Main navigation

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

17 December 2020

Published

One TAFE NSW modernisation program

Education

Finance

Management and administration

Project management

Shared services and collaboration

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the management of the One TAFE NSW modernisation program.

In 2016, the Government released 'A Vision for TAFE NSW' which stated that TAFE NSW needed to become more flexible, efficient and competitive. It set out the need to progressively reduce significant cost inefficiencies, including by moving away from separate institutes to a single institute model. TAFE NSW established the One TAFE NSW modernisation program to deliver on that vision.

The Auditor General found that the One TAFE NSW modernisation program did not deliver against its key objectives within planned timeframes. The modernisation program originally aimed to realise $250 million in annual savings from 2018–19. Because of project delays and higher than expected transition costs, TAFE NSW did not meet the original savings target. TAFE NSW has made progress on key elements of the program and anticipates that savings will be realised in coming years.

The report makes two recommendations to improve governance arrangements for delivering on commercial objectives and increasing transparency of non commercial activities.

The report also identifies a series of lessons for future government transformation programs.

TAFE NSW is the public provider of Vocational Education and Training (VET) in New South Wales. In 2018, TAFE NSW enrolled 436,000 students in more than 1,200 courses at around 130 locations across the State.

There have been major policy changes impacting TAFE NSW over the past decade. Under the Smart and Skilled reform, TAFE NSW started to compete with other Registered Training Organisations (RTOs) for a share of the student market.

In 2016, the NSW Government released 'A Vision for TAFE NSW'. The Vision stated that a failure to adapt to market circumstances had left TAFE NSW with unsustainable costs and inefficiencies. To address this, TAFE NSW needed to become more flexible, efficient and competitive. It set out that TAFE NSW must progressively reduce significant cost inefficiencies, including by moving away from a model of separate institutes to a One TAFE NSW model. The NSW Government set TAFE NSW a target to achieve savings through implementing the Vision.

TAFE NSW established the One TAFE NSW modernisation program to deliver on that vision. The program initially aimed to deliver savings of $250 million per year from 2018–19, but this target was reviewed and updated as the program was being delivered.

This audit assessed whether TAFE NSW effectively managed the One TAFE NSW modernisation program to deliver on the NSW Government's vision for TAFE NSW. In making this assessment, the audit examined whether:

delivery of the program was well planned
the program was driven by sound governance arrangements
TAFE NSW is making progress against the intended outcomes of the program.

The audit focused on the effectiveness of planning, governance and reporting arrangements. It examined five projects within the overall modernisation program as case studies.

Conclusion

The One TAFE NSW modernisation program was an ambitious plan to deliver on the NSW Government’s vision for TAFE NSW, while achieving ongoing savings. Several factors contributed to TAFE NSW not effectively managing the program to deliver on planned timeframes and objectives. These factors include unclear expectations of the primary role of TAFE NSW, unrealistic timeframes, undertaking a large number of complex projects concurrently, governance arrangements that were not fit-for-purpose and poor-quality data.

Planning for the modernisation program and its projects was driven by top-down savings targets and pre-determined timeframes. This led to TAFE NSW attempting to deliver a large number of programs concurrently within tight timeframes. Program management capability was underdeveloped at the commencement of the program and this affected the quality of planning for delivery.

There was a lack of clarity around TAFE NSW's primary purpose. Part of the NSW Government's vision for TAFE NSW was for it to be more commercial, competitive and efficient. These objectives were not fully supported by existing legislation. The commercial objectives of the modernisation program conflicted with legislated social objectives for TAFE NSW. TAFE NSW did not have the autonomy to operate like a government-owned business in a market environment. And while TAFE NSW received separate funding to support students facing disadvantage this did not cover the costs of other non-commercial activities undertaken for social purposes, such as delivering uneconomic courses. The role of the TAFE Commission Board was ambiguous during the initial years of the program, which increased reporting requirements and blurred accountabilities for decision-making.

TAFE NSW's Strategic Plan 2016-22 nominated ten key milestones for delivery by January 2019. TAFE NSW has made progress against several important milestones, including that TAFE ‘is a single TAFE NSW brand’ and has 'industry specific TAFE NSW SkillsPoints'. Other key elements have yet to be delivered, including that TAFE NSW achieves 'integrated enterprise-wide business systems'. Because of delays to projects and higher than expected transition costs, TAFE NSW reported that it did not meet the originally targeted $250 million in annual savings for 2018–19 (which was reviewed and updated as the program was being delivered).

Appendix three – Performance auditing

Parliamentary reference - Report number #346 - released 17 December 2020

10 December 2020

Published

Central Agencies 2020

Premier and Cabinet

Treasury

Financial reporting

Internal controls and governance

Management and administration

Risk

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

Audit opinions and timeliness of reporting	Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified. All agencies met statutory deadlines for submitting financial statements.
Agencies were financially impacted by recent emergency events	The NSW Government allocated $1.4 billion to provide small business support and bushfire recovery relief, support COVID-19 quarantine compliance management, recruit more staff to respond to increased customer demand, and meet additional COVID-19 cleaning requirements. Agencies spent $901 million (64 per cent of the allocated funding) for the financial year ended 30 June 2020. NSW Self Insurance Corporation reported an increase of $850 million in its liability for claims related to emergency events.
AASB 16 'Leases' resulted in significant changes to agencies' financial position	The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected.
Implementation of new revenue standards	NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue, which have been corrected in the final financial statements.

