Reports
Education 2019
This report focuses on key observations and findings from the most recent financial audits of agencies in the Education cluster. From 1 July 2019, the Technical and Further Education Commission, the NSW Skills Board and the functions and activities associated with vocational training and skills form part of the Education cluster.
Unqualified audit opinions were issued for all cluster agencies’ financial statements. However, internal control deficiencies were identified across the cluster agencies, including 14 findings that were repeated from the previous year. Control deficiencies were also identified in a sample of the state’s 2,200 schools. Schools did not always apply the guidance in the Department of Education's ‘Finance in Schools Handbook’, resulting in control weaknesses in key areas such as governance, cash management and procurement.
'In addition, we continue to observe inconsistencies in the employee leave data reported from the Department of Education’s payroll system, which impact the reliability of estimates of the Department’s liability for employee benefits. The robustness of the Department's quality assurance over leave liability data should be improved', the Auditor-General said.
This report analyses the results of our audits of financial statements of entities within the Education cluster for the year ended 30 June 2019. The table below summarises our key observations.
1. Machinery of Government changes
| The Education cluster has expanded | From 1 July 2019, the Technical and Further Education Commission, the NSW Skills Board and the functions and activities associated with vocational training and skills now form part of the Education cluster. |
2. Financial reporting
| Audit opinions |
Unqualified audit opinions were issued for all cluster agencies' 30 June 2019 financial statements audits. The number of corrections to disclosures in the financial statements, which increased this year, could have been reduced by a more thorough quality assurance over the information underpinning the financial statements. Recommendation: Cluster agencies should improve their quality assurance processes for financial reporting to improve the accuracy of financial statements presented for audit. |
| Preparedness for new accounting standards |
Agencies will implement four new accounting standards shortly. Three are effective from 1 July 2019 and the fourth is effective from 1 July 2020. Cluster agencies needed to do more work on their impact assessments to better prepare for their implementation from 1 July 2019. Recommendation: Cluster agencies should finalise their plans to implement the new accounting standards as soon as possible. |
| Timeliness of financial reporting |
All cluster agencies met the statutory deadline for completing early close procedures and submitting their financial statements for audit. The Department of Education (the Department) delays tabling its financial statements in parliament so it can report its operational outcomes, which are aligned to the calendar year, in a single report. This reduces transparency over the Department's financial statements as they are tabled more than ten months after the end of the financial year. Recommendation: The Department should table its financial statements in parliament earlier, in line with other NSW Government agencies. |
| Inconsistencies in the employee leave data | We continue to observe inconsistencies in the employee leave data reported from the Department’s payroll system, which impacts the reliability of estimates of the Department's liability for employee benefits. The robustness of the Department's quality assurance over leave liability data should be improved. |
3. Audit observations
| Internal control deficiencies |
We identified 55 internal control issues, including 14 findings that were repeated from the previous year. Issues were identified with user access administration, segregation of duties in the Department's key application system and timely preparation and review of key reconciliations. Recommendation: Cluster agencies should prioritise and action recommendations to address internal control weaknesses. |
| Schools review 2018 |
Our review of a selection of NSW schools identified deficiencies in how they applied the Department of Education's ‘Finance in Schools Handbook’, resulting in control weaknesses in key areas such as governance, cash management and procurement. Recommendation: The Department should ensure all schools apply the Department’s ‘Finance in Schools Handbook’ as it is a key internal control. |
This report provides parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
This cluster was significantly impacted by the Machinery of Government changes. The Technical and Further Education Commission and the NSW Skills Board, part of the former Industry cluster, were transferred on 1 July 2019. This report focuses on agencies in the Education cluster from 1 July 2019. Please refer to the section on Machinery of Government changes for more details.
Machinery of Government refers to how the government organises the structures and functions of the public service. Machinery of Government changes are where the government reorganises these structures and functions, and the changes are given effect by Administrative Arrangements Orders.
