Reports
Education 2018
The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of agencies in the Education cluster. The report focuses on key observations and findings from the most recent financial audits of these agencies. 'I am pleased to report that unqualified audit opinions were issued on the financial statements of both agencies in the Education cluster', the Auditor-General said. Statements were submitted and audited within statutory deadlines.
This report analyses the results of our audits of financial statements of the Education cluster for the year ended 30 June 2018. The table below summarises our key observations.
This report provides parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- service delivery.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster for 2017–18.
| Observation | Conclusions and recommendations |
| 2.1 Quality of financial reporting | |
| Unqualified audit opinions were issued on the financial statements of both cluster agencies. | Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. |
| 2.2 Timeliness of financial reporting | |
| Both cluster agencies met the statutory deadlines for completing early close procedures and submitting financial statements. | Early close procedures continue to facilitate the timely preparation of cluster agencies’ financial statements and completion of audits, but scope exists to improve outcomes by resolving issues and supplying supporting documentation earlier. |
| 2.3 Key issues from financial audits | |
| Inconsistencies in the Department’s annual leave and long service leave data, identified over the past three audits, remain unresolved. This issue impacts the Department’s liability estimates for annual leave and long service leave, including associated on-costs. It also on-flows to the Crown Entity, which assumes the Department's liability for long service leave. | Recommendation: The Department should confirm leave data and review assumptions following deployment of the new HR/Payroll system to better estimate the liability for employee benefits and the amount to be assumed by the Crown Entity. |
| 2.4 Key financial information | |
| Cluster agencies recorded net deficits in 2017–18. |
The Department recorded a net deficit of $30.7 million in 2017–18 against a budgeted surplus of $122 million. The NSW Education Standards Authority recorded a net deficit of $4.1 million against a budgeted deficit of $4.7 million. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from:
- our financial statement audits of agencies in the Education cluster for 2018
- the areas of focus identified in the Audit Office work program.
The Audit Office Annual Work Program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.
| Observation | Conclusions and recommendations |
| 3.1 Internal controls | |
| Twenty internal control deficiencies were identified during our audits of cluster agencies. We assessed one as a high risk finding. | |
| Eight internal control weaknesses were repeat issues from previous financial audits that had not been fully addressed by management. | Recommendation: Management should prioritise and action recommendations to address internal control weaknesses. |
| 3.2 Information technology | |
| Delivery of the Learning Management and Business Reform (LMBR) program is complete. |
The LMBR program has been a major project for the Department since it was established in 2006. A staged approach was adopted for implementing the Department’s new HR/Payroll system to manage the risks associated with this large-scale roll-out. |
| 3.3 Valuation of the Department’s land and buildings | |
| The Department completed a revaluation of land and building assets during 2017–18. |
A market approach was used to revalue the Department’s land, resulting in a revaluation increment of $2.3 billion. A current replacement cost approach was used to revalue the Department’s school buildings, resulting in an increment of $6.2 billion. |
| 3.4 Maintenance of school facilities | |
| The Department regularly assesses the condition of school buildings and uses Life Cycle Costing to predict maintenance and capital renewal, and to prioritise maintenance activities. | The Life Cycle Costing assessment conducted by the Department in 2017–18 rated 70 per cent of school buildings as being in either as new or good condition. No school buildings were rated as being in end-of-life condition. |
| 3.4 School asset delivery | |
| The Department’s School Assets Strategic Plan is designed to ensure that there are sufficient fit-for-purpose places for students up to 2031. | The Department created a new division, School Infrastructure NSW, to oversee the planning, supply and maintenance of schools and implement major school infrastructure projects. |
This chapter provides service delivery outcomes for the Education cluster for 2017–18. It provides important contextual information about the cluster's operation, but the data on achievement of these outcomes is not audited. The Audit Office does not have a specific mandate to audit performance information.