2. Audit observations

Management letter findings and repeat issues	Our 2019–20 audits identified nine high risk and 122 moderate risk issues across central agencies and the Legislature. The high risk issues were identified in the audits of: Insurance and Care NSW New South Wales Government Telecommunications Authority Rental Bond Board Independent Commission Against Corruption NSW Treasury Crown Entity Department of Premier and Cabinet. High risk findings include: Insurance and Care NSW (icare) allocates service costs to the Workers Compensation Nominal Insurer, and the other schemes it supports. The documentation supporting cost allocations does not demonstrate how these allocations reflect actual costs. There is a risk of the Workers Compensation Nominal Insurer being overcharged. New South Wales Government Telecommunications Authority's delay in capitalisation and valuation of material capital projects; and insufficient work performed to implement the new accounting standard AASB 16 ‘Leases’. NSW Treasury's four-year plan to transition RailCorp to a for-profit State Owned Corporation called Transport Asset Holding Entity of New South Wales (TAHE) by 1 July 2019, remains to be implemented. On 1 July 2020, RailCorp converted to TAHE. A large portion of the planned arrangements are still to be implemented. As at the time of the audit, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements were not finalised. In the absence of commercial arrangements with the public rail operators, there is a lack of evidence to demonstrate TAHE’s ability to create a commercial return in the long term. This matter has been included as a high risk finding in our management letter as there may be financial reporting implications to the State if TAHE does not generate a commercial return for its shareholders in line with the original intent. NSW Treasury and TAHE should ensure the commercial arrangements, operating model and SCI are finalised in 2020–21. Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records.
Grants administration for disaster relief	Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by emergency events for the financial year ended 30 June 2020. A performance audit of grants administration for disaster relief is planned for 2020–21. It will assess whether grants programs administered under the Small Business Support Fund were effectively designed and implemented to provide disaster relief.
Internal controls at GovConnect NSW service providers require enhancement	GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued: unqualified opinions on information technology and business process controls at Infosys and Unisys, but there was an increase in control deficiencies identified in the user access controls at these service providers a qualified opinion on DCS's information technology (IT) security monitoring controls because security tools were not implemented and monitored for the entire financial year. Responsibility for IT security monitoring transitioned from Unisys to DCS in 2019–20. These control deficiencies can increase the risk of fraud and inappropriate use of sensitive data. These may impact on the ability of agencies to detect and respond to a cyber incident. Recommendation: We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority.
The NSW Public Sector's cyber security resilience needs to improve	The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8. Repeat recommendation: Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency
Three Insurance and Care NSW (icare) entities had net asset deficiencies at 30 June 2020	The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. These icare entities did not hold sufficient assets to meet the estimated present value of all of their future payment obligations at 30 June 2020. The deterioration in net assets was largely due to increases in outstanding claims liabilities. Notwithstanding the overall net asset deficiencies, the financial statements for these entities were prepared on a going concern basis. This is because future payment obligations are not all due within the next 12 months. Settlement is instead expected to occur over years into the future, depending on the nature of the benefits provided by each scheme.
icare has not been able to demonstrate that its allocation of costs reflects the actual costs incurred by the Workers Compensation Nominal Insurer and other schemes	Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements. Recommendation: icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs.
icare did not comply with GIPA requirements	icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20 and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020.
Implementation of Machinery of Government (MoG) changes	MoG changes impacted the governance and business processes of some agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG implementation processes at Infrastructure NSW and in the Customer Service cluster.

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Section highlights

Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. All agencies met the statutory deadlines for submitting their financial statements.
The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified as a result of a payment made without a Treasurer's delegation.
Agencies were impacted by emergency events during 2019–20. This included additional grants to fund specific deliverables.
The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected.
NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue in the financial statements. These misstatements were due to incorrect revenue calculations performed by the Transport agencies. The Crown Entity relies on information from Transport agencies as they are responsible for carrying out the State’s contractual obligations for Commonwealth funded transport projects. The extent of misstatements could have been reduced with more robust quality review processes in place by Treasury and Transport.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Section highlights

The 2019–20 audits identified nine high risk and 122 moderate risk issues across the agencies. Of the 122 moderate risk issues, 44 (36 per cent) were repeat issues. The most common repeat issue relates to weaknesses in controls over information technology user access administration.
Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by these emergency events for the financial year ended 30 June 2020.
GovConnect NSW engaged an independent auditor (the service auditor) from the private sector to evaluate the internal controls of its service providers. DCS's information technology security monitoring controls were qualified by the service auditor because security tools were not implemented and monitored for the entire financial year. These may impact on the ability of agencies to detect and respond to a cyber incident.
NSW Government agency self-assessment results show that the NSW Public Sector's cyber security resilience needs urgent attention.
The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. The financial statements for these entities continued to be prepared on a going concern basis as their liabilities are not all due for settlement within the next 12 months.
icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20, and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020.
Machinery of Government (MoG) changes impacted the governance and business processes of affected agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG changes at Infrastructure NSW and in the Customer Service cluster.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

26 November 2020

Published

Education 2020

Education

Asset valuation

Compliance

Financial reporting

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford, released a report today titled Education 2020. This report focuses on key observations and findings from the most recent audits of agencies in the Education cluster.

