Refine search

Reports

10 December 2020

Published

Transport 2020

Transport

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Project management

1. Financial Reporting
Audit opinion	Unmodified audit opinions issued for the financial statements of all Transport cluster entities.
Quality and timeliness of financial reporting	All cluster agencies met the statutory deadlines for completing the early close and submitting the financial statements. Transport cluster agencies continued to experience some challenges with accounting for land and infrastructure assets. The former Roads and Maritime Services and Sydney Metro recorded prior period corrections to property, plant and equipment balances.
Impact of COVID-19 on passenger revenue and patronage	Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19. The Transport cluster received additional funding from NSW Treasury during the year to support the reduced revenue and additional costs incurred such as cleaning on all modes of public transport and additional staff to manage physical distancing.
Completion of the CBD and South East Light Rail	The CBD and South East Light Rail project was completed and commenced operations in this financial year. At 30 June 2020, the total cost of the project related to the CBD and South East Light Rail was $3.3 billion. Of this total cost, $2.6 billion was recorded as assets, whilst $700 million was expensed.
2. Audit Observations
Internal control	While internal controls issues raised in management letters in the Transport cluster have decreased compared to the prior year, control weaknesses continue to exist in access security for financial systems. We identified 56 management letter findings across the cluster and 43 per cent of all issues were repeat issues. The majority of the repeat issues relate to information technology controls around user access management. There were three high risk issues identified - two related to financial reporting of assets and one for implementation of TAHE (see below).
Agency responses to emergency events	Transport for NSW established the COVID-19 Taskforce in March 2020 to take responsibility for the overall response of planning and coordination for the Transport cluster. It also implemented the COVIDSafe Transport Plan which incorporates guidance on physical distancing, increasing services to support social distancing and cleaning.
RailCorp transition to TAHE	On 1 July 2020, RailCorp was renamed Transport Asset Holding Entity of New South Wales (TAHE) and converted to a for-profit statutory State-Owned Corporation. TAHE is a commercial for-profit Public Trading Entity with the intent to provide a commercial return to its shareholders. A plan was established by NSW Treasury to transition RailCorp to TAHE which covered the period 1 July 2015 to 1 July 2019. A large portion of the planned arrangements were not implemented by 1 July 2020. As at the time of this report, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements are not finalised. The State Owned Corporations Act 1989 generally requires finalisation of an SCI three months after the commencement of each financial year. However, under the Transport Administration Act 1988, TAHE received an extension from the voting shareholders, the Treasurer and Minister for Finance and Small Business, to submit its first SCI by 31 December 2020. In accordance with the original plan, interim commercial access arrangements were supposed to be in place with RailCorp prior to commencement of TAHE. Under the transitional arrangements, TAHE is continuing to operate in accordance with the asset and safety management plans of RailCorp. The final operating model is expected to include considerations of safety, operational, financial and fiscal risks. This should include a consideration of the potential conflicting objectives of a commercial return, and maintenance and safety measures. This matter has been included as a high risk finding in our management letter due to the significance of the financial reporting impacts and business risks for TAHE. Recommendation: TAHE management should: establish an operating model in line with the original intent of a commercial return finalise commercial agreements with the public rail operators confirm forecast financial information to assess valuation of TAHE infrastructure finalise asset and safety management plans. Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base.
Completeness and accuracy of contracts registers	Across the Transport cluster, contracts and agreements are maintained by the transport agencies using disparate registers. Recommendation (repeat): Transport agencies should continue to implement a process to centrally capture all contracts and agreements entered. This will ensure: agencies are fully aware of contractual and other obligations appropriate assessment of financial reporting implications ongoing assessments of accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities' and new accounting standard AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Section highlights

Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19.
Unqualified audit opinions were issued on all Transport agencies' financial statements.
Transport cluster agencies continued to experience challenges with accounting of land and infrastructure assets.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

observations and insights from our financial statement audits of agencies in the Transport cluster
assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Section highlights