Planning and Environment 2018
The Auditor-General for New South Wales, Margaret Crawford, released her report today on the NSW Planning and Environment cluster. The report focuses on key observations and findings from the most recent financial audits of these agencies. Unqualified audit opinions were issued for all agencies' financial statements. However, some cultural institutions had challenges valuing collection assets in 2017–18. These issues were resolved before the financial statements were finalised.
This report analyses the results of our audits of financial statements of the Planning and Environment cluster for the year ended 30 June 2018. The table below summarises our key observations.
This report provides parliament and other users of the Planning and Environment cluster agencies' financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- service delivery.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making is enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Planning and Environment cluster for 2018.
| Observation | Conclusions and recommendations |
| 2.1 Quality of financial reporting | |
| Unqualified audit opinions were issued for all agencies' financial statements. | The quality of financial reporting remains high across the cluster. |
| 2.2 Key accounting issues | |
| There were errors in some cultural institutions' collection asset valuations. | Recommendation: Collection asset valuations could be improved by:
|
| 2.3 Timeliness of financial reporting | |
| Except for two agencies, the audits of cluster agencies’ financial statements were completed within the statutory timeframe. | Issues with asset revaluations delayed the finalisation of two environment and heritage agencies' financial statement audits. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from:
- our financial statement audits of agencies in the Planning and Environment cluster for 2018
- the areas of focus identified in the Audit Office work program.
The Audit Office annual work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.
| Observation | Conclusions and recommendations |
| 3.1 Internal controls | |
| One in five internal control weaknesses reported in 2017–18 were repeat issues. | Delays in implementing audit recommendations can prolong the risk of fraud and error. Recommendation (repeat issue): Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues. |
| One extreme risk was identified relating to the National Art School. The School does not have an occupancy agreement for the Darlinghurst campus. | Lack of formal agreement creates uncertainty over the School's continued occupancy of the Darlinghurst site. The School should continue to liaise with stakeholders to formalise the occupancy arrangement. |
| 3.2 Information technology controls | |
| The controls and governance arrangements when migrating payroll data from the Aurion system to SAP HR system were effective. | Data migration from the Aurion system to SAP HR system had no significant issues. |
| The Department can improve controls over user access to SAP system. | The Department needs to ensure the SAP user access controls are appropriate, including investigation of excess access rights and resolving segregation of duties issues. |
| 3.3 Annual work program | |
| Agencies used different benchmarks to monitor their maintenance expenditure. | The cluster agencies under review operate in different industries. As a result, they do not use the same benchmarks to assess the adequacy of their maintenance spend. |
This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited.
We report this information on service delivery to provide additional context to understand the operations of the Planning and Environment cluster, and to collate and present service information for different segments of the cluster in one report.
In our recent performance audit, ‘Progress and measurement of Premier's Priorities’, we identified 12 limitations of performance measurement and performance data. We recommended the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all relevant agency data sources.
Transport 2018
The Auditor-General for New South Wales, Margaret Crawford released her report today on key observations and findings from the 30 June 2018 financial statement audits of agencies in the Transport cluster. Unqualified audit opinions were issued for all agencies' financial statements. However, assessing the fair value of the broad range of transport related assets creates challenges.
This report analyses the results of our audits of financial statements of the Transport cluster for the year ended 30 June 2018. The table below summarises our key observations.
This report provides Parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2018.