Unqualified audit opinions were issued for all cluster agencies’ financial statements. However, internal control deficiencies were identified across the cluster agencies, including deficiencies in the management of purchasing cards and 15 internal control issues that were repeated from the previous year.

The 2019–20 natural disasters caused widespread damage in both Northern and Southern NSW. The COVID‑19 pandemic further challenged agencies, requiring social distancing and other infection control measures which disrupted the traditional means of teaching students. Agencies have adjusted their operations to respond to these emergency events.

The TAFE Commission’s revenues 2019–20 were impacted by the pandemic. Lower enrolments and an increase in fee-free short courses offered during the year contributed to the result.

Read the PDF report

This report analyses the results of our audits of financial statements of entities within the Education cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.

1. Financial reporting

Audit opinions	Unqualified audit opinions were issued for all cluster agencies' 30 June 2020 financial statements audits.
New accounting standards	Agencies implemented three new accounting standards during the year. Our financial statement audits of the Department of Education (the Department) and NSW Education Standards Authority (NESA) identified issues with the leasing information provided by Property NSW (PNSW). Despite the outsourcing arrangement, both the Department and NESA remain ultimately responsible for the completeness and accuracy of this information, which would have benefited from a more thorough quality assurance, validation and review process before they placed reliance upon it. Recommendation: We recommend the Department and NESA: quality assure and validate the information provided by PNSW ensure changes made by PNSW to lease data are supported and that assumptions and judgements applied are appropriate document their review of the data supplied.
Changes were made to the financial reporting requirements this year to account for the impact of the pandemic	Emergency legislation was enacted during the year in response to the COVID-19 pandemic. The legislation revised the statutory reporting deadlines for agencies to submit their financial statements and allowed the Treasurer to continue authorising payments from the consolidated fund until the enactment of the 2020–21 budget. All cluster agencies prepared their financial statements on a going concern basis and submitted their financial statements within the revised statutory deadlines. The State provided $159.0 million in stimulus funding to support the operations of cluster agencies during emergency events. Nearly half of this funding was to support cleaning activities by the Department and the Technical and Further Education Commission (the TAFE Commission) during the COVID-19 pandemic.
Quality and timeliness of financial reporting	The number of monetary misstatements identified in agencies' financial statements decreased to 14 (23 in 2018–19). While the number of corrections made to the financial statements after the submission date increased to eight (two in 2018–19), it is important to note these corrections provide parliament and other users of the financial statements increased confidence in the accuracy and presentation of agencies' performance and financial position.
Sustainability of cluster agencies	The TAFE Commission's enrolments declined, and operating margins reduced, both being impacted by the COVID-19 pandemic.

2. Audit observations

Internal control deficiencies	We identified 33 internal control issues, including 15 findings that were repeated from previous years. A high-risk issue was reported at the Department relating to the inadequate monitoring and follow up of privileged user activity in its enterprise resource planning system – SAP. Repeat findings relate to ongoing deficiencies in information technology controls and management policies, practices and procedures. Recommendation: Cluster agencies should: prioritise and action recommendations to address internal control deficiencies review and confirm the appropriateness of existing privileged user access accounts implement a rigorous monitoring regime to ensure that any improper use of privileged user accounts can be detected in a timely manner.
Agency responses to emergency events	The Department established a separate bushfire relief directorate and COVID-19 Taskforce to assist and support school communities in response to recent emergencies. Other cluster agencies have established committees or response teams to oversee and address all aspects of the impact of COVID-19.
Schools review 2019	We continue to identify instances of non-compliance in relation to cash management and procurement at schools.
Use of purchasing cards at the Department of Education	Since 2015, the NSW Government has encouraged the use of purchasing cards by public sector agencies. Purchasing cards are efficient to transact low value, high volume procurement of goods and services, but the use must be effectively monitored. Our review of the Department's purchasing cards identified weaknesses in its oversight and monitoring controls, including the issue and cancellation of purchasing cards Opportunities exist for the Department to better monitor card use. Tools such as data analytics are an efficient and effective detective control to identify irregular activity or misuse by cardholders. Recommendation: The Department should: improve the accuracy and completeness of exit procedures for terminated employees to ensure cards are returned and cancelled perform periodic reviews to ensure active cards are held only by current employees set transaction limits that do not exceed the limits of the user’s financial delegation establish a data analytics regime to help analyse and identify high risk patterns and anomalies in their purchasing card usage, augmenting their existing monitoring and detective controls.

This report provides parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
the impact of emergencies and the COVID-19 pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:

allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – supporting the going concern assessments of cluster agencies
revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
exempted certain statutory bodies and departments from preparing financial statements.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster for 2020, including any financial implications from the recent emergency events.

Section highlights

Unqualified audit opinions were issued on the financial statements of cluster agencies.

All cluster agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements.