Section highlights
The 2019 Machinery of Government changes significantly impacted the Education cluster. From 1 July 2019, the functions and activities associated with the administration of legislation allocated to the Minister for Skills and Tertiary Education were transferred from the former Industry cluster to the Education cluster. Aboriginal Affairs NSW was transferred from the Department of Education (the Department) to the Department of Premier and Cabinet.
The Department is the principal agency in the cluster. The Machinery of Government changes bring new responsibilities, risks and challenges to the cluster.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster for 2019.
Section highlights
Unqualified audit opinions were issued on the financial statements of cluster agencies. However, a more thorough quality review process of the financial statements submitted for audit would help reduce the number of corrections to those statements.
All cluster agencies met the statutory deadlines for completing the early close procedures and submitting the financial statements.
We continue to observe inconsistencies in the employee leave data reported from the Department of Education’s (the Department) payroll system. The robustness of the Department's quality assurance over leave liability data should be improved.
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Education cluster. It also comments on our review of the financial control framework applied by 70 schools in NSW whose financial results form part of the Department of Education's (the Department) financial statements.
Section highlights
- Audit Office management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues. The 2018–19 financial audits of cluster agencies identified 55 internal control issues, including 14 that were carried forward from the previous year.
- Application controls are procedures that operate at a business process level designed to ensure the integrity of accounting records. The Department can mitigate the risk of fraud or error in preparing its financial statements if segregation of duties are appropriately configured in their key application system.
- Our review of a selection of schools across NSW identified deficiencies in how schools apply the Department’s financial management practices and governance arrangements.
Appendix one – List of 2019 recommendations
Appendix two – Status of 2018 recommendations
Appendix three – Cluster agencies
Appendix four – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Stronger Communities 2019
A report has been released on the NSW Stronger Communities cluster.
From 1 July 2019, the functions of the former Department of Justice, the former Department of Family and Community Services and many of the cluster agencies moved to the new Stronger Communities cluster. The Department of Communities and Justice is the principal agency in the new Stronger Communities cluster.
The report focuses on key observations and findings from the most recent financial audits of agencies in the Stronger Communities cluster.
Unqualified audit opinions were issued on the financial statements for all agencies in the cluster.
There were 157 audit findings on internal controls. Two of these were high risk and 59 were repeat findings from previous financial audits. ‘Cluster agencies should prioritise actions to address internal control weaknesses promptly with particular focus given to issues that are assessed as high risk’, the Auditor-General said.
The report notes that the NSW Government’s new workers' compensation legislation, which gave eligible firefighters presumptive rights to workers' compensation, cost emergency services agencies $180 million in 2018–19, mostly in increased premiums.
This report analyses the results of our audits of financial statements of the agencies comprising the Stronger Communities cluster for the year ended 30 June 2019. The table below summarises our key observations.
This report provides parliament and other users of the financial statements of agencies in the Stronger Communities cluster with the results of our audits, our observations, analyses, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
This cluster was significantly impacted by the Machinery of Government (MoG) changes on 1 July 2019. This report focuses on the agencies that from 1 July 2019, comprised the Stronger Communities cluster. The MoG changes moved some agencies from the clusters to which they belonged in 2018–19 to the Stronger Communities cluster. Conversely, the MoG also moved some agencies formerly in the Family and Community Services cluster and Justice cluster elsewhere. Please refer to the section on Machinery of Government changes for more details.
The Department of Communities and Justice is the principal agency of the cluster. The newly created department combines functions of the former Department of Justice and the Department of Family and Community Services.
Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes occur when the government reorganises these structures and functions and those changes are given effect by Administrative Orders.
The MoG changes announced following the NSW State election on 23 March 2019 significantly impacted the Stronger Communities cluster through Administrative Changes Orders issued on 2 April 2019 and 1 May 2019. These orders took effect on 1 July 2019.
Section highlights
The 2019 MoG changes significantly impacted the former Justice and Family and Community Services (FACS) departments and clusters.
- The Stronger Communities cluster combines most of the functions and agencies of the former Justice and FACS clusters from 1 July 2019.
- The Department of Communities and Justice is now the principal agency in the new cluster.
- The MoG changes bring new responsibilities, risks and challenges to the cluster.