| Observation | Conclusions and recommendations |
| 2.1 Quality of financial reporting | |
| Unqualified audit opinions were issued for all agencies' financial statements | Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. |
| 2.2 Key accounting issues | |
| Valuation of assets continues to create challenges. Although agencies complied with the requirements of the accounting standards and Treasury policies on valuations, we identified some opportunities for improvements at RMS. |
RMS incorporated data from its asset condition assessments for the first time in the valuation methodology which improved the valuation outcome. Overall, we were satisfied with the valuation methodology and key assumptions, but we noted some deficiencies in the asset data in relation to asset component unit rates and old condition data for some components of assets. Also, a bypass and tunnel were incorrectly excluded from RMS records and valuation process since 2013. This resulted in an increase for these assets’ value by $133 million. The valuation inputs for Wetlands and Moorings were revised this year to better reflect the assets' characteristics resulting in a $98.0 million increase. |
| 2.3 Timeliness of financial reporting | |
| Residual Transport Corporation did not submit its financial statements by the statutory reporting deadline. | Residual Transport Corporation remained a dormant entity with no transactions for the year ended 30 June 2018. |
| With the exception of Residual Transport Corporation, all agencies completed early close procedures and submitted financial statements within statutory timeframes. | Early close procedures allow financial reporting issues and risks to be addressed early in the reporting and audit process. |
| 2.4 Financial sustainability | |
| NSW Trains and the Chief Investigator of the Office of Transport Safety Investigations reported negative net assets of $75.7 million and $89,000 respectively at 30 June 2018. | NSW Trains and the Chief Investigator of the Office of Transport Safety Investigations continue to require letters of financial support to confirm their ability to pay liabilities as they fall due. |
| 2.5 Passenger revenue and patronage | |
| Transport agencies revenue growth increased at a higher rate than patronage. | Public transport passenger revenue increased by $114 million (8.3 per cent) in 2017–18, and patronage increased by 37.1 million (5.1 per cent) across all modes of transport based on data provided by TfNSW. |
| Negative balance Opal Cards resulted in $3.8 million in revenue not collected in 2017–18 and $7.8 million since the introduction of Opal. A total of 1.1 million Opal cards issued since its introduction have negative balances. | Transport for NSW advised it is liaising with the ticketing vendor to implement system changes and are investigating other ways to reduce the occurrences. |
| 2.6 Cost recovery from public transport users | |
| Overall cost recovery from users has decreased. | Overall cost recovery from public transport users (on rail and bus services by STA) decreased from 23.2 per cent to 22.4 per cent between 2016–17 and 2017–18. The main reason for the decrease is due to expenditure increasing at a faster rate than revenue in 2017–18. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from:
- our financial statement audits of agencies in the Transport cluster for 2018
- the areas of focus identified in the Audit Office annual work program.
The Audit Office Annual Work Program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.
| Observation | Conclusions and recommendations |
| 3.1 Internal controls | |
| There was an increase in findings on internal controls across the Transport cluster. | Key themes related to information technology, employee leave entitlements and asset management. Eighteen per cent of all issues were repeat issues. |
| 3.2 Audit Office Annual work program | |
| The Transport cluster wrote-off over $200 million of assets which were replaced by new assets or technology. |
Majority of this write-off was recognised by RMS, with $199 million relating to the write-off of existing assets which have been replaced during the year. |
| RailCorp is expected to convert to TAHE from 1 July 2019. | Several working groups are considering different aspects of the TAHE transition including its status as a for-profit Public Trading Enterprise and which assets to transfer to TAHE. We will continue to monitor developments on TAHE for any impact to the financial statements. |
| RMS' estimated maintenance backlog at 30 June 2018 of $3.4 billion is lower than last year. Sydney Trains' estimated maintenance backlog at 30 June 2018 increased by 20.6 per cent to $434 million. TfNSW does not quantify its backlog maintenance. | TfNSW advised it is liaising with Infrastructure NSW to develop a consistent definition of maintenance backlog across all transport service providers. |
| Not all agencies monitor unplanned maintenance across the Transport cluster. | Unplanned maintenance can be more expensive than planned maintenance. TfNSW should develop a consistent approach to define, monitor and track unplanned maintenance across the cluster. |
This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by Cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited.
We report this information on service delivery to provide additional context to understand the operations of the Transport cluster and to collate and present service information for different modes of transport in one report.
In our recent performance audit, Progress and measurement of Premier's Priorities, we identified 12 limitations of performance measurement and performance data. We recommended that the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all agency data sources.