Emergency legislation allowing the Treasurer to continue authorising payments from the consolidated fund under the existing Appropriations Act enabled cluster agencies to prepare financial statements on a going concern basis.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

observations and insights from our financial statement audits of agencies in the Education cluster. It also comments on our review of elements of the financial control framework applied by schools in NSW whose financial results form part of the Department of Education's (the Department) financial statements.
assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Section highlights

A high-risk issue regarding inadequate monitoring of privileged user access was identified at the Department.
We continue to observe issues by schools in relation to cash management and non-compliance with procurement guidelines and purchasing card use.
Opportunities exist for the Department and cluster agencies to enhance their monitoring and review of purchasing card activities. Tools such as data analytics procedures provide an efficient and effective detective control, particularly when used in conjunction with independent spot-checks.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 and 2018 recommendations

Appendix three – Financial data

Copyright notice

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

20 October 2020

Published

The effectiveness of the financial arrangements and management practices in four integrity agencies

Premier and Cabinet

Treasury

Management and administration

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of the financial arrangements and management practices of four integrity agencies: the Independent Commission Against Corruption, the NSW Electoral Commission, the NSW Ombudsman, and the Law Enforcement Conduct Commission. The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding. The Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

The audit found that the current approach to determining and administering annual funding for the integrity agencies presents threats to their independent status. The approach used by NSW Treasury and DPC is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies. Specific mechanisms that present threats to the independence of the integrity agencies include the absence of transparency in decisions about funding for the integrity agencies, the means of applying efficiency dividends and budget savings and reform measures, the process of providing additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

The Auditor-General outlined the principles that inform the report’s recommendations in order to strengthen the financial arrangements for the integrity agencies. These principles are:

There should be structured oversight by Parliament of the performance and financial management of the integrity agencies.
Parliament’s role in the budget process should be expanded to ensure Cabinet is provided with more independent advice on the funding requirements for the integrity agencies.
There should be transparency to Parliament and the relevant agency for decisions made about funding for the integrity agencies.
The integrity agencies should be required to demonstrate their accountability as prudent managers of their financial resources.

The report also notes that the NSW Parliament should be consulted when considering the report’s recommendations.

Appendix one – Response from agencies

This audit examined the effectiveness of the financial arrangements and management practices of four integrity agencies. It was conducted with reference to the legislative and Constitutional framework that is currently in place for financial management in New South Wales.

This report appropriately recognises that the government of the day is responsible for the prudent and responsible management of the state’s finances. It identifies several areas of ambiguity in the way the current financial arrangements apply to the integrity agencies that are the subject of this audit. It also highlights threats to the independence of the integrity agencies that may arise from the involvement of the Executive Government in the decision making about funding. The report argues these risks are not mitigated sufficiently under the current financial arrangements.

The recommendations in this report outline the principles that should inform the financial arrangements for the integrity agencies. Consistent with the Audit Office of NSW’s role in auditing NSW Government departments and agencies, the recommendations are directed to NSW Treasury and the Department of Premier and Cabinet. However, the report recognises that the current role of these entities in the funding arrangements for the integrity agencies poses a threat to their independence. Consequently, it is important to recognise the important role of the NSW Parliament in determining the appropriate funding model for the integrity agencies. The audited agencies should consult closely with the NSW Parliament when considering these recommendations to ensure the views of Parliament are reflected appropriately in any changes arising from the implementation of these recommendations. This recognises the appropriate role of the NSW Parliament in safeguarding the independence of its integrity agencies.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding.

The NSW Government, through the Treasurer, is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. The annual budget is the primary process that the NSW Government uses for financial management. Decisions about funding for the integrity agencies are made through this budget process. NSW Treasury provides guidance to all government departments and agencies, including the integrity agencies that are the focus of this audit, on the Government’s priorities for the budget. NSW Treasury also reviews and provides advice to the Expenditure Review Committee of Cabinet on proposals for funding through the budget.

The integrity agencies are subject to the application of ‘efficiency dividends’ and ‘budget savings and reform measures’, which limit their access to the full funding that has been approved by Parliament. NSW Treasury and DPC manage the application of these limits to the integrity agencies. The integrity agencies are grouped within the DPC ‘cluster’, which is an administrative arrangement created by the NSW Government. Clusters do not have legal status but are used for administrative and financial management. DPC has provided additional funding during the financial year to some of the integrity agencies in the years covered in this audit. DPC also oversees the involvement of the integrity agencies in developing and reporting on their outcomes. This is a requirement of NSW Treasury’s outcome budgeting reforms, which are currently being implemented.

Each of the integrity agencies is overseen by a parliamentary committee that includes members of both houses of the NSW Parliament. These committees are responsible for reviewing the performance of the integrity agencies that they oversee. They do not have a role in funding decisions. ICAC and LECC each have additional oversight from an Inspector. The Inspector of the ICAC’s role is to oversee the operations and conduct of ICAC to ensure that it complies with the law. The Inspector of the LECC’s role is to oversee the way LECC carries out its functions, with a focus on the legality of LECC’s use of its powers. Neither of these Inspectors has a role in funding decisions.

The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:

not considering or commenting on the financial arrangements for our office
requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies. The inquiry includes the four integrity agencies that are the subject of this audit and our office
seeking independent legal advice on the framework for the financial arrangements for the integrity agencies
using additional internal review processes to provide quality assurance to audit conclusions.