While there was a decrease in findings on internal controls across the Transport cluster, 43 per cent of all issues were repeat issues. Many repeat issues related to information technology controls around user access management.
RailCorp transitioned to TAHE on 1 July 2020. TAHE's operating model and commercial arrangements with public rail operators has not been finalised despite government original plans to be operating from 1 July 2019. TAHE management should finalise its operating model and commercial agreements with public rail operators as they may significantly impact the financial reporting arrangements for TAHE for 2020–21.
Completeness and accuracy of contracts registers remains an ongoing issue for the Transport cluster.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

20 December 2017

Published

Internal Controls and Governance 2017

Finance

Education

Community Services

Health

Justice

Whole of Government

Asset valuation

Compliance

Cyber security

Information technology

Internal controls and governance

Project management

Risk

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.

1. Overall trends

New and repeat findings	The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved.
High risk findings	Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies.
Common findings	Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity.

2. Information Technology

IT security	Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls.
Cyber security	Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.
Other IT systems	Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems.

3. Asset Management

Capital investment	Agencies report delays delivering against the significant increase in their budgets for capital projects.
Capital projects	Agencies are underspending their capital budgets and some can improve capital project governance.
Asset disposals	Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes.

4. Governance

Governance arrangements	Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues.
Shared services	Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set.

5. Ethics and Conduct

Ethical framework	Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics.
Conflicts of interest	All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

6. Risk Management

Risk management maturity	All agencies have implemented risk management frameworks, but with varying levels of maturity.
Risk management elements	Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency.

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

Overall trends
Information technology
Asset management
Governance
Ethics and conduct
Risk management.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Issues	Recommendations
1.1 New and repeat findings
The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17. Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.	Recommendation Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.
1.2 High risk findings
We found seven high risk internal control deficiencies, which might significantly affect agencies.	Recommendation Agencies should rectify high risk internal control deficiencies as a priority
1.3 Common findings
The most common internal control deficiencies related to poor or absent IT controls. We found some common governance deficiencies across multiple agencies.	Recommendation Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.

Issues

Recommendations

2.1 IT security

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

establish and enforce clear policies and procedures
review user access regularly
remove user access for terminated staff promptly
change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

only grant privileged access in line with the responsibilities of a position
review the level of access regularly
limit privileged access to necessary functions and data
monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

minimum password lengths and complexity requirements
limits on the number of failed log-in attempts
password history (such as the number of passwords remembered)
maximum and minimum password ages.

2.2 Cyber Security

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

2.3 Other IT systems

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

manage their major capital projects
dispose of existing assets.

Issues

Recommendations or conclusions

3.1 Capital investment

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

3.2 Capital projects

Major capital projects

Agencies’ major capital projects were underspent by 13 percent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

3.3. Asset disposals

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

Issues

Recommendations or conclusions

4.1 Governance arrangements

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

regular public disclosure of key performance information
disclosure of both positive and negative information
prompt reporting of significant issues.

4.2 Shared services

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

specify the controls a provider must maintain
specify key performance targets
include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Issues

Recommendations or conclusions

5.1 Ethical framework

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

5.2 Potential conflicts of interest

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

requiring senior executives to make a conflict-of-interest declaration at least annually
implementing processes to identify and address outstanding declarations
providing annual training to staff
maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Issues

Recommendations or conclusions

6.1 Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

'Risk Management Toolkit for the NSW Public Sector'
'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

6.2 Risk management elements

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

Conclusion

Agencies can improve their risk culture by:

setting an appropriate tone from the top
training all staff in effective risk management
ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.

15 December 2017

Published

Transport 2017

Transport

Asset valuation

Information technology

Internal controls and governance

Project management

The following report focuses on key observations and findings from the most recent financial statement audits of agencies in the Transport cluster.

Unqualified audit opinions were issued for all agencies' financial statements. However, the report notes the agencies can improve their asset revaluation processes.