Mobile speed cameras
The primary goal of speed cameras is to reduce speeding and make the roads safer. Our 2011 performance audit on speed cameras found that, in general, speed cameras change driver behaviour and have a positive impact on road safety.
Transport for NSW published the NSW Speed Camera Strategy in June 2012 in response to our audit. According to the Strategy, the main purpose of mobile speed cameras is to reduce speeding across the road network by providing a general deterrence through anywhere, anytime enforcement and by creating a perceived risk of detection across the road network. Fixed and red-light speed cameras aim to reduce speeding at specific locations.
Roads and Maritime Services and Transport for NSW deploy mobile speed cameras (MSCs) in consultation with NSW Police. The cameras are operated by contractors authorised by Roads and Maritime Services. MSC locations are stretches of road that can be more than 20 kilometres long. MSC sites are specific places within these locations that meet the requirements for a MSC vehicle to be able to operate there.
This audit assessed whether the mobile speed camera program is effectively managed to maximise road safety benefits across the NSW road network.
The mobile speed camera program requires improvements to key aspects of its management to maximise road safety benefits. While camera locations have been selected based on crash history, the limited number of locations restricts network coverage. It also makes enforcement more predictable, reducing the ability to provide a general deterrence. Implementation of the program has been consistent with government decisions to limit its hours of operation and use multiple warning signs. These factors limit the ability of the mobile speed camera program to effectively deliver a broad general network deterrence from speeding.
Many locations are needed to enable network-wide coverage and ensure MSC sessions are randomised and not predictable. However, there are insufficient locations available to operate MSCs that meet strict criteria for crash history, operator safety, signage and technical requirements. MSC performance would be improved if there were more locations.
A scheduling system is meant to randomise MSC location visits to ensure they are not predictable. However, a relatively small number of locations have been visited many times making their deployment more predictable in these places. The allocation of MSCs across the time of day, day of week and across regions is prioritised based on crash history but the frequency of location visits does not correspond with the crash risk for each location.
There is evidence of a reduction in fatal and serious crashes at the 30 best-performing MSC locations. However, there is limited evidence that the current MSC program in NSW has led to a behavioural change in drivers by creating a general network deterrence. While the overall reduction in serious injuries on roads has continued, fatalities have started to climb again. Compliance with speed limits has improved at the sites and locations that MSCs operate, but the results of overall network speed surveys vary, with recent improvements in some speed zones but not others.
There is no supporting justification for the number of hours of operation for the program. The rate of MSC enforcement (hours per capita) in NSW is less than Queensland and Victoria. The government decision to use multiple warning signs has made it harder to identify and maintain suitable MSC locations, and impeded their use for enforcement in both traffic directions and in school zones.
Appendix one - Response from agency
Appendix two - About the audit
Appendix three - Performance auditing
Parliamentary reference - Report number #308 - released 18 October 2018
Regulation of water pollution in drinking water catchments and illegal disposal of solid waste
There are important gaps in how the Environmental Protection Authority (EPA) implements its regulatory framework for water pollution in drinking water catchments and illegal solid waste disposal. This limits the effectiveness of its regulatory responses, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.