Conclusion

The current approach to determining annual funding for the integrity agencies presents threats to their independent status. The approach is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies.

The government of the day is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. Accordingly, the government of the day has a central role in decisions about funding for departments and agencies and in determining the financial management processes to be applied. This is clearly established in the legislative framework and conventions for managing public funds in New South Wales. This system is primarily designed to determine the funding for departments and agencies that are responsible to ministers. It is less appropriate for integrity agencies because it does not provide additional protection against the risk that funding decisions could be influenced by previous or planned investigations by the integrity agencies. This risk has the potential to limit the ability of the integrity agencies to fulfil their legislative mandate. The extent and nature of this risk differs for each of the integrity agencies. This is outlined in the key findings section below and described in detail in Chapters 2–5 of this report.

Aspects of the financial management mechanisms used to administer funding for the integrity agencies create tensions with their independent status. These mechanisms include the means of applying efficiency dividends and budget savings and reform measures, the provision of additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures to the integrity agencies. This results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC focus on the fact that the Appropriation Act provides funding for the integrity agencies to a Premier, rather than the agency, and does not state that a Premier must provide the full amount of funding approved to the agency. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative interpretation of the Appropriation Act would consider factors specific to the integrity agencies that differentiate them from other agencies subject to these measures. These factors include that the integrity agencies are independent of ministerial control, accountable to Parliament for performing specific legislated functions, and some may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is used, then the reduction of the integrity agencies’ access to appropriation funding approved by Parliament could diminish the independent status of the integrity agencies and limit their ability to fulfil their legislative mandate.

DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019 (the Act), because of a change to the Act compared to previous appropriation legislation. The additional funding that was provided to ICAC in 2019–20 by DPC had been appropriated to DPC under Part 2 of the Act. The Act specified that funding appropriated under Part 2 could only be used for the purposes specified in that Part. ICAC receives its appropriation under Part 4 of the Act. It is contestable as to whether the purpose of an appropriation under Part 2 of the Act would include providing funding for an agency that receives an appropriation under another part of the Act.

The integrity agencies have been asked to report on activities and outcomes to DPC as part of the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier.

Our audit also assessed the integrity agencies’ systems for planning, budgeting and monitoring the efficiency of their work. We did not find major deficiencies in the management practices of the integrity agencies. We did identify opportunities for improvement in each agency. These are specific to the circumstances of each agency and are outlined in the key findings section below and Chapters 2–5 of this report.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments have a role in the financial arrangements for the integrity agencies. NSW Treasury manages the budget process that determines the annual funding for the integrity agencies. DPC has a role in managing access to this funding because the integrity agencies are placed within the DPC ‘cluster’.

not considering or commenting on the financial arrangements for our office
requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies and the NSW Parliament, including the four integrity agencies in this audit and our office
seeking independent legal advice on the framework for the financial arrangements of the four integrity agencies in this audit
using additional internal review processes to provide quality assurance to audit conclusions.

Conclusion

Financial arrangements for ICAC

ICAC's main functions are to investigate and prevent corruption in the public sector. Its legislation establishes it as an independent agency that is accountable to Parliament.

Decisions about the annual appropriation for ICAC are made by the Cabinet, with advice from NSW Treasury. Members of Cabinet or NSW Treasury could be involved in or affected by an ICAC investigation. There is no independent advice to Cabinet on ICAC’s funding requirements and there is no transparency to Parliament about the reasons for decisions made about ICAC’s budget. The absence of these safeguards in the current financial arrangements creates a threat to ICAC’s independence and have the potential to limit its ability to fulfil its legislative mandate.

ICAC submitted budget proposals seeking increases to its appropriation funding in several recent years. The budget proposals related to funding to expand its workforce to respond to increases in the volume and complexity of its work. Some of these proposals were rejected without reasons being provided. There are no formal mechanisms available to ICAC to question or challenge these decisions. The process available to ICAC to request additional funding outside the annual budget creates further risks to its independence.

ICAC’s management practices

ICAC’s staff use structured processes for prioritising work against its legislative mandate and it has conducted recent reviews to assess its operational efficiency. ICAC's internal budgeting processes are adequate but could be improved with better documentation of the reasons for its budget decisions.

Conclusion

Financial arrangements for NSWEC

NSWEC conducts elections and is responsible for maintaining the integrity of the electoral system in New South Wales. NSWEC’s legislation states that it should conduct elections and investigate potential breaches of electoral law independently and be accountable to Parliament. Decisions about the annual appropriation for NSWEC are made by the Cabinet. It is possible that NSWEC’s investigations of electoral integrity could include members of Cabinet or the political party that holds government. There is a risk that decisions about its funding could be influenced by the conduct of these investigations. If realised, this would be a threat to NSWEC’s independence and ability to fulfil its legislative mandate. NSWEC has not received the full funding amount it has requested in recent years. There is inadequate transparency about how funding decisions were made and there are no formal mechanisms to question or challenge these decisions.

The conduct of elections is a key element of a democratic system and under-funding this function could have serious implications. NSWEC’s requests for additional appropriation funding are assessed alongside the priorities of the government of the day. Its role transcends these immediate priorities and there is a risk that its funding requirements may not be prioritised.