1. Financial reporting and controls

Audit opinions	Unqualified audit opinions were issued for all agencies' financial statements.
Early close	Early close procedures continue to facilitate timely preparation of financial statements and completion of audits, but agencies can improve their asset revaluation processes. The revaluations were not completed by the early close deadline.
Key audit matters	The cluster corrected the value of rail tunnels and earthworks by recording an additional $8.5 billion in infrastructure assets.
Passenger revenue and patronage	Revenue increased by seven per cent at a similar rate to patronage. Opal fare structure changes came into effect on 5 September 2016. Continued rises in patronage can increase pressure on public transport punctuality.
Negative balances on Opal Cards	There was $2.6 million in revenue not collected during 2016–17 financial year through negative balance Opal Cards. This represents 0.2 per cent of total annual passenger revenue. Transport advise the cumulative balance of negative balance Opal Cards is $4.2 million as at 30 June 2017. Recommendation: Transport for NSW (TfNSW) should implement measures to prevent loss of revenue from passengers tapping off with negative balance Opal Cards.
Investment in infrastructure	Agencies spent $8.5 billion on assets in 2016–17 and have contractual capital commitments of $11.3 billion over the next five years.
Internal controls	IT systems user access administration remains an area of weakness.

2. Service Delivery

Punctuality	According to Transport data, average punctuality is above target for Sydney Trains, Ferries and Light Rail, but below target for NSW Trains services. State Transit Authority of NSW (STA) is not meeting punctuality targets. STA continued working with TfNSW on delivering improved punctuality.
Public transport capacity	Passenger crowding is above benchmark for many morning peak suburban rail services, as indicated by Transport data. Eleven of the 14 bus contract regions had full buses.
Bus crowding	There are no target measures on crowding for bus operators in any contract region. Recommendation: TfNSW should develop target measures on crowding for bus operators in all contract regions and publish the results.
Customer satisfaction	Surveys conducted by Transport indicate customer satisfaction exceeded target for all modes of public transport.

Confidence in public sector decision-making and transparency is enhanced when financial reporting is accurate and timely. Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies.

This chapter outlines our audit observations, conclusions or recommendations related to financial reporting and controls of Transport cluster agencies for 2016–17.

Observation	Conclusion or recommendation
Quality of financial reporting
Unqualified opinions were issued for all agencies’ financial statements.	Unqualified audit opinions were issued on the 2016–17 financial statements of all agencies in the Transport cluster. Agencies complied with the new disclosure requirements required under accounting standard AASB 124 'Related Party Disclosures'.
Old tunnels and earthworks valued.	The cluster corrected the value of rail tunnels and earthworks by recording an additional $8.5 billion in infrastructure assets.
Timeliness of financial reporting
Most agencies complied with the statutory timeframes for completion of early close procedures and preparation and audit of financial statements.	Early close procedures continue to facilitate timely preparation of financial statements and completion of audits, but agencies can make further improvement in the revaluation process.
TfNSW and RailCorp completed asset revaluations after the early close deadline.	While all revaluation matters were resolved and corrected, completing the revaluation process earlier would enable more timely review, identification and resolution of matters.
Passenger revenue, patronage and cost recovery
Revenue increased by 7 per cent at a similar rate to patronage.	Public transport passenger revenue increased by $93 million (seven per cent) in 2016–17, and patronage increased by 49 million (seven per cent) across all modes of transport. There were some changes in the method of calculating reported patronage between 2015–16 and 2016–17. If the methods had been consistent, the patronage increase would be 6.5 per cent. Opal fare structure changes came into effect on 5 September 2016.
Value of negative balance Opal Cards doubled since last year.	There was $2.6 million in revenue not collected during 2016–17 financial year through negative balance Opal Cards. This represents 0.2 per cent of total annual passenger revenue. Transport advise the cumulative balance of negative balance Opal Cards is $4.2 million as at 30 June 2017. Recommendation: TfNSW should implement measures to prevent the loss of revenue from passengers tapping off with negative balance Opal cards.
The overall cost recovery from users of public transport increased slightly to 21.3 per cent.	Cost of service per passenger journey for buses and ferries decreased. Revenue per passenger journey for all modes remained fairly stable.
Investment in infrastructure
There was a significant investment in transport assets in 2016–17.	Agencies spent $8.5 billion on assets in 2016–17, including $3.8 billion on rail systems and $3.8 billion on road and maritime infrastructure systems.
Transport cluster have capital commitment of $11.3 billion over the next five years.	The transport cluster has significant contractual commitments over the next five years on rail and road infrastructure projects.
Internal controls
User access administration over systems remains an area of weakness.	We identified six moderate and eight low risk issues related to user systems access administration across four agencies. This included review of highly privileged/super user account transactions not performed effectively and user access reviews not performed. These weaknesses increase the risk of users having excessive or unauthorised access to critical financial systems and information.

Achievement of government outcomes can be improved through effective delivery of the right mix of services, whether from the public, private or not‑for‑profit sectors. Service delivery reform will be most successful if there is clear accountability for service delivery outcomes, decisions are aligned to strategic direction and performance is monitored and evaluated.

This chapter outlines our audit observations, conclusions or recommendations related to service delivery in the Transport cluster agencies for 2016–17.

Observations	Conclusion or recommendation
Punctuality
Average punctuality is above target for Sydney Trains, but below target for NSW Trains services. Punctuality targets are not met by all bus operators.	Meeting punctuality targets is a continuing challenge for NSW Trains’ and STA bus services.
The 2017 performance audit 'Passenger Rail Punctuality' reported that based on forecast patronage increases, rail agencies will find it hard to maintain punctuality after 2019 unless the capacity of the network to carry trains and people is increased significantly.	The 2017 performance audit found that given the likely lead times involved with major infrastructure projects, there remains a significant risk of poor punctuality after 2019. Transport advised it is currently either delivering or planning rail network upgrades to address current growth and longer-term future demand. This includes investments such as procurement of suburban and intercity trains, Sydney Metro services and further timetable planning into the 2020s.
After reaching its punctuality target in 2015–16 for the first time in 13 years, NSW Trains regional services was below the target in 2016–17.	NSW Trains regional services achieved an average of 75 per cent punctuality in 2016–17, four per cent less than 2015–16.
The bus contracts do not have an option to impose financial penalties on STA for poor punctuality performance.	In 2015–16, we recommended TfNSW should consider including financial penalties for not meeting each punctuality KPI in future contracts with bus operators. An opportunity to implement the recommendation requires a contract renewal process to be finalised with STA, which did not occur during 2016–17.
Public transport capacity
There are no target measures on crowding for bus operators in any contract region.	Recommendation: TfNSW should develop target measures on crowding for bus operators in all contract regions and publish the results.
Customer Satisfaction
Customers on ferries continued to be most satisfied, followed by those on light rail. Sydney Trains and NSW Trains had fewer complaints in 2016–17.	Customer satisfaction exceeded target for all modes of transport.
Project management
Transport cluster manages many of the State high profile/high risk projects.	Major Transport projects include WestConnex, Sydney Metro Northwest, Sydney Metro City and Southwest, Woolgoolga to Ballina - Pacific Highway upgrade, NorthConnex, CBD and South East Light Rail and Newcastle Light Rail.
Safety performance
Road fatalities decreased by eight per cent between July 2016 and June 2017, from 390 to 359 deaths.	Road fatalities mainly involved speed, fatigue and vehicle occupants not wearing available restraints.
Maintenance
RMS’ maintenance backlog of $3.7 billion is higher than the $3.4 billion reported in 2016.	Transport cluster agencies manage $134 billion in property, plant and equipment. The total backlog maintenance of $4.1 billion at 30 June 2017 represents 3.1 per cent of those assets.

14 December 2017

Published

Report on Education 2017

Education

Financial reporting

Internal controls and governance

Management and administration

Procurement

Project management

Workforce and capability

The Auditor-General, Margaret Crawford released her report on the results of the financial audits of agencies in the Education cluster. The report focuses on key observations and findings from the most recent audits of these agencies.