| By 31 December 2018, to improve governance and oversight, the EPA should: | |
| 1. | implement a more effective performance framework with regular reports to the Chief Executive Officer and to the EPA Board on outcomes-based key result areas that assess its environmental and regulatory performance and trends over time |
| By 30 June 2019, to improve consistency in its practices, the EPA should: | |
| 2. | progressively update and make accessible its policies and procedures for regulatory operations, and mandate procedures where necessary to ensure consistent application |
| 3. | implement internal controls to monitor the consistency and quality of its regulatory operations. |
| By 30 June 2019, to address worsening water quality in Lake Burragorang, the EPA should: | |
| 4. | (a) review the impact of its licensed activities on water quality in Lake Burragorang, and |
| (b) develop strategies relating to its licensed activities (in consultation with other relevant NSW Government agencies) to improve and maintain the lake's water quality. | |
| To improve compliance monitoring, the EPA should implement procedures to: | |
| 5. | by 30 June 2019, validate self-reported information, eliminate hardcopy submissions and require licensees to report on their breaches of the Act and associated regulations in their annual returns |
| 6. | by 31 December 2018, conduct mandatory site inspections under the risk-based licensing scheme to assess compliance with all regulatory requirements and licence conditions. |
| By 31 December 2018 to improve enforcement, the EPA should: | |
| 7. | Implement procedures to systematically assess non-compliances with licence conditions and breaches of the Act and to implement appropriate and consistent regulatory actions. |
Appendix one – Response from agency
Appendix two – List of enforcement tools
Appendix three – The EPA's organisational structure
Appendix four – The EPA's regions and branches
Appendix five – About the audit
Appendix six – Performance auditing
Parliamentary reference - Report number #304 - released 28 June 2018
Managing risks in the NSW public sector: risk culture and capability
The Ministry of Health, NSW Fair Trading, NSW Police Force, and NSW Treasury Corporation are taking steps to strengthen their risk culture, according to a report released today by the Auditor-General, Margaret Crawford. 'Senior management communicates the importance of managing risk to their staff, and there are many examples of risk management being integrated into daily activities', the Auditor-General said.
We did find that three of the agencies we examined could strengthen their culture so that all employees feel comfortable speaking openly about risks. To support innovation, senior management could also do better at communicating to their staff the levels of risk they are willing to accept.
Effective risk management is essential to good governance, and supports staff at all levels to make informed judgements and decisions. At a time when government is encouraging innovation and exploring new service delivery models, effective risk management is about seizing opportunities as well as managing threats.
Over the past decade, governments and regulators around the world have increasingly turned their attention to risk culture. It is now widely accepted that organisational culture is a key element of risk management because it influences how people recognise and engage with risk. Neglecting this ‘soft’ side of risk management can prevent institutions from managing risks that threaten their success and lead to missed opportunities for change, improvement or innovation.
This audit assessed how effectively NSW Government agencies are building risk management capabilities and embedding a sound risk culture throughout their organisations. To do this we examined whether:
- agencies can demonstrate that senior management is committed to risk management
- information about risk is communicated effectively throughout agencies
- agencies are building risk management capabilities.
The audit examined four agencies: the Ministry of Health, the NSW Fair Trading function within the Department of Finance, Services and Innovation, NSW Police Force and NSW Treasury Corporation (TCorp). NSW Treasury was also included as the agency responsible for the NSW Government's risk management framework.
In assessing an agency’s risk culture, we focused on four key areas:
Executive sponsorship (tone at the top)
In the four agencies we reviewed, senior management is communicating the importance of managing risk. They have endorsed risk management frameworks and funded central functions tasked with overseeing risk management within their agencies.
That said, we found that three case study agencies do not measure their existing risk culture. Without clear measures of how employees identify and engage with risk, it is difficult for agencies to tell whether employee's behaviours are aligned with the 'tone' set by the executive and management.
For example, in some agencies we examined we found a disconnect between risk tolerances espoused by senior management and how these concepts were understood by staff.
Employee perceptions of risk management
Our survey of staff indicated that while senior leaders have communicated the importance of managing risk, more could be done to strengthen a culture of open communication so that all employees feel comfortable speaking openly about risks. We found that senior management could better communicate to their staff the levels of risk they should be willing to accept.
Integration of risk management into daily activities and links to decision-making
We found examples of risk management being integrated into daily activities. On the other hand, we also identified areas where risk management deviated from good practice. For example, we found that corporate risk registers are not consistently used as a tool to support decision-making.
Support and guidance to help staff manage risks
Most case study agencies are monitoring risk-related skills and knowledge of their workforce, but only one agency has addressed the gaps it identified. While agencies are providing risk management training, surveyed staff in three case study agencies reported that risk management training is not adequate.