- A temporary office has been established by the Department of Communities and Justice to support the cluster in the planning, delivery and reporting associated with implementing the changes.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations relating to the financial reporting of agencies in the Stronger Communities cluster for 2019.
Section highlights
- Unqualified audit opinions were issued for all agencies' 30 June 2019 financial statements. However, further actions can be taken by some cluster agencies to enhance the quality of their financial reporting.
- In November 2018, the Department of Justice implemented a new Victims Support Services system called VS Connect. Significant data quality issues arising from the VS Connect system implementation impacted the Department's ability to reliably estimate its Victims Support Scheme claims liabilities at 30 June 2019.
We recommend the Department of Communities and Justice resolves the data quality issues in the new VS Connect System before 30 June 2020 and capture and apply lessons learned from recent project implementations, including LifeLink, Justice SAP and VS Connect, in any relevant future implementations. - Our audits found some cluster agencies needed to do more work on their impact assessments and preparedness to implement the new accounting standards, to minimise the risk of errors in their 2019–20 financial statements.
- Cluster agencies with annual leave balances exceeding the State's target should further review their approach to managing leave balances.
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities cluster.
Section highlights
- Cluster agencies should action recommendations to address internal control weaknesses promptly. Particular focus should be given to prioritising high risk issues. The 2018–19 financial audits of cluster agencies identified 157 internal control issues. Of these, two were high risk and 37.6 per cent were repeat findings from previous audits.
- Data from the Department of Justice shows the inmate population reached a maximum of 13,798, compared to an operational capacity of 14,626 beds on 31 August 2019. This equates to an operational vacancy rate of 5.7 per cent, which is more than the recommended 5.0 per cent buffer. This is the first time the vacancy rate has exceeded the target over the last five years. Growth in the NSW prison population is being managed through the NSW Government's $3.8 billion Prison Bed Capacity Program.
- In September 2018, the NSW Government introduced new workers' compensation legislation, which gives eligible firefighters presumptive rights to workers' compensation when diagnosed with one of 12 prescribed cancers. The new legislation cost emergency services agencies $180 million in 2018–19, mainly through additional workers' compensation premiums.
Appendix one – Timeliness of financial reporting by agency
Appendix two – Management letter findings by agency
Appendix three – List of 2019 recommendations
Appendix four – Status of 2018 recommendations
Appendix five – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Health 2019
This report focuses on key observations and findings from the most recent financial audits of the Ministry of Health, local health districts, specialty health networks, health corporations and independent health agencies in New South Wales. The report also summarises self-reported performance measures across the network.
The number and value of adjustments to financial statements of entities in the Health Cluster decreased from the prior year. And unqualified audit opinions were issued for all heath entities’ financial statements.
Audit findings relating to internal controls deficiencies increased across health entities. Contributing to this increase were deficiencies in information system controls, which accounted for nearly a quarter of all control deficiencies. Repeat audit findings also accounted for more than a quarter of all control deficiencies.
The report notes health entities continued to experience challenges with managing employees’ excessive annual leave and time recording practices. The Ambulance Service of New South Wales continued to report high overtime payments to its employees.
This report analyses the results of our audits of financial statements of the agencies comprising the Health cluster for the year ended 30 June 2019. The table below summarises our key observations.
