  • establish independent reporting lines   reporting was limited to project managers
  • evaluate whether value for money was achieved.

We also found:

  • agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners
  • the NSW Procurement Board does not effectively monitor agencies' compliance with the Direction's requirements. Our enquiries revealed that the Board has not asked any agency to report on its use of probity practitioners since the Direction's inception in 2013. 

There are no professional standards and capability requirements for probity practitioners

NSW Government agencies use probity practitioners to independently verify that their procurement and asset disposal processes are transparent, fair and accountable in the pursuit of value for money. 

Probity practitioners are not subject to regulations that require them to have professional qualifications, experience and capability. Government agencies in New South Wales have difficulty finding probity standards, regulations or best practice guides to reference, which may diminish the degree of reliance stakeholders can place on practitioners’ work.

The NSW Procurement Board provides direction for the use of probity practitioners

The NSW Procurement Board Direction 'PBD-2013-15 for engagement of probity advisers and probity auditors' outlines the requirements for agencies' use of probity practitioners in the New South Wales public sector. All NSW Government agencies, except local government, state owned corporations and universities, must comply with the Direction when engaging probity practitioners. This is illustrated in Exhibit 1 below.

Published

Actions for Wellbeing of secondary school students

Wellbeing of secondary school students

Education
Management and administration
Service delivery
Shared services and collaboration
Workforce and capability

The Department of Education has a strong focus on supporting secondary school students’ wellbeing. However, it is difficult to assess how well the Department is progressing as it is yet to measure or report on the outcomes of this work at a whole-of-state level.

The Department of Education’s (the Department) purpose is to prepare young people for rewarding lives as engaged citizens in a complex and dynamic society. The Department commits to creating quality learning opportunities for children and young people, including a commitment to student wellbeing, which is seen as directly linked to positive learning outcomes. Wellbeing is defined broadly by the Department as “the quality of a person’s life…It is more than the absence of physical or psychological illness”. Student wellbeing can be supported by everything a school does to enhance a student's learning—from curriculum to teacher quality to targeted policies and programs to whole-school approaches to wellbeing.

Several reforms have aimed to support student wellbeing in recent years. 'Local Schools, Local Decisions' gave NSW schools more local authority to make decisions, including schools' approaches to support student wellbeing. In 2016, the 'Supported Students, Successful Students' initiative provided $167 million over four years to support the wellbeing of students. From 2018, the 'Every Student is Known, Valued and Cared For' initiative provides a principal led mentoring program, and a website with policies, procedures and resources to support student wellbeing.

This audit assessed how well the Department of Education supports secondary schools to promote and support the wellbeing of their students and how well secondary schools are promoting and supporting the wellbeing of their students.

Conclusion

The Department has implemented a range of programs and reforms aimed at supporting student wellbeing. However, the outcomes of this work have yet to be measured or reported on at a system level, making it difficult to assess the Department's progress in improving student wellbeing.

Secondary schools have generally adopted a structured approach to deliver wellbeing support and programs, using both Department and localised resources. The approaches have been tailored to meet the needs of their school community. That said, public reporting on wellbeing improvement measures via annual school reports is of variable quality and needs to improve.

The Department’s wellbeing initiatives are supported by research and consultation, but outcomes have not been reported on

The Department’s development of wellbeing policy, guidance, tools and resources has been transparent, consultative and well researched. It has drawn on international and domestic evidence to support its aim to deliver a fundamental shift from welfare to wellbeing at the school and system level.

However, the key performance indicator to monitor and track progress in wellbeing has yet to be reported on despite the strategic plan including this as a priority for the period 2018 to 2022. This includes not yet reporting a baseline for the target, nor how it will be measured.

The Department’s wellbeing resources are mostly well targeted but there is room for improvement

The Department’s allocation of resources to deliver wellbeing initiatives in schools is mostly well targeted, reflects a needs basis and supports current strategic directions. This could be improved with some changes to formula allocations and clearer definitions of the resourcing required for identified wellbeing positions in schools. The workforce modelling for forecasting supply and demand, specifically for school counsellors and psychologists, needs to separately identify these positions as they are currently subsumed in general teacher numbers.

Schools' reporting on wellbeing improvement measures is of variable quality and needs to improve

Schools we visited demonstrated a variety of approaches to wellbeing depending on their local circumstances and student populations. They make use of Department policies, guidelines, and resources, particularly mandatory policies and data collections, which have good compliance and take-up at school level. Professional learning supports specific wellbeing initiatives and online systems for monitoring and reporting have contributed to schools’ capacity and capabilities.

Schools report publicly on wellbeing improvement measures through annual school reports but this reporting is of variable quality. The Department plans to improve the capability of schools in data analysis and we recommend that this include the setting and evaluation of improvement targets for wellbeing.