NSW Treasury provides agencies with direction and guidance on risk management through policy and guidelines. In line with better practice, NSW Treasury's principles-based policy acknowledges that individual agencies are in a better position to understand their own risks and design risk management frameworks that address those risks. Nevertheless, there is scope for NSW Treasury to refine its guidance material to support a better risk culture in the NSW public sector.
Recommendation
By May 2019, NSW Treasury should:
- Review the scope of its risk management guidance, and identify additional guidance, training or activities to improve risk culture across the NSW public sector. This should focus on encouraging agency heads to form a view on the current risk culture in their agencies, identify desirable changes to that risk culture, and take steps to address those changes.
Appendix one - Response from agencies
Appendix three - About the audit
Appendix four - Performance auditing
Parliamentary reference - Report number #298 - released 23 April 2018
Internal Controls and Governance 2017
Agencies need to do more to address risks posed by information technology (IT).
Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
1. Overall trends
|
New and repeat findings |
The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved. |
|
High risk findings |
Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies. |
|
Common findings |
Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity. |
2. Information Technology
|
IT security |
Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls. |
|
Cyber security |
Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
|
Other IT systems |
Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems. |
3. Asset Management
|
Capital investment |
Agencies report delays delivering against the significant increase in their budgets for capital projects. |
|
Capital projects |
Agencies are underspending their capital budgets and some can improve capital project governance. |
|
Asset disposals |
Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes. |
4. Governance
|
Governance arrangements |
Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues. |
|
Shared services |
Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set. |
5. Ethics and Conduct
|
Ethical framework |
Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics. |
|
Conflicts of interest |
All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
6. Risk Management
|
Risk management maturity |
All agencies have implemented risk management frameworks, but with varying levels of maturity. |
|
Risk management elements |
Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency. |
This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.
This new report offers strategic insight on the public sector as a whole
In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.
This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.
Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.
These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.
Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:
- Overall trends
- Information technology
- Asset management
- Governance
- Ethics and conduct
- Risk management.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.
|
Issues |
Recommendations |
|
1.1 New and repeat findings |
|
|
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies. |
Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis. |
|
1.2 High risk findings |
|
|
We found seven high risk internal control deficiencies, which might significantly affect agencies. |
Recommendation Agencies should rectify high risk internal control deficiencies as a priority |
|
1.3 Common findings |
|
|
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies. |
Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies. |
Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.
| Issues | Recommendations |
2.1 IT security |
|
|
User access administration While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems. |
Recommendation Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:
|
|
Privileged access Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access. |
Recommendation Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:
|
|
Password controls Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls. |
Recommendation Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:
|
2.2 Cyber Security |
|
|
Cyber security framework Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat. |
Recommendation The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents. |
|
Cyber security strategies While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness. |
Recommendations The Department of Finance, Services and Innovation should:
Agencies should ensure they adequately resource staff dedicated to cyber security. |
2.3 Other IT systems |
|
|
Change control processes Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes. |
Recommendation Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems. |
|
Disaster recovery planning Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis. |
Recommendation Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans. |
Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:
- manage their major capital projects
- dispose of existing assets.
| Issues | Recommendations or conclusions |
3.1 Capital investment |
|
|
Capital asset investment ratios Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one. |
Recommendation Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs. |
|
Volume of capital spending Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years. |
Conclusion The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years. |
3.2 Capital projects |
|
|
Major capital projects Agencies’ major capital projects were underspent by 13 percent against their budgets. |
Conclusion The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time. |
|
Capital project governance Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects. |
Conclusion Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight. |
3.3. Asset disposals |
|
|
Asset disposal procedures Agencies need to strengthen their asset disposal procedures. |
Recommendations Agencies should have formal processes for disposing of surplus properties. Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption. |
Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.
This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.
| Issues | Recommendations or conclusions |
4.1 Governance arrangements |
|
|
Continuous disclosure Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations. |
Conclusion Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:
|
4.2 Shared services |
|
|
Service level agreements Some agencies do not have service level agreements for their shared service arrangements. Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements. |
Conclusion Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:
|
|
Shared service performance Some agencies do not set performance standards for their shared service providers or regularly review performance results. |
Conclusion Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received. Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money. |
All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.