1. Machinery of Government changes
| Cluster changes | Machinery of Government (MoG) changes refer to how the government reorganises agency structures and functions and realigns ministerial responsibilities. The Health cluster was not impacted by the MoG changes. |
2. Financial reporting
| Financial reporting |
The financial statements of NSW Health and its controlled entities received unqualified audit opinions before the legislative deadline. |
| Financial performance | Overall, NSW Health recorded an operating surplus of $1.1 billion in 2018–19, an increase of $699 million from 2017–18. This was the result of additional funding received for capital expenditure on the construction of new facilities, upgrades and redevelopments. Budgeted expense for the 15 local health districts and two speciality networks increased from $18.3 billion to $19.4 billion in 2018–19. The 15 health entities recorded unfavourable variances between actual and budgeted expenses. |
| Excess annual leave |
Managing excess annual leave remains a challenge for NSW Health, 36.9 per cent of the workforce have excess annual leave balances. Recommendation: Health entities should further review their approach to managing excess annual leave in 2019–20, and:
|
| Overtime payments | NSW Health entities generally manage overtime well. The Ambulance Service of NSW’s overtime payments of $83.1 million (9.8 per cent of total salaries and wages), remain significantly higher than other health entities. Recommendation: The Ambulance Service of NSW should further review the effectiveness of its rostering practices to identify strategies to reduce overtime payments. |
3. Audit observations
| Internal control deficiencies | We identified more internal control deficiencies in 2018–19. The number of repeat issues from prior years also remains high with more than one quarter of issues having been previously reported. More than a quarter of deficiencies related to information system controls. |
| Infrastructure delivery | NSW Health defines projects with a budgeted cost greater than $50.0 million as 'major projects'. There were significant revisions to planned financial completion dates and budgeted costs of these projects. The revised total budgets for the 30 ongoing major capital projects at 30 June 2019 is $10.2 billion, $2.2 billion more than the original budget. Health Infrastructure completed three major capital projects during 2018–19. |
| Asset maintenance | The total cost of maintaining the health entities’ $19.8 billion of assets was $635 million for 2018–19. Health entities' approaches to setting maintenance budgets vary. Most entities are addressing their backlog maintenance, although many were not able to quantify the full extent of their backlog maintenance. Although health entities continue to use fully depreciated assets, the replacement cost of these assets is decreasing. |
This report provides parliament and other users of the financial statements of agencies within the Health cluster with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas for the year ended 30 June 2019:
- financial reporting
- audit observations.
The Health cluster was not impacted by the Machinery of Government changes on 1 July 2019.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the health cluster for 2019.
Section highlights
- We issued unqualified audit opinions for all health entities’ financial statements and identified fewer misstatement than last year. Health entities continue to meet statutory deadlines.
- The Ministry of Health sets significant accounting policies centrally and provides a template for the preparation of health entities’ financial statements. These processes promote consistent quality in the financial reports of health entities and reduce the number of misstatements we identify.
- NSW Health recorded an operating surplus of $1.1 billion, an increase of $699 million from 2017–18. This is because of additional capital grants for new facilities, upgrades and redevelopments. The capital replacement ratio (investment in new assets divided by depreciation) for NSW Health is 2.6.
- NSW Health’s expenses increased by 7.0 per cent in 2018–19 (5.5 per cent in 2017–18). This is one percentage point higher than the projected long-term annual expense growth rate of six per cent. The primary causes for the growth in expenses are increased:
- employee related expenses because provisions for employee benefits increased when the discount rate decreased
- operating expenses associated with the opening of Northern Beaches Hospital.
- Excess annual leave balances continue to increase for the NSW Health workforce, with excess annual leave balances impacting 37 per cent of employees (34 per cent in 2017–18).
- Health entities should further review their approach to managing excess annual leave in 2019–20 by monitoring current and projected leave balances on a regular basis, agreeing formal leave plans with employees and encouraging staff that perform key control functions to take a minimum of two consecutive weeks’ leave a year as a fraud mitigation strategy.
- The Ambulance Services continued to report overtime payments higher than other health entities. The Ambulance Service paid its employees $83.1 million in overtime payments in 2018–19 ($74.8 million in 2017–18).
- We issued a qualified audit opinion for the Ministry of Health's Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. We identified 40 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2018–19 (17 in 2017–18).
Audit opinions
We issued unqualified audit opinions for all health entities and quality of financial reporting continues to improve
We identified fewer misstatements this year, and the errors were less significant. In 2018–19 no errors exceeded $5.0 million (eight errors recorded in 2017–18). Ten health entities conducted a full revaluation of their land, buildings and infrastructure systems in 2018–19, but more robust processes avoided the errors identified in the previous year.
| Number of misstatements | ||||||
| Year ended 30 June | 2019 | 2018 | 2017 | |||
 |
 |
|
|
|
|
|
| Less than $50,000 | -- | -- | -- | 6 | 3 | 3 |
| $50,000 to $249,999 | -- | 1 | -- | -- | 2 | 3 |
| $250,000 to $999,999 | 1 | -- | -- | -- | 1 | 3 |
| $1 million to $4,999,999 | -- | 2 | -- | 2 | 1 | 5 |
| $5 million and greater | -- | -- | 6 | 2 | 1 | 2 |
| Total number of misstatements | 1 | 3 | 6 | 10 | 8 | 16 |
Corrected mistatements. Uncorrected statements.We issued a qualified audit opinion for our compliance audit of the Ministry of Health's Annual Prudential Compliance Statement
The Ministry of Health operates eight aged care facilities in NSW and is required to comply with the Fees and Payments Principles 2014 (No. 2) (the Principles) when entering into agreements with and managing payments to and from care recipients. The Principles are set by the Commonwealth Assistant Minister for Social Services. We identified 40 instances of material non-compliance in 2018–19, including:
- not agreeing maximum accommodation amounts payable with aged care recipients before they entered the residential care services
- not entering into accommodation agreements with care recipients within the specified period
- charging incorrect fees for activities or services to one care recipient
- not refunding two bond balances within the statutory framework
- not paying the correct amount of interest for 14 care recipients’ bonds refunded during the year.
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the health cluster.
Section highlights
- The number of internal control deficiencies has increased since 2017–18. More than a quarter of control deficiencies are repeat issues and almost a quarter relate to information system controls. Both employee time recording and leave management remain as repeat issues in 2018–19.
- Control deficiencies that relate to managing employees' leave, employees’ time recording or information system limitations can be difficult for entities to resolve in a timely manner.
- Agreements for the treatment of New South Wales residents while they are interstate, and interstate residents while they are in New South Wales, are unsigned for Queensland, Victoria and the Australian Capital Territory for 2016–17, 2017–18 and 2018–19.
- NSW Health recorded $113.6 million in revenue from fees charged to Medicare ineligible patients during 2018–19 but has received payment for less than half of this.
- NSW Health reported that they completed three major capital projects during 2018–19.
- As at 30 June 2019 there were 30 ongoing major capital health projects in NSW. The revised capital budget for these projects in total was $2.2 billion more than the original budget of $8.0 billion.
- Health entities spent $635 million maintaining assets with a fair value of $19.8 billion of assets. Almost all entities were working through backlog maintenance during 2018–19, although several were unable to quantify the backlog.
- While entities are now regularly reassessing the useful lives of their assets, entities are still using a high volume of assets that are fully depreciated. Due to the age and nature of these assets the impact was not material.
Appendix one – List of 2019 recommendations
Appendix two – Status of 2018 recommendations
Appendix three – Financial data
Appendix four – Analysis of financial indicators
Appendix five – Analysis of performance against budget
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Internal Controls and Governance 2019
This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.
The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:
- financial controls
- information technology controls
- gifts and benefits
- internal audit
- contingent labour
- sensitive data.
The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.
1. Internal control trends
| New, repeat and high risk findings |
There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies. Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time. |
| Common findings |
A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:
|
2. Information technology controls
| IT general controls |
We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:
We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required. |
3. Gifts and benefits
| Gifts and benefits registers |
All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers. Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour. |
| Managing gifts and benefits |
We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites. Agencies can improve management of gifts and benefits by:
|
| Reporting and monitoring |
Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee. Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits. |
4. Internal audit
| Obtaining value from the internal audit function |
Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee. Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer. Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks. |
| Role of the Chief Audit Executive |
Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE. The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO. Agencies should ensure:
|
| Quality assurance and improvement program |
Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function. The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually. Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments. |
5. Managing contingent labour
| Obtaining value for money from contingent labour |
According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces. Agencies can improve their management of contingent labour by:
We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'. |
6. Managing sensitive data
| Identifying and assessing sensitive data |
Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked. Agencies can improve processes to manage sensitive data by:
|
| Managing data breaches |
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents. Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach. |
This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.
Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.
This report offers insights into internal controls and governance in the NSW public sector
This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.
Areas of specific focus of the report have changed since last year
Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:
- internal control trends
- information technology controls, including access to agency systems
- protecting sensitive information held within agencies
- managing large and diverse workforces (controls around employing and managing contingent workers)
- maintaining an ethical culture (management of gifts and benefits)
- effectiveness of internal audit function and its oversight by Audit and Risk Committees.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Key conclusions and sector wide learnings
- out of date policies or an absence of policies to guide appropriate decisions
- poor record keeping and document retention
- incomplete or inaccurate centralised registers or gaps in these registers.
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.
Key conclusions and sector wide learnings
We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.
Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.
Areas where agencies can improve their management of gifts and benefits include:
- ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
- establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
- updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
- providing on-going training, awareness activities and support to employees, not just at induction
- regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
- publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.
Key conclusions and sector wide learnings
We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:
- documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
- ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
- involving the CAE more extensively in executive forums as an observer
- documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
- reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.
Key conclusions and sector wide learnings
Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.
There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:
- preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
- involving agency human resources units in decisions about engaging contingent labour
- regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
- strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.
Key conclusions and sector wide learnings
Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.
It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.
Key areas where agencies can improve their management of sensitive data include:
- identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
- assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
- developing comprehensive data breach management policies to ensure data breaches are appropriately managed
- maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
- providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.
Appendix one – List of 2019 recommendations
Appendix two – Status of 2018 recommendations
Appendix three – In-scope agencies
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Volume Ten 2013 focusing on Health
Unqualified opinions were issued for all agencies audited in the following report.
Some of the reports findings include:
-
Most cultural bodies rely heavily on government grants to fund services
-
The Sydney Opera House Trust earns most of its revenue from commercial operations
-
Less than half of the 2014-16 service agreements between HealthShare NSW and its customers have been signed. HealthShare NSW and health entities should finalise their 2014-2016 service agreements by no later than 31 January 2014
-
Five service level agreements with NSW Health Pathology for 2012-13 were never signed. NSW Health Pathology and local health districts/speciality networks should finalise their 2013-14 service agreements by no later than 31 December 2013
-
HealthShare NSW is committed to sharing internal audit findings across NSW Health
-
The Ministry has started a long-term project to review its policy directives
-
A recent review concluded the health sector has mature risk management practices
-
When changes to the Aboriginal Land Rights Act 1983 occur, the Minister should identify and assess any risks from the changes and develop strategies to mitigate against them.
Volume Six 2013 focusing on Law, Order and Emergency Services
We issued unqualified audit opinions on the above agencies’ 30 June 2013 financial statements. During the year, The Treasury issued TC 13/01 ‘Mandatory early close procedures for 2013’. As a result, the law and order services agencies were required to perform early close procedures. All law and order service agencies were broadly successful in performing the procedures, which helped them submit financial statements by an earlier due date. This in turn enabled the financial statement audits to be finalised within an earlier timeframe of eight weeks (nine weeks in 2011-12).
As previously recommended, the Department of Attorney General and Justice should continue integrating policies, operations and systems between its divisions and, once complete, analyse the costs and benefits. The Department of Attorney-General and Justice should also ensure it has the necessary processes in place to enable it to regularly monitor and measure the performance and success of the Victims Support Scheme in providing a more accessible, streamlined and targeted service to victims of violent crime in New South Wales.
Volume Five 2013 focusing on Education
Unqualified audit opinions were issued on the following financial statements for the year ended 30 June 2013: Department of Education and Communities (including the TAFE Commission), Technical and Further Education Commission, Board of Studies, Office of the Board of Studies, Board of Studies Casual Staff Division, Institute of Teachers, Office of the Institute of Teachers, NSW Board of Vocational Education and Training.
A key issue of focus was around the revaluation of School and TAFE NSW buildings. The report found that the Department’s approach to revaluing its buildings addressed previous concerns, however more work is required to refine the revaluation model and to build on the evidence available for cost rates.