NSWEC’s management practices

NSWEC’s internal budgeting processes and efficiency programs are clear and well documented. NSWEC has identified options to improve its operational and corporate efficiency but has not implemented all of these.

Conclusion

Financial arrangements for NSWO

NSWO oversees government agencies and some government-funded private sector bodies that provide services to the community or exercise administrative functions. NSWO’s legislation makes it clear that it should operate independently of the agencies it oversees and be accountable to Parliament.

NSWO’s investigations do not include members of Cabinet, except in relation to Public Interest Disclosures made about a minister, so the risk that decisions about its budget could be affected by its investigations is relatively lower. However, NSWO's investigations can comment on and make recommendations about government policies, which may have been endorsed by Cabinet or an individual minister, and its investigations cover systemic issues for which ministers and the heads of government departments are responsible. NSWO faces a further challenge in its ability to make compelling budget proposals under the current financial arrangements. Its funding requests are assessed alongside the government’s priorities, but its work is unlikely to align directly with these priorities.

NSWO’s management practices

NSWO has assessed its operational and corporate efficiency recently and has implemented major changes to its operating model in response to this. Its internal budgeting process is adequate but could be improved by being documented more thoroughly.

Conclusion

Financial arrangements for LECC

LECC's main functions are to investigate allegations of misconduct by law enforcement and oversee police handing of complaints. LECC’s legislation states it should operate independently of the agencies it oversees and be accountable to Parliament. LECC’s jurisdiction does not include members of Cabinet, NSW Treasury or DPC. However, LECC’s investigations have the potential to have a negative impact on a Minister for Police, who is a member of Cabinet, and the government of the day. There is a risk that decision makers for LECC’s funding could be influenced by these considerations. While LECC has not sought increases to its appropriation funding in recent years, there are no formal mechanisms to question or challenge these decisions if it did have concerns about its funding in the future.

Unlike the other integrity agencies in this audit, LECC is not classified as a separate GSF agency under the Government Sector Finance Act 2018. This difference means that LECC has less independence from the Executive Government, because LECC would have to comply with a Treasurer’s Direction even if it believes it is not consistent with the independent exercise of its functions.

LECC's management practices

LECC's internal budgeting processes are clear and documented and it has identified and implemented operational and corporate efficiency savings in several areas. LECC published a new strategic plan in July 2020. Over the first three years of its operations since 2017, LECC had not conducted effective strategic planning which made it difficult for LECC to demonstrate that it had a cohesive approach to its operations across the agency during this time.

Conclusion

Aspects of the financial management mechanisms used by NSW Treasury and DPC to administer funding for the integrity agencies create tensions with their independent status.

NSW Treasury and DPC have administered efficiency dividends and budget savings and reform measures which results in the integrity agencies not being able to access the full funding approved by Parliament. There are two competing interpretations of appropriation legislation that lead to different conclusions about whether there is a clear legal basis for doing this. NSW Treasury and DPC take the view that the Appropriation Act provides funding for the integrity agencies to a Premier and does not state that a Premier must provide the full amount of funding to the agencies. This interpretation leads to the view that a Premier can restrict access to appropriation funding that was approved by Parliament. An alternative approach to interpreting the Appropriation Act would consider the contextual factors specific to the integrity agencies. These factors include: the integrity agencies are independent of ministerial control, the integrity agencies are accountable to Parliament for performing specific legislated functions, and the integrity agencies may conduct investigations that involve a Premier, or DPC or NSW Treasury. If this alternative interpretation is accepted, then the reduction of the integrity agencies’ access to appropriation funding could diminish the independent status of the integrity agencies.

DPC has given additional funding to three of the integrity agencies in recent years in response to requests from the agencies. If the integrity agencies require additional funding during the year, the only mechanism available is to seek funding from DPC. This creates a potential threat to the independence of the integrity agencies. Asking DPC to make decisions about funding allocations between an integrity agency and another agency in the DPC cluster is inappropriate because DPC is not responsible for the functions or actions of an integrity agency. It is also possible that DPC could be the subject of an investigation conducted by an integrity agency. Separately, DPC’s provision of $2.5 million in additional funding to ICAC in 2019–20 may not have been consistent with the Appropriation Act 2019. The appropriations for DPC and ICAC were made under different parts of the Act. Appropriation funding can only be paid out for the purpose specified in each part of the Act. It is not clear whether it is permissible to transfer funding between agencies that receive appropriations from different Parts of the Act.

The integrity agencies have recently been asked to report activity and outcome measures to DPC, as the principal department for the cluster that they have been placed in, under the outcome budgeting reforms that are being implemented by NSW Treasury. This is inconsistent with their independent status because the integrity agencies are accountable to Parliament for their activities, not DPC or a Premier. DPC has advised that it considers the risks to the independence of the integrity agencies described above to be more theoretical than real.

Appendix three – Opinion from the Crown Solicitor’s Office

Copyright notice

24 July 2020

Published

Their Futures Matter

Justice

Community Services

Education

Health

Whole of Government

Cross-agency collaboration

Internal controls and governance

Management and administration

Project management

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Communities and Justice had effective governance and partnership arrangements in place to deliver ‘Their Futures Matter’.

Their Futures Matter was intended to place vulnerable children and families at the heart of services, and direct investment to where funding and programs deliver the greatest social and economic benefits. It was a four-year whole-of-government reform in response to the 2015 Tune Review of out-of-home care.