The implementation of the 2015 Wellbeing Framework in schools is incomplete and the Department has not effectively prioritised and consolidated tools, systems and reporting for wellbeing

Schools' take up of the 2015 Wellbeing Framework is hindered by it not being linked to the school planning and reporting policy and tools—the School Excellence Framework. At some schools we visited, this disconnect has led to a lack of knowledge and confidence in using it in schools. The Department has identified the need to improve alignment of policies, frameworks and plans and has commenced work on this.

We found evidence of overburdening in schools for addressing student wellbeing—in the number of tools, online systems for information collection, and duplication in reporting. Following the significant reforms of recent years, the Department should consolidate its efforts by reinforcing existing effective programs and systems and addressing identified gaps and equity issues, rather than introducing further change for schools. In particular, methods and processes for complex case coordination need improvement.

The NSW Department of Education commits to creating quality learning opportunities for students. This includes strengthening students’ physical, social, emotional and spiritual development. The Department sets out to enable students to be healthy, happy, engaged and successful.

Welfare and wellbeing

The Department’s approach has significantly shifted from student welfare to wellbeing of the whole child and young person. Wellbeing is defined in departmental policy and strategy documents broadly, and as directly linked to learning and positive learning outcomes. “Wellbeing can be described as the quality of a person’s life…It is more than the absence of physical or psychological illness…Wellbeing, or the lack of it, can affect a student’s engagement and success in learning…”

Student wellbeing can be supported by everything a school does to enhance a student's learning—from curriculum to teacher quality to targeted policies and programs to whole-school approaches to wellbeing. Distinctions between wellbeing and welfare in the school context are outlined below.

Exhibit 1: Welfare and wellbeing
Welfare Wellbeing
Operates from a basis of student need and doesn't always take into account a whole child view. For all students.
Rather than building on the strengths of students, operates from a deficit model of individual student problems or negative behaviours. Goes beyond just welfare needs of a few students and aims for all students to be healthy, happy, successful and productive individuals who are active and positive contributors to the school and society in which they live.

Source: Department of Education 2018 'Wellbeing is here' presentation.

Published

Actions for Supply of secondary teachers in STEM-related disciplines

Supply of secondary teachers in STEM-related disciplines

Education
Management and administration
Service delivery
Workforce and capability

The NSW Department of Education’s plans and strategies to respond to the demand for secondary teachers in STEM-related disciplines are limited by incomplete data and underperforming scholarship and sponsorship program. The Department does not collect sufficient information to monitor what disciplines teachers actually teach nor does it predict supply and demand for teachers by discipline and location. This restricts the Department’s ability to track and forecast the supply and demand for secondary teachers in STEM-related disciplines.

In recent years, Australian and international education policy has focused on improving outcomes in Science, Technology, Engineering and Mathematics (STEM) subjects. However, research has identified a shortage of qualified secondary teachers in STEM-related disciplines 1. This is projected to worsen due to a combination of student population increases, an ageing workforce, and fewer people going into teaching. Shortfalls are likely to be more acute in rural and remote areas, and areas of low socio-economic status.

The Department of Education (the Department) has a variety of strategies to encourage teachers to practise in locations or disciplines of need. These include scholarships for tertiary students going into teaching, sponsorships for teachers seeking approval to teach additional disciplines, and incentives to attract teachers to rural and remote locations. 

This audit assessed the effectiveness of the Department's workforce plans and strategies in responding to the demand for secondary teachers in STEM-related disciplines. We assessed:

  • how well the Department tracks the supply and demand for secondary teachers in STEM-related disciplines across NSW
  • whether the Department has effective strategies to attract and retain secondary teachers in STEM-related disciplines.
Conclusion
There are two key shortcomings that fundamentally limit the effectiveness of the Department's plans and strategies to respond to the demand for secondary teachers in STEM-related disciplines. First, the Department is not accurately tracking the supply and demand for secondary teachers by discipline due to incomplete data. Second, not all scholarship and sponsorship places are allocated and many scholars withdraw from the programs before completion. The Department has recognised and started to address these problems with a new workforce model, revised incentives and scholarship programs. 

The Department’s current workforce planning model does not provide the information needed to target workforce plans and strategies to areas of need. This is because it does not predict supply and demand for teachers by discipline and location. An internal review in 2017 acknowledged the limitations of this model. In response the Department developed a new model, which it is currently enhancing, to predict supply and demand for teachers by discipline and location. For this to be successful, the Department needs to monitor the level of out-of-field teaching and improve data on the willingness of teachers to work in particular locations. 