'I am pleased to report that unqualified audit opinions were issued on the financial statements for all agencies in the Education cluster', the Auditor-General said. 'The quality and timeliness of financial reporting remains strong'.

21 November 2017

Published

Central Agencies 2017

Finance

Premier and Cabinet

Asset valuation

Compliance

Financial reporting

Fraud

Information technology

Internal controls and governance

Project management

This report highlights the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters.

The report includes a range of findings in respect to service delivery. One repeat finding is that while the Government regularly reports on the 12 Premier's priorities, there is no comprehensive reporting on the 18 State priorities.

1. Financial reporting and controls

Audit Opinions	Unqualified audit opinions were issued for all agencies' 30 June 2017 financial statements.
Early close	Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement.
Deficient user administration access	User access administration over financial systems remains an area of weakness. Agencies need to strengthen user access administration to critical systems.
Transitioning to outsourced service providers	Transitioning of services to outsourced service providers can be improved. Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks.

2. Service delivery

Premier and State Priorities	A comprehensive report of performance against the 18 State Priorities is yet to be published. While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency.
ICT and digital government	The Digital Government Strategy was released in May 2017. Targets will need to be set to assess and monitor progress against the Strategy.
Digital information security	Not all agencies are complying with the NSW Government's information security policy. This increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.
Property and asset utilisation	Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

3. Government financial services

Prudential oversight of NSW Government superannuation funds	Prudential oversight of SAS Trustee Corporation Pooled Fund and Parliamentary Contributory Superannuation Fund has not been prescribed. Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments in excess of $42.4 billion.
Green slip scheme affordability	Currently, Green Slips in NSW are the most expensive in Australia. However, CTP reforms are expected to reduce the cost of Green Slips.

This report sets out the results of the 30 June 2017 financial statement audits of NSW Government's central agencies and their cluster agencies.

Central agencies play a key role in ensuring policy coordination, good administrative and people management practices and prudent fiscal management. The central agencies and their key responsibilities are set out below.

Confidence in public sector decision‑making and transparency is enhanced when financial reporting is accurate and timely. Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. This chapter outlines our audit observations, conclusions or recommendations related to financial reporting and controls of agencies for 2016–17.

Observation	Conclusion or recommendation
2.1 Quality of financial reporting
Unqualified audit opinions were issued for all agency financial statements.	The quality of financial reporting continues to remain strong across the clusters.
2.2 Timeliness of financial reporting
Most agencies complied with the statutory timeframes for completion of early close procedures and preparation and audit of financial statements.	Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement.
2.3 Financial performance and sustainability
We assessed the performance of agencies listed in Appendix six against some key financial sustainability indicators. This highlighted two agencies with negative operating margins of more than ten per cent and one agency with a liquidity ratio of less than 0.5.	These agencies have strategies in place to remain financially sustainability and manage their liquidity. Our analysis found that, overall, the agencies are not at high risk of sustainability concerns.
2.4 Internal Controls
User access administration over financial systems remains an area of weakness. Sixteen moderate risk and ten low risk issues related to user access administration across eight agencies were identified.	Recommendation: Agencies should review user access administration to critical systems to ensure: policies for user access creation, modification and deactivation are documented approval is being obtained to establish, modify or delete user accounts regular user access reviews are performed and highly privileged user account activity is logged and monitored evidence of review is maintained.
Transitioning of services to outsourced service providers can be improved. Our 2016–17 audits identified one high risk issue relating to Property NSW's outsourcing of property and facility management services to the private sector. While a high risk issue was identified in 2015–16 from the Department of Finance, Services and Innovation's outsourcing of transactional and information technology services to GovConnect there has been an improvement in GovConnect's internal control environment throughout 2016–17.	Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks. The transition needs to be carefully managed and requires thorough planning and effective project governance. This should be supported by oversight and direction from senior management and independent project assurance.
2.5 Human Resources
The percentage of full‑time equivalent staff with annual leave greater than 30 days in the Finance, Services and Innovation, Premier and Cabinet and the Treasury clusters is 7.9 per cent, 17.1 per cent and 18.4 per cent respectively.	Agencies have strategies in place to reduce annual leave balances that are greater than 30 days. The effectiveness of these strategies will need to be monitored to ensure they are helping to achieve the desired outcome.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17.

Observation	Conclusion or recommendation
3.1 Premier and State priorities
The Department of Premier and Cabinet monitors the achievement of targets and the implementation of initiatives to deliver the 12 Premier’s Priorities. Responsible ministers and agencies manage the 18 State Priorities. A comprehensive report of performance against the 18 State Priorities is yet to be published.	While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency. Where possible, independent sources are used to measure performance, however without independent assurance there is an increased risk that the target measures are inaccurate, not relevant or do not fairly represent actual performance.
Performance against the State Priority to make NSW the easiest state to start a business is not currently published. A key aspect of making NSW the easiest state to start a business is making regulatory obligations easier to understand and implement.	Initiatives, such as easy to do business and red tape reduction are in place to help achieve this priority. The regulatory policy framework is under review following an October 2016 performance audit on ‘Red tape reduction’ that found the regulatory burden of legislation had increased.
3.2 Financial management
Revenue NSW earned record crown revenue of $30.0 billion in 2016–17 to support the state's finances.	Record crown revenue has been driven by the sustained increase in duties revenue, which has increased by 93.7 per cent over the last five years. This is a consequence of the continued strength in the property market over this time and large one off NSW Government business asset sales and leases.
3.3 ICT and digital government
The Digital Government Strategy (the Strategy) was released in May 2017 to build on reforms set out in previous ICT strategies.	The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy.
The Digital Information Security Policy (DISP) is a key tool that helps ensure a minimum set of information security controls are implemented across NSW Government agencies. A review of 2016 annual reports found 15 agencies (13 in 2015) did not attest to compliance with the DISP and of the agencies that attested to compliance, 34 reported issues associated with their compliance.	The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy. Failure to comply with the DISP increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.
3.4 Property and asset utilisation
Property NSW's performance reporting could be improved. M2012-20 'Government Property NSW and Government Property Principles' required Property NSW to set key performance indicators to measure property and asset utilisation performance.	Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation	Conclusion or recommendation
4.1 Key issues
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). Amendments to relevant legislation allows the Minister for Finance, Services and Property to prescribe applicable prudential standards and audit requirements.	Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments of more than $42.4 billion. Recommendation: The Treasury should liaise with the respective Trustees to implement appropriate prudential standards and oversight arrangements for the exempt public sector superannuation funds.
Currently, Green Slips in NSW are the most expensive in Australia. Average premiums for Sydney Metropolitan vehicles increased by 10.4 per cent between 1 January 2016 and 31 December 2016.	CTP reforms are expected to reduce the cost of Green Slips. The State Insurance Regulatory Authority will need to ensure it has appropriate processes in place to track and report against the expected benefits.
4.2 Financial performance and sustainability
Net unfunded superannuation liabilities were $15.0 billion at 30 June 2017. Under the Fiscal Responsibility Act 2012, the NSW Government’s target is to eliminate unfunded superannuation liabilities by 2030.	The superannuation funds’ strategic asset allocation and investment strategies are monitored and adjusted to help achieve a fully funded position by 2030.
The Home Warranty Scheme commenced in 2011. Over this time total premiums collected have not been sufficient to cover expected claim costs.	Funding arrangements introduced during 2016–17 allow the Home Building Compensation Fund to apply to the Crown for reimbursement of unfunded realised losses from under-pricing of premiums. Other reforms are planned to address the long term sustainability of the home building compensation scheme.
4.3 Investment performance
The NSW Government’s main superannuation funds have maintained the management expense ratio (MER) at consistent levels over the past two years. The Parliamentary Contributory Superannuation (PCS) Fund does not set an MER target.	MER is an industry recognised ratio to measure the performance of funds and investment managers. Recommendation: The Fund Secretary for the PCS Fund, in conjunction with the Trustee, should consider establishing an appropriate management expense ratio target to measure performance.