The Auditor-General found that while important foundations were put in place, and new programs trialled, the key objective to establish an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW was not achieved.

Governance and cross-agency partnership arrangements to deliver Their Futures Matter were found to be ineffective. 'Their Futures Matter lacked mechanisms to secure cross portfolio buy‑in and did not have authority to drive reprioritisation of government investment', the Auditor-General said.

At the reform’s close, the majority of around $380 million in investment funding remains tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives. The reform concluded on 30 June 2020 without a strategy or plan in place to achieve its intent.

The Auditor-General made four recommendations to the Department of Communities and Justice, aimed at improving implementation of outstanding objectives, revising governance arrangements, and utilising the new human services data set to address the intent of the reform. However, these recommendations respond only in part to the findings of the audit.

According to the Auditor-General, ‘Cross-portfolio leadership and action is required to ensure a whole-of-government response to delivering the objectives of Their Futures Matter to improve outcomes for vulnerable children, young people and their families in New South Wales.’

In 2016, the NSW Government launched 'Their Futures Matter' (TFM) - a whole-of-government reform aimed at delivering improved outcomes for vulnerable children, young people and their families. TFM was the government's key response to the 2015 Independent Review of Out of Home Care in New South Wales (known as 'the Tune Review').

The Tune Review found that, despite previous child protection reforms, the out of home care system was ineffective and unsustainable. It highlighted that the system was not client-centred and was failing to improve the long-term outcomes for vulnerable children and families. The review found that the greatest proportion of relevant expenditure was made in out of home care service delivery rather than in evidence-based early intervention strategies to support children and families when vulnerabilities first become evident to government services (such as missed school days or presentations to health services).

The then Department of Family and Community Services (FACS) designed the TFM reform initiatives, in consultation with central and human services agencies. A cross-agency board, senior officers group, and a new unit in the FACS cluster were established to drive the implementation of TFM. In the 2016–17 Budget, the government allocated $190 million over four years (2016–17 to 2019–20) to the reform. This resourced the design and commissioning of evidence-based pilots, data analytics work, staffing for the implementation unit and secretariat support for the board and cross-agency collaboration.

As part of the TFM reform, the Department of Premier and Cabinet, NSW Treasury and partnering agencies (NSW Health, Department of Education and Department of Justice) identified various existing programs that targeted vulnerable children and families (such as the preceding whole-of-government ‘Keep Them Safe’ reform coming to an end in June 2020). Funding for these programs, totalling $381 million in 2019–20, was combined to form a nominal ‘investment pool’. The government intended that the TFM Implementation Board would use this pool to direct and prioritise resource allocation to evidence-based interventions for vulnerable children and families in NSW.

This audit assessed whether TFM had effective governance and partnership arrangements in place to enable an evidence-based early intervention investment approach for vulnerable children and families in NSW. We addressed the audit objective with the following audit questions:

Was the TFM reform driven by effective governance arrangements?
Was the TFM reform supported by effective cross-agency collaboration?
Has the TFM reform generated an evidence base to inform a cross-agency investment approach in the future?

The audit did not seek to assess the outcomes for children, young people and families achieved by TFM programs and projects.

Conclusion

The governance and cross-agency partnership arrangements used to deliver the Their Futures Matter reform were ineffective. Important foundations were put in place, and new programs trialled over the reform's four years. However, an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW − the key objective of the reform − was not established. The reform concluded in June 2020 without a strategy or plan in place to achieve its intent.

The governance arrangements established for the Their Futures Matter (TFM) reform did not provide sufficient independence, authority and cross-agency clout to deliver on the reform’s intent. This hindered delivery of the reform's key elements, particularly the redirection of funding to evidence-based earlier intervention supports, and limited the impact that TFM could have on driving system change.

TFM increased focus on the contribution that other agencies outside of the former Family and Community Services portfolio could make in responding to the needs of vulnerable children and families, and in reducing the demand costs of related government service delivery. Despite being a whole-of-government reform, TFM lacked mechanisms to secure cross-portfolio buy-in and lacked the powers to drive reprioritisation of government investment in evidence-based and earlier intervention supports across agencies. At the reform’s close, the majority of the reform's investment pool funding remained tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives.

TFM began building an evidence base about ‘what works’, including piloting programs and creating a new dataset to identify risk factors for vulnerability and future costs to government. However, this evidence base does not yet comprehensively map how existing services meet needs, identify system duplications or gaps, nor demonstrate which government funded supports and interventions are most effective to make a difference to life outcomes for vulnerable children and families in NSW.
Despite these issues, the need, intent and vision for Their Futures Matter remains relevant and urgent, as issues identified in the Tune Review remain pertinent.

Their Futures Matter (TFM) is a whole-of-government reform to deliver improved outcomes for vulnerable children, young people and their families.

Supported by a cross-agency TFM Board, and the TFM Unit in the then Department of Family and Community Services (FACS), the reform aimed to develop whole-of-government evidence-based early intervention investment approaches for vulnerable children and families in NSW.