The Department does not allocate all available scholarship and sponsorship places and around 30 per cent of recipients do not complete the term of their agreement. An internal review in 2017 highlighted that some programs were not targeting workforce need and that there were no key performance indicators to determine the overall effectiveness of these programs. However, scholarship programs and incentives are promoted well through social media and face-to-face events at Universities. Further, the Department has used findings from internal reviews of incentives and scholarships in 2016 and 2017 to inform recent changes to programs. 

The Department has little oversight of access to practicum placements for pre-service teachers in areas of need. Professional experience agreements were established with each University in 2015 to improve the placement process for disciplines of need. Initial teacher education students must complete several ‘practicum placements’ before they can be qualified to teach in a school. Several universities we consulted reported difficulties finding practicum placements for pre-service teachers specialising in STEM-related disciplines. The Department is now revising the agreements to improve the quality of data it collects on the number, location and subject area of practicum placements. 

1 Australian Council for Educational Research 2015, The teacher workforce in Australia - supply, demand and data issues.

 

The Department is not accurately tracking the supply and demand for secondary teachers by discipline due to incomplete data. 

The Department’s current workforce planning model does not accurately predict supply and demand for teachers by discipline and location. An internal review in 2017 acknowledged the limitations of this model. In response the Department developed a new model which it is currently enhancing to address the findings of the review. For this model to be successful, the Department needs to monitor the level of out-of-field teaching and improve data on the willingness of teachers to work in particular locations. Further work also needs to be undertaken to refine the assumptions that underpin the Department’s workforce planning models as it starts to predict the need for teachers by discipline.

The Department has not publicly reported on the supply and demand for teachers by discipline since 2015. While it does report annually on its current workforce profile, this information is not detailed enough to inform future strategies or programs. More detailed public reporting may help the Department to influence the future supply of teachers by communicating its projected areas of need. Planned improvements to the Department's workforce planning model, as relayed to us, will add to the data available on areas of need. Once available, this should be reported publicly. 

Recommendations
By December 2019, the Department of Education should:

  1. Improve its workforce planning model to better understand and communicate supply and demand for teachers by: 
    • determining the extent, and analysing the impact, of out-of-field teaching by permanent and temporary teachers in each school
    • sourcing additional data to more accurately reflect teacher location preferences
    • projecting supply and demand by subject level and geographic area
    • regularly reporting on the supply and demand for secondary teachers in each discipline to communicate future areas of need to future teacher education students.

The Department's current scholarship and sponsorship programs are not allocating all available places and many scholars withdraw from the programs before completion. An internal review in 2017 raised several issues with the effectiveness of programs and the Department has started to revise its scholarship, sponsorship and incentive programs. 

An internal review in 2017 highlighted that scholarship and sponsorship programs were not targeting workforce need, and that there were no key performance indicators to determine the overall effectiveness of these strategies. In addition, the review found that only 79 per cent of available scholarship placements are allocated each year, and 31 per cent of scholarship recipients withdraw prior to completing their required service period. The Department recently announced changes to its scholarship programs from 2019 onwards.

The Department has incentives to encourage teachers to work in rural and remote areas, including teachers in STEM-related disciplines. Incentives include access to priority transfers, rental subsidies and other allowances. Research conducted in 2016 examined the influence of incentives in encouraging teachers to work in rural and remote areas. The Department used findings of this research when updating its set of rural and remote incentives in 2017.

The Department promotes its scholarship and sponsorship programs through the teach.NSW website. It uses social media to direct applicants to this website. It also promotes its programs through careers fairs, University open days, and professional events. Past applicants have reported that the website clearly communicates eligibility criteria and the terms of agreement for all scholarship programs. 

The Department could strengthen its relationship with universities to attract teachers to areas of need by collecting and analysing data on practicum placements, facilitating placements for scholarship recipients, and communicating predicted teacher needs by discipline. 

Recommendations
By December 2019, the Department of Education should:

2. Implement changes to address the findings of the 'Teacher Scholarship Realignment' report, including by:

  • testing a range of program designs with target candidates to determine the best options to attract more suitable applicants
  • establishing key performance indicators, and setting targets, to better monitor the effectiveness of the programs
  • reducing the number of scholars appointed to over-establishment positions
  • increasing the proportion of scholars appointed to priority locations 
  • further analysing scholarship recipients career paths to inform future improvements to the scholarship programs.

3. Review its role in the practicum placement process of pre-service teachers by:

  • analysing how many students each school accommodates per year, to ensure there are appropriate placements available for students in high needs disciplines
  • working with universities to facilitate practicum placements for scholarship recipients
  • establishing mechanisms for ongoing monitoring of its partnerships with universities to ensure they are meeting their aims.

Appendix one - Response from agency

Appendix two - About the audit

Appendix three - Performance auditing

 

Parliamentary Reference - Report number #313 - released 29 January 2019.