This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.
We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.
| Issues | Recommendations or conclusions |
5.1 Ethical framework |
|
|
Code of conduct All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour. |
Recommendation Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date. |
|
Statement of business ethics Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors. |
Conclusion Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture. |
5.2 Potential conflicts of interest |
|
|
Conflicts of interest All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest. |
Recommendation Agencies should improve the way they manage conflicts of interest, particularly by:
|
|
Gifts and benefits While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct. |
Recommendation Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff. |
Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.
This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.
| Issues | Recommendations or conclusions |
6.1 Risk management maturity |
|
|
All agencies have implemented risk management frameworks, but with varying levels of maturity in their application. Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence. |
Conclusion Agencies have introduced risk management frameworks and practices as required by the Treasury’s:
However, more can be done to progress risk management maturity and embed risk management in agency culture. |
6.2 Risk management elements |
|
|
Risk culture Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.
|
Conclusion Agencies can improve their risk culture by:
|
|
Risk registers and reporting Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level. |
Conclusion Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately. |
Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.
Sharing school and community facilities
Schools and the community would benefit if school facilities were shared more often.
The Department of Education’s ‘Community Use of School Facilities Policy’ encourages but does not require schools to share facilities. Sharing depends heavily on the willingness of school principals and there are few incentives. There are many challenges in developing agreements with community users and there is only limited support available from the Department.
There are strategies and plans to support the sharing of facilities between schools and the wider community, but none are backed up with budgets, specific plans or timeframes.
Governments should strive for the best use of assets. This is particularly important in the context of a growing New South Wales population, fiscal constraints and increasing demand for services.
Lack of available land, rising land costs and population growth highlighted in our April 2017 'Planning for school infrastructure' performance audit report mean that new and existing schools will need to share their facilities with communities more than is currently the case.
This audit assessed how effectively schools share facilities with each other, local councils and community groups. In making this assessment, the audit examined whether the Department of Education (Department):
- has a clear policy to encourage and support facilities sharing
- is implementing evidence-based strategies and procedures for facilities sharing
- can show it is realising an increasing proportion of sharing opportunities.
Facilities sharing is the use of a physical asset, such as a building, rooms, or open spaces, by more than one group for a range of activities at the same time or at different times. For the purposes of this audit, we have divided sharing arrangements into two types: shared use and joint use.
Shared use refers to arrangements where existing school assets are hired out for non-school purposes, usually for a limited time. The assets remain under the control of the school. Generally, there is little alteration or enhancement to the asset required to enable shared use. Shared use can also refer to schools using external facilities, such as council pools, but these arrangements are not included within the scope of this audit.
Joint use refers to arrangements where new or upgraded school and non-school facilities or community hubs are planned, funded, built and jointly shared between a school and other parties, usually involving significant investment.
Both shared use and joint use agreements are governed by contractual obligations.
The sharing of school facilities with the community is not fully effective. The Department of Education is implementing strategies to increase shared and joint use but several barriers, some outside the Department’s direct control, must be addressed to fully realise benefits to students and the community of sharing school facilities. In addition, the Department needs to do more to encourage individual schools to share facilities with the community.
A collaborative, multi-agency approach is needed to overcome barriers to the joint use of facilities, otherwise, the Department may need significantly more funds than planned to deliver sufficient fit-for-purpose school facilities where and when needed.
Since the early 2000’s, several reviews in NSW and other jurisdictions have commented on the benefits of and need to increase the sharing of school facilities.
Several NSW Government strategies and plans support shared and joint use of facilities between schools and the wider community, but none are backed up with financial incentives, or specific plans with implementation timeframes. In Victoria and Queensland whole-of-government processes are in place to support a more coordinated approach to planning, building and sharing community facilities. For example, Victoria has a comprehensive policy framework encompassing both existing and future use of community facilities and a $50 million program to seed the development of community facilities on school sites over the next four years.
There are examples of successful shared use, but more can be done. Information about the available facilities is not readily available to potential community users. Schools should work more closely with councils and other stakeholders to leverage shared use.
Currently, the administrative burden, costs and risks associated with shared use can exceed the perceived benefits to schools, leading to reluctance amongst some Principals to share. In addition, a substantial backlog of school-initiated infrastructure proposals awaiting Departmental approval means that schools that raise money from sharing their facilities find it difficult to use the funds they raise on improved infrastructure. Some of these proposals have been waiting for approval for more than 12 months.
The Department could do more to support Principals by ensuring the fees charged for facilities cover the costs incurred by schools, that Principals can access help with negotiating and managing contracts, and that infrastructure proposals initiated and funded by schools are approved in a timely manner.
The Department is not monitoring shared use across the State, and does not evaluate different approaches as evidence to influence policies and procedures.
Recommendations
By December, 2018, the Department should:
- increase incentives and reduce impediments for school Principals to share school facilities, including:
- review the methodology for calculating fees charged for facilities to ensure that shared use of school facilities does not result in a financial burden to schools or the Department
- improve support provided to Principals by School Infrastructure NSW, including reducing the backlog of school-initiated infrastructure proposals awaiting approval
- develop service standards, including timeframes, for assessing and approving school-initiated infrastructure proposals.
- provide readily-accessible information about available school facilities to community groups and local councils
- implement processes to monitor and regularly evaluate the implementation of the shared use policy and promote better practice to drive improvements.
As discussed in our 2017 audit report on ‘Planning for school infrastructure’, joint use agreements are a key direction of the School Assets Strategic Plan. Joint use of school facilities will be necessary to ensure that there will be enough fit-for-purpose learning spaces for students when and where needed. Under the ‘Community Use of School Facilities Policy’ Principals play the leading role in identifying opportunities, and developing and managing agreements for sharing school facilities. This is impractical for joint use projects which involve substantial investment in new or refurbished assets, in particular for joint use projects in schools that are yet to be built. In addition, the policy does not address joint-use facilities built on land not owned by the Department. For these reasons, the Department is developing a new policy.
The Department is planning to develop joint use agreements in a more systematic way as part of school community planning, previously known as cluster planning, with a special focus on local councils. Several agreements are currently being piloted, and will be evaluated to provide an evidence-based foundation for this new approach.
To develop or refurbish school facilities for joint use, the Department, councils and other key stakeholders must work together and prioritise joint use from the earliest stages of any project. A collaborative, multi-agency approach is needed to ensure sufficient fit-for-purpose facilities are available for school students within the funding framework proposed in the School Assets Strategic Plan.
To increase shared and joint use, the Department is recruiting specialist staff in its Asset Division to assist with the brokerage, community engagement and development of agreements, but these staff are not dedicated to joint use projects and their available time may not be sufficient to provide the necessary support in the timeframes required.
Recommendations
By December, 2018, the Department of Education should:
- ensure that the implementation of the new ‘Joint Use of School Facilities and Land Policy’ is adequately resourced, and has the support of Principals
- implement processes to monitor and regularly evaluate the implementation of joint use policy and promote better practice to drive improvements.
Appendix one - Response from agency
Appendix two - About the audit
Appendix three - Victoria's 30-Year Infrastructure Strategy
Appendix four - Not-for-profit hire changes
Appendix five - Performance Auditing
Parliamentary reference - Report number #293 - released 1 November 2017
Information and Communication Technologies in schools for teaching and learning
Several factors are reducing effective use of information and communication technology (ICT) in the classroom.
These are primarily:
Parliamentary reference - Report number #289 - released 6 July 2017
Therapeutic programs in prisons
Corrective Services NSW should ensure eligible prisoners receive timely programs to reduce the risk they will reoffend on release.
Parliamentary reference - Report number #283 - released 3 May 2017