Governance refers to the structures, systems and practices that an organisation has in place to:

assign decision-making authorities and establish the organisation's strategic direction
oversee the delivery of its services, the implementation of its policies, and the monitoring and mitigation of its key risks
report on its performance in achieving intended results, and drive ongoing improvements.

We examined whether the TFM reform was driven by effective governance arrangements and cross-agency collaboration.

The reform agenda and timeframe set down for Their Futures Matter (TFM) were ambitious. This chapter assesses whether the TFM Board and TFM Unit had the capability, capacity and clout within government to deliver the reform agenda.

Creating a robust evidence base was important for Their Futures Matter, in order to:

identify effective intervention strategies to improve supports and outcomes for vulnerable children and families
make efficient use of taxpayer money to assist the maximum number of vulnerable children and families
inform the investment-based approach for future funding allocation.

This chapter assesses whether the TFM reform has developed an evidence base to inform cross-agency investment decisions.

Appendix two – TFM governance entities

Appendix three – TFM Human Services Data Set

Appendix four – TFM pilot programs

Appendix five – About the audit

Appendix six – Performance auditing

Copyright notice

Parliamentary reference - Report number #337 - released 24 July 2020

8 April 2020

Published

Local Schools, Local Decisions: needs-based equity funding

Education

Internal controls and governance

Management and administration

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the Department of Education’s (the department’s) support and oversight of school planning and use of needs-based funding under the Local Schools, Local Decisions reform.

The report found the department has not had adequate oversight of how schools are using needs-based funding to improve student outcomes since it was introduced in 2014.

The department had not set measures or targets for needs-based equity funding. It had also not been clear enough in how it expected schools to report on the outcomes of additional funding. This means it has not been able to effectively demonstrate the impact of funding at a school, or state-wide level.

To assist with the transition to greater local decision-making, the department provided schools with guidance materials, additional resources and systems support. However, guidance material was not clear enough on the purpose of funding, school budgeting systems were not fit-for-purpose when initially introduced, and support for schools was spread across different areas of the department.

The department has recently increased executive oversight of progress to improve educational outcomes for Aboriginal students and students from a low socio-economic background. It has also developed a consistent set of school-level targets to be implemented from 2020. This may help the department more reliably monitor progress in lifting outcomes for students with additional learning needs.

The report makes eight recommendations aimed at clarifying requirements of schools, better coordinating support and strengthening oversight of the use of needs-based equity funding.

The Local Schools, Local Decisions reform was launched in 2012 to give public schools more authority to make local decisions about how best to meet the needs of their students. A major element of the reform was the introduction of a new needs-based school funding model. Core elements of the model address staffing and operational requirements, while needs-based elements reflect the characteristics of schools and students within them. This includes equity funding designed to support students with additional needs. The four categories of equity funding are:

socio-economic background
Aboriginal background
English language proficiency
low-level adjustment for disability.

Around $900 million in equity funding was allocated in 2019. School principals decide how to use these funds and account for them through their school annual reports. The Department of Education (the department) supports schools in making these choices with tools and systems, guidelines, and good practice examples.

The objective of this audit was to assess the department's support and oversight of school planning and use of needs-based funding under the Local Schools, Local Decisions reform. To address this objective, the audit examined whether:

effective accountability arrangements have been established
effective support is provided to schools.

Conclusion

The department has not had adequate oversight of how schools are using needs-based equity funding to improve student outcomes since it was introduced in 2014. While it provides guidance and resources, it has not set measures or targets to describe the outcomes expected of this funding, or explicit requirements for schools to report outcomes from how these funds were used. Consequently, there is no effective mechanism to capture the impact of funding at a school, or state-wide level. The department has recently developed a consistent set of school-level targets to be implemented from 2020. This may help it to better hold schools accountable for progress towards its strategic goal of reducing the impact of disadvantage.

A significant amount of extra funding has been provided to schools over recent years in recognition of the additional learning needs of certain groups of students facing disadvantage. Under the Local Schools, Local Decisions reform, schools were given the ability to make decisions about how best to use the equity funding in combination with their overall school resources to meet their students’ needs. However, multiple guidelines provided to schools contain inconsistent advice on how the community should be consulted, how funding could be used, and how impact should be reported. Because of this, it is not clear how schools have used equity funding for the benefit of identified groups. School annual reports we reviewed did not fully account for the equity funding received, nor adequately describe the impact of funding on student outcomes.

To help in the transition to greater local decision-making, the department provided extra support by; establishing peer support for new principals, increasing the number of directors, developing data analysis and financial planning systems, targeted training and showcasing good practice. Multiple roles and areas of the department provide advice to schools in similar areas and this support could be better co-ordinated.

Financial planning systems designed to help schools budget for equity and other funding sources were not fit-for-purpose when originally introduced. Schools reported a lack of trust in their budget figures and so were not fully spending their allocated funding. Since then, the department developed and improved a budgeting tool in consultation with stakeholder and user groups. It provided extra funding for administrative support and one-to-one training to help schools develop their capabilities. Despite this, schools we spoke to reported they were not yet fully confident in using the system and needed ongoing training and support.

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #331 - released 8 April 2020.

7 April 2020

Published

Integrity of data in the Births, Deaths and Marriages Register

Justice

Premier and Cabinet

Whole of Government

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Conclusion

BD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register.

BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required.

BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected.

BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls.