Reports
Actions for Workers compensation claims management
Workers compensation claims management
What this report is about
Workers compensation schemes in NSW provide compulsory workplace injury insurance. The effective management of workers compensation is important to ensure injured workers are provided with prompt support to ensure timely, safe and sustainable return to work.
Insurance and Care NSW (icare) manages workers compensation insurance. The State Insurance Regulatory Authority (SIRA) regulates workers compensation schemes. NSW Treasury has a stewardship role but does not directly manage the schemes.
This audit assessed the effectiveness and economy of icare’s management of workers compensation claims, and the effectiveness of SIRA’s oversight of workers compensation claims.
Findings
icare is implementing major reforms to its approach to workers compensation claims management - but it is yet to demonstrate if these changes are the most effective or economical way to improve outcomes.
icare’s planning and assurance processes for its reforms have not adequately assessed existing claims models or analysed other reform options.
icare's activities have not focused enough on its core responsibilities of improving return to work and maintaining financial sustainability.
SIRA has improved the effectiveness of its workers compensation regulatory activities in recent years. Prior to 2019, SIRA was mostly focussed on developing regulatory frameworks and was less active in its supervision of workers compensation schemes.
NSW Treasury's role in relation to workers compensation has been unclear, which has limited its support for performance improvements.
Recommendations
icare should:
- Ensure that its annual Statement of Business Intent clearly sets out its approach to achieving its legislative objectives.
- Monitor and evaluate its workers compensation scheme reforms.
- Develop a quality assurance program to ensure insurance claim payments are accurate.
NSW Treasury should:
- Work with relevant agencies to improve public sector workers compensation scheme outcomes.
- Engage with the icare Board to ensure icare's management is in line with relevant NSW Treasury policies.
SIRA should:
- Address identified gaps in its fraud investigation.
- Develop a co-ordinated research strategy.
Read the PDF report
Parliamentary reference - Report number #393 - released 2 April 2024
Actions for State Finances 2023
State Finances 2023
What this report is about
Results of the audit of the Consolidated State Financial Statements of the New South Wales General Government Sector (GGS) and Total State Sector (TSS) for the year ended 30 June 2023.
Findings
The audit opinion on the 2022–23 Consolidated State Financial Statements was qualified in relation to two issues and included an emphasis of matter.
The first qualification matter is a continuation of the prior year limitation of scope on the audit relating to the Catholic Metropolitan Cemeteries Trust (CMCT), a controlled state entity, who continued to deny access to its management, books and records for the purposes of a financial audit. As a result, the Audit Office was unable to obtain sufficient appropriate audit evidence to support the assets, liabilities, income and expenses relating to CMCT recorded in the TSS and the equity investment recognised in the GGS relating to the net assets of CMCT.
The second qualification matter relates to the limitations on the accuracy and reliability of financial information relating to Statutory Land Managers (SLMs) and Common Trust entities (CTs) controlled by the State and were either exempted from requirements to prepare financial reports, or who were required to submit financial reports and have not done so. The Audit Office was unable to obtain sufficient appropriate audit evidence to determine the impact on the value of non-land assets and liabilities, income and expenses that should be recognised in the 2022–23 Consolidated State Financial Statements and which have not been recorded in the Consolidated State Financial Statements.
The independent audit opinion also includes an emphasis of matter drawing attention to key decisions made by the NSW Government regarding the future of the Transport Asset Holding Entity of New South Wales (TAHE).
Recommendations
The report includes recommendations for NSW Treasury to address several high-risk findings, including:
- ensuring accurate and reliable financial information is available to recognise the non-land balances of SLMs and CTs
- ensuring the CMCT, SLMs and CTs meet their statutory reporting obligations
- conducting a broader review of the financial reporting exemption framework
- continued monitoring of TAHE's control over its assets
- providing timely guidance to the sector relating to legislative or policy changes that impact financial reporting
- developing an accounting policy for the reimbursement of unsuccessful tender bid cost contributions.
Read the PDF report
Actions for Treasury 2023
Treasury 2023
What this report is about
Result of the Treasury portfolio of agencies’ financial statement audits for the year ended 30 June 2023.
The results of the audit of the NSW Government’s consolidated Total State Sector Accounts (TSSA), which are prepared by NSW Treasury, will be reported separately in our report on ‘State Finances 2023’.
The audit found
Unqualified audit opinions were issued on all general purpose financial statement audits.
Qualified audit opinions were issued on two of the 24 other engagements prepared by portfolio agencies. These related to payments made from Special Deposit Accounts that did not comply with the relevant legislation.
The number of monetary misstatements identified in our audits increased from 29 in 2021–22 to 39 in 2022–23.
The new parental leave policy impacted agencies across all portfolios. NSW Treasury should perform annual assessments to identify changes in legislation and regulation and provide timely guidance to the sector.
Transport for NSW and Sydney Metro have capitalised over $300 million of tender bid costs paid to unsuccessful tender bidders relating to significant infrastructure projects. Whilst NSW Treasury policy provides clarity on the reimbursement of unsuccessful bidders’ costs, clearer guidance on how to account for these costs in agencies’ financial statements is required.
The key audit issues were
Five high-risk issues were reported in 2022–23. Three were new findings on contract management, accounting treatments for workers compensation renewal premium adjustments and the management and oversight of a Special Deposit Account. Two repeat issues referred to the need to improve quality review processes over financial reporting and the timely approval of administration costs.
Portfolio agencies should prioritise and action recommendations to address internal control deficiencies.
This report provides Parliament and other users of the Treasury portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury portfolio of agencies (the portfolio) for 2023.
Section highlights
- Unqualified audit opinions were issued on all Treasury portfolio agencies’ 2022–23 financial statements.
- Two qualified audit opinions were issued on special purpose financial reports, relating to whether payments from the Electricity Retained Interest Corporation – Ausgrid (ERIC-A) Fund and the Electricity Retained Interest Corporation – Endeavour (ERIC-E) Fund, complied with the relevant legislation.
- The total number of errors (both corrected and uncorrected) in the financial statements increased from 29 in 2021–22 to 39 in 2022–23.
Reported corrected misstatements increased from 15 in 2021–22 to 25 with a gross value of $7.1 billion in 2022–23. Reported uncorrected misstatements increased from 13 in 2021–22 to 14 in 2022–23, with a gross value of $277.6 million in 2022–23.
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury portfolio.
Section highlights
- Five high-risk issues were reported in 2022–23. Three were new findings on contract management, accounting treatments for workers compensation renewal premium adjustments and the management and oversight of a Special Deposit Account.
- A further 35 moderate risk findings were reported in 2022–23, of which ten were repeat findings.
- Some agencies have again spent monies without an authorised delegation.
- The quality of information provided for audit purposes needs to improve.
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Appendix five – Acquittals and other opinions
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Natural disasters
Natural disasters
What this report is about
This report draws together the financial impact of natural disasters on agencies integral to the response and impact of natural disasters during 2021–22.
What we found
Over the 2021–22 financial year $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters.
Total expenses were less than the budget due to underspend in the following areas:
- clean-up assistance, including council grants
- anticipated temporary accommodation support
- payments relating to the Northern Rivers Business Support scheme for small businesses.
Natural disaster events damaged council assets such as roads, bridges, waste collection centres and other facilities used to provide essential services. Additional staff, contractors and experts were engaged to restore and repair damaged assets and minimise disruption to service delivery.
At 30 June 2022, the estimated damage to council infrastructure assets totalled $349 million.
Over the first half of the 2022–23 financial year, councils experienced further damage to infrastructure assets due to natural disasters. NSW Government spending on natural disasters continued with a further $1.1 billion spent over this period.
Thirty-six councils did not identify climate change or natural disaster as a strategic risk despite 22 of these having at least one natural disaster during 2021–22.
Section highlights
|
Section highlights
|
Actions for Treasury 2022
Treasury 2022
What the report is about
Results of the Treasury cluster agencies' financial statement audits for the year ended 30 June 2022.
The results of the audit of the NSW Government's consolidated Total State Sector Accounts (TSSA), which is prepared by NSW Treasury, are reported separately in our report on 'State Finances 2022'.
What we found
Unmodified audit opinions were issued on all 30 June 2022 general purpose financial statement audits.
Qualified audit opinions were issued on three of the 25 other engagements prepared by cluster agencies. These related to payments made from Special Deposit Accounts (SDA) that did not comply with the relevant legislation.
What the key issues were
Commercial agreements were signed between TAHE, the operators and Transport for NSW in June 2022, which reflected an expected rate of return of 2.5% on contributed equity. However, it remains critical that the government continue to provide sufficient funding to the operators so they can pay for access and use TAHE assets. These findings are reported in our report on 'State Finances 2022'.
Eight high-risk issues were raised in 2021–22, of which five relate to NSW Treasury.
A number of previously reported audit findings and recommendations with respect to icare continue to be ongoing issues. This includes the Workers Compensation Nominal Insurer continuing to hold less assets than the estimated present value of its future payment obligations, when measured in accordance with the accounting framework.
What we recommended
Our report on 'State Finances 2022' made several recommendations to improve NSW Treasury's processes.
In this report, we recommended icare should ensure:
- it has sufficient controls in place over claim payments, including an effective quality assurance program, to minimise claim payment errors
- that documentation to support PIAWE calculations is appropriately maintained, and that the minimum documentation requirements are set out in a policy.
This report provides Parliament and other users of the Treasury cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury cluster (the cluster) for 2022.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury cluster.
Section highlights
|
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Appendix five – Acquittals and other opinions
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for State Finances 2022
State Finances 2022
What the report is about
Results of the 2021–22 consolidated General Government Sector (GGS) and Total State Sector (TSS) financial statements audits.
What we found
The Independent Auditor’s Report on the 2021–22 GGS and TSS financial statements was modified with a limitation of scope and also contained an emphasis of matter.
The opinion in the TSS Independent Auditor’s Report was modified with a limitation of scope on certain balances consolidated in the TSS financial statements because the Catholic Metropolitan Cemeteries Trust (CMCT) denied access to its management, books and records for the purpose of conducting a financial audit.
The Independent Auditor’s Report also includes an emphasis of matter drawing attention to the significant uncertainties associated with the GGS’s equity investment in Transport Asset Holding Entity (TAHE). The significant uncertainty relates to key assumptions and estimates used to forecast a 2.5% return from GGS investments into TAHE that supports the accounting treatment as an equity injection, including:
- funding to support the Rail Operators to pay TAHE’s contracted and forecast access and licence fees up until 2045–46. The Rail Operators are dependent on funding from the GGS to pay access and licence fees. Forecast modelling notes a requirement of a further $10.2 billion in budget funding to pay TAHE to the end of the ten-year contract period in 2030–31, in addition to the $5.5 billion allocated in the forward estimates and up to $50.8 billion for the period 2032 to 2046
- a significant portion of the projected returns are earnt outside of the ten-year contract period and there is a risk that TAHE may not be able to recontract fees at levels consistent with current projections.
What we recommended
The report includes a number of recommendations including:
- continued monitoring that TAHE controls the reported assets ensuring the CMCT, Category 2 Statutory Land Managers (SLM) and Commons Trusts meet their statutory reporting obligations
- ensuring accounting and audit position papers are sufficiently consulted with key stakeholders and are concluded on a timely basis
- ensuring agencies support the timely conclusion of audits by bringing to the auditors' attention key Cabinet records and identifying references relating to accounting issues impacting the financial statements
- for Special Deposit Accounts (SDA) responsible managers should ensure amounts appropriated under any Act or law for payment into the account are appropriately recorded, ensuring payments from SDAs are allowable and made in accordance with Treasurer's delegations and standing authorisation.
Pursuant to section 52A of the Government Sector Audit Act 1983 I am pleased to present my Auditor-General’s Report on State Finances 2022.
Once again this year has presented considerable challenges for the state sector and my Office as we collectively grapple with uncertainties related to COVID-19 and the disruption of emergency events impacting New South Wales. In addition, there were many recommendations arising from last year’s audit to be addressed.
While there is more to do to ensure good financial stewardship of the State, resolution of matters was helped by constructive engagement with the NSW Treasury at the most senior levels. Personally I wish to thank the Treasurer and Secretary for their commitment to instilling integrity in financial management systems and processes. The support Treasury provided for recent amendments to the Government Sector Audit Act 1983 to provide ‘follow the dollar’ powers and other changes recommended by the Public Accounts Committee quadrennial review of my Office is also acknowledged.
Finally I want to thank the teams that contributed to this year’s audit of the Total State Accounts for their diligence, professionalism and commitment. I am very proud of your work.
Margaret Crawford
Auditor-General for New South Wales
The Independent Auditor's Report was qualified and also included an emphasis of matter
The audit opinion on the State's 2021–22 financial statements was modified. The delayed signing of the NSW Total State Sector Accounts (TSSA) by NSW Treasury was in order to resolve significant accounting issues that were material to the TSSA. The key areas requiring significant audit effort included reviewing the State's accounting for TCorp Investment Management (IM) Funds and responding to the risks related to the Catholic Metropolitan Cemeteries Trust (CMCT) denying access to its management and books and records, which is detailed in this Report.
NSW Treasury aimed to sign the TSSA by 19 October 2022. This was delayed by nearly six weeks and the TSSA audit opinion was subsequently signed on the statutory deadline imposed on the Treasurer for tabling of the TSSA in the Legislative Assembly of 30 November 2022.
The Independent Auditor’s Report was modified due to a limitation of scope on the balances consolidated in the TSSA relating to the CMCT
The opinion in the Independent Auditor’s Report was modified with a limitation of scope due to the inability to access management, books and records of a controlled entity, the CMCT.
This year, NSW Treasury, after reconsidering all facts and the perspectives of the CMCT, reconfirmed that the CMCT is a controlled entity of the State for financial reporting purposes. This means CMCT is a GSF agency under the provisions of the Government Sector Finance Act 2018 (GSF Act). As such NSW Treasury is required by Australian Accounting Standards to consolidate the CMCT into the Total State Sector Accounts (TSSA). The value of assets and liabilities of CMCT consolidated into the TSSA is $310.3 million and $15.1 million, respectively, and the loss of CMCT consolidated into the TSSA for the year is $2.4 million.
To date, CMCT has not met its statutory obligations to prepare financial statements under the GSF Act and give them to the Auditor-General. CMCT has not submitted its financial statements to the Auditor-General for audit as required despite repeated requests and has not provided access to its books and records for the purposes of a financial audit. The Secretary of the Department of Planning and Environment wrote to CMCT to request it work with, and offer full assistance to, the Auditor-General in the exercise of her duties.
NSW Treasury has met with and considered CMCT's perspectives. NSW Treasury’s position remains that CMCT is a controlled entity of the State for financial reporting purposes. Consequently, CMCT has not met its statutory obligations as a controlled entity to submit its financial statements for audit and provide access to its books and records. Therefore, the Audit Office was unable to obtain sufficient appropriate audit evidence about the carrying amount of assets and liabilities consolidated into the Total State Sector Accounts as at 30 June 2022 and of the amount of income and expenses for the year then ended. Accordingly a modified audit opinion was issued on the NSW Government's 2021–22 consolidated financial statements.
Section 3 of this report titled 'Limitation of Scope relating to CMCT' discusses this matter in further detail.
An emphasis of matter drawing attention to uncertainty relating to the General Government Sector's investment in the Transport Asset Holding Entity (TAHE) remains
The Independent Auditor’s Report also includes an emphasis of matter, drawing attention to the significant uncertainties associated with the General Government Sector's (GGS) equity investment in TAHE. The significant uncertainty relates to key assumptions used to forecast returns from investments into TAHE in order to support the recognition of the government's funding of TAHE as an equity injection.
At the time of signing the Independent Auditor's Report, there was significant uncertainty with regards to assumptions and estimates used to forecast a return from the GGS investment into TAHE, which supports the recognition of an equity injection. There is significant uncertainty relating to:
- the 2022–23 Budget committed $5.5 billion to fund TAHE's key customers, Sydney Trains and NSW Trains (the operators), to support their payment of access and licence fees agreed on 23 June 2022. However, this funding only extends out to the end of the forward estimates period in 2025–26, which falls short of the ten-year contractual periods to 2030–31 and the projected period to 2045–46 to achieve a 2.5% return from the government's equity investment. The government will need to fund the operators an additional $10.2 billion in Budget funding so that they can meet their contractual obligations to TAHE from 2026–27 to 2030–31, and a further projected funding of $50.8 billion from 2031 to 2046. This additional funding is not within the government's published Budget figures, leading to uncertainty on whether the government-funded operators can pay access and licence fees beyond the forward estimates period of 2025–26
- a significant portion of the projected returns are earnt outside the ten-year contract period (terminating 30 June 2031) and there is a risk that TAHE will not be able to recontract for access and licence fees at a level that is consistent with current projections. There is also a risk that funding for TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections.
The 'State Finances 2021' report made recommendations regarding the significant accounting issues relating to TAHE. The State's response to these recommendations are detailed in Section 4 of this report titled ‘Investment in the Transport Asset Holding Entity’. Other significant matters related to the TSSA audit are covered in Section 8 titled ‘Key audit findings’.
Other financial reporting matters
All government agencies were granted an extra week to submit financial statements for audit
A one-week extension provided agencies across the sector with additional time to resolve key accounting issues and submit financial statements for audit by 1 August 2022.
Further extensions were approved for the following seven agencies (ten in 2020–21):
- State Insurance Regulatory Authority (3 August 2022)
- Dams Safety NSW (8 August 2022)
- Jenolan Caves Reserve Trust (8 August 2022)
- Transport for NSW (8 August 2022)
- Department of Enterprise, Investment and Trade (22 August 2022)
- Transport Asset Holding Entity (22 August 2022)
- Department of Transport (26 August 2022).
Additional extensions provided agencies with more time to complete:
- asset valuations
- valuations of actuarially assessed liabilities.
An initial draft of the TSSA was provided to audit on 15 September 2022. This version was incomplete and excluded the impact of consolidating the State's TCorp IM funds under the correct Australian Accounting Standards. An additional three versions of the draft TSSA were provided to audit progressively to update the TCorp IM fund consolidated balances. The final complete version of the TSSA was submitted on 27 October 2022 which included all adjustments relating to the TCorp IM fund consolidation. Refer to section 8.1 for more details on the material restatements relating to the consolidation of the TCorp IM funds.
In 2021–22, agency financial statements presented for audit contained 20 errors exceeding $20 million (24 in 2020–21). The total value of these errors was $973 million, a decrease from the previous year ($6.6 billion in 2020–21).
The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.
The errors resulted from:
- incorrect application of Australian Accounting Standards and NSW Treasury policies
- incorrect judgements and assumptions when valuing non-current physical assets and liabilities.
NSW Treasury concluded CMCT is a controlled entity of the State
In response to our recommendation in the ‘State Finances 2021’ report, NSW Treasury reconfirmed that the Catholic Metropolitan Cemeteries Trust (CMCT) is a controlled entity of the State. The Audit Office accepted the position of NSW Treasury.
The reaffirmation of this position means CMCT is a GSF agency under the provisions of the Government Sector Finance Act 2018 (GSF Act). Section 7.6 of the GSF Act places an obligation on CMCT to prepare financial statements and give them to the Auditor-General. Further, section 34 of the Government Sector Audit Act 1983 (the GSA Act) requires the Auditor-General to furnish an audit report on these financial statements.
To date, CMCT has not met its statutory obligations to prepare financial statements under the GSF Act and give them to the Auditor-General. CMCT has not submitted their financial statements to the Auditor-General for audit despite repeated requests and has not provided access to its books and records for the purposes of a financial audit. There was extensive correspondence between the Audit Office of NSW, CMCT, NSW Treasury and the Department of Planning and Environment in 2022 regarding this matter.
RecommendationNSW Treasury and the Department of Planning and Environment should ensure the Catholic Metropolitan Cemeteries Trust meets its statutory reporting obligations. |
In addition, on 10 December 2021, the then Minister for Water, Property and Housing wrote to the Auditor-General requesting a financial and performance audit be performed pursuant to section 27B(3)(c) of the GSA Act. The audit would cover the financial affairs of CMCT, including whether funds have been used for the proper purpose. The Audit Office of New South Wales has written to CMCT on a number of occasions to request the provision of documentation and access to management in order to conduct the performance audit. CMCT has not provided the Audit Office of New South Wales access to its management, books and records for the purpose of the required performance audit.
NSW Treasury has met with and considered CMCT's perspectives. NSW Treasury’s position remains that CMCT is a controlled entity of the State for financial reporting purposes. Consequently, CMCT did not meet its statutory obligations as a controlled entity to submit its financial statements for audit and provide access to its books and records.
The TSSA audit opinion included a limitation of scope
The opinion in the TSSA Independent Auditor’s Report was modified with a limitation of scope due to an inability to access management and the books and records of CMCT. This limitation was appropriately disclosed in Note 1 'Statement of Significant Accounting Policies' of the TSSA. The Statement of Compliance signed by the Secretary of Treasury and the Treasurer on 29 November 2022 was also updated to acknowledge the disclosure in Note 1 regarding CMCT.
The Audit Office was unable to obtain sufficient appropriate audit evidence about the carrying amount of assets and liabilities consolidated into the Total State Sector Accounts as at 30 June 2022 and of the amount of income and expenses for the year then ended. Accordingly a modified audit opinion was issued on the NSW Government's 2021–22 consolidated financial statements.
The process of information sharing by NSW Treasury continues to require improvement
In last year’s ‘State Finances 2021’ report an extreme risk management letter finding was reported for NSW Treasury to ensure it significantly improve its processes so that all relevant information is identified and shared with the Audit Office to support material transactions and balances of the State.
A number of events reconfirmed that NSW Treasury needs to continue improving its process with respect to information sharing with the Audit Office. Notably, NSW Treasury’s finance team had not demonstrated that all available information (on their systems) was considered by them when assessing the State’s control over CMCT.
Critical information relating to CMCT was in the possession of NSW Treasury since late October 2021 but not considered when reconfirming their accounting position on the State's control of CMCT this year. A further reconfirmation of the State's control over CMCT was needed by NSW Treasury to ensure this information was considered in their accounting assessment.
The above demonstrates that more effective consultation is required by NSW Treasury with key stakeholders to ensure all information relevant to forming an accounting position relating to the TSSA is captured. This will ensure new information is not identified late in the audit process and NSW Treasury considers all information when concluding on the accounting position of the State.
RecommendationNSW Treasury should ensure when drafting position papers and concluding on accounting issues impacting the State, these are provided to audit on a timely basis and reflect a complete and accurate understanding of the key public sector issues being considered. |
Last year's report highlighted that NSW Government actions avoided a qualified opinion in 2020–21 relating to the General Government Sector's $2.4 billion cash contribution to Transport Asset Holding Entity (TAHE). These actions included the NSW Government agreeing to provide additional future funding to TAHE's key government customers Sydney Trains and NSW Trains (the operators) to support increases in access and licence fees to be paid to TAHE.
The additional funding by the government was necessary to demonstrate that a reasonable expectation of a sufficient rate of return would be earned on its equity invested in TAHE. Last year, there was no government policy on what the minimum return should be on investments in other public sector entities, so the long-term inflation rate was used as a benchmark. A recommendation was made in last year's State Finances report that NSW Treasury establish a policy on the minimum expected return from its investments.
On 6 September 2022, NSW Treasury finalised its policy relating to the government’s returns on equity investments. The application of this policy is limited to State Owned Corporations and similar to the Commonwealth framework for commercial businesses, which requires the expected return be at least equal to the long-term inflation rate.
The government's commitment to additional funding was conveyed last year through revised shareholder expectations being published in the 2021–22 'NSW Budget-Half yearly Review' on 16 December 2021, increasing the expected returns on equity from 1.5% to the expected long-term inflation rate of 2.5%. On 18 December 2021, Transport for NSW (TfNSW) and the operators entered into a Heads of Agreement (HoA). This formed the basis of negotiations to revise the pricing within the existing ten-year contracts and deliver upon the shareholders’ expected return of 2.5% on contributed equity to be earned over the estimated weighted average remaining useful lives of TAHE's assets.
Further information on last year's audit of the government’s investment in TAHE can be found in our 'State Finances 2021' report.
Ten-year commercial agreements were signed between TAHE, operators and TfNSW
Last year's State Finances report recommended that NSW Treasury facilitate revised commercial agreements to reflect the access and licence fees detailed in the HoA. As these agreements were not executed by 30 June 2021, last year's audit opinion of the Total State Sector Accounts (TSSA) included an Emphasis of Matter drawing attention to the uncertainty that existed at balance date as these agreements were not finalised.
On 23 June 2022, commercial agreements were signed between TAHE, the operators and Transport for NSW through a deed of variation. The revised access and licence fees for the ten-year period 2021–22 to 2030–31 was $16.6 billion, which is $520 million less than the HoA fees of $17.1 billion.
Comparison | FY22 $m |
FY23 $m |
FY24 $m |
FY25 $m |
FY26 $m |
FY27 $m |
FY28 $m |
FY29 $m |
FY30 $m |
FY31 $m |
Total $m |
Revised commercial agreements | 641.1 | 911.8 | 1,298.1 | 1,585 | 1,807.3 | 1,921.8 | 1,992 | 2,065.4 | 2,139.1 | 2,252.8 | 16,614.4 |
HoA | 679.9 | 1,081.4 | 1,236 | 1,398.9 | 1,645.8 | 1,826.1 | 2,023.3 | 2,209.4 | 2,404.5 | 2,629.2 | 17,134.6 |
Difference | (38.8) | (169.6) | 62.1 | 186.1 | 161.5 | 95.7 | (31.3) | (144) | (265.4) | (376.4) | (520.2) |
TAHE's main customers principally rely on government funding to pay access and licence fees
Whilst TAHE has agreed ten-year access and licence fees of $16.6 billion with its two main customers Sydney Trains and NSW Trains, these two operators significantly rely on government funding when making these payments to TAHE. At 30 June 2022, TAHE's expected return of 2.5% is contingent upon the GGS funding the operators to support their payment of access and licence fees that have been agreed with TAHE for the ten-year contracted period and for non-contracted periods from 2031–32 to 2045–46.
The 2022–23 NSW Budget has allocated $5.5 billion to fund the operators, to support their payment of access and licence fees. However, this funding extends to the end of the forward estimates period in 2025–26, which falls short of the ten-year contractual period to 2030–2031 and the projected period to 2045–46 to achieve the 2.5% return.
2022–261 $b |
2027–20312 $b |
2032–46 $b |
Total $b |
|
Access and licence fees3 | 5.5 | 10.2 | 50.8 | 66.5 |
The government will need to fund the operators an additional $10.2 billion in budget funding to meet their contractual obligations to TAHE from 2026–27 to 2030–2031, and a further projected funding of $50.8 billion from 2032 to 2046. This is needed to ensure the government continues to demonstrate its expected return on investment of 2.5%. This additional funding is not within the government's published 2022–23 NSW Budget figures, leading to uncertainty on whether the government funded operators can pay access and licence fees beyond the forward estimate period of 2025–26.
Significant funding uncertainties remain
While the ten-year access and licence fee agreements were communicated to the NSW Government's Expenditure Review Committee, it is yet to be fully provided for in the government's budget figures. As TAHE's projections are highly dependent on the operators as its key customers, it remains critical that the government continue to provide sufficient funding to the operators so they can pay for access and use of TAHE assets. This means the significant funding uncertainties reported in last year's TSSA audit opinion remain for 2021–22.
The government has estimated $37.9 billion in returns (equivalent to 2.5% on contributed equity) is to be earned from its investment in TAHE over the period from 1 July 2022 to 30 June 2046. As previously reported, TAHE derives most of its revenue from access and licence fee agreements from the operators, who in turn are both funded by grants through TfNSW from the GGS. More than 95% of these returns are estimated to be earned outside of the ten-year contract period (terminating 30 June 2031).
2022–261 $b |
2027–20312 $b |
2032–46 $b |
Total $b |
|
Returns to GGS | 1.8 | 4.7 | 31.5 | 37.9 |
There remains risk that:
- TAHE will not be able to recontract for access and licence fees at a level that is consistent with current projections
- future governments' funding to TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections
- TAHE will be unable to grow its non-government revenues.
This significant funding uncertainty was also reported in last year's TSSA audit opinion and will remain for 2021–22.
In 2021–22, TAHE and NSW Treasury prepared further modelling to support the Government's intent to earn a 2.5% return inclusive of recovering the holding (revaluation) loss of $20.3 billion on its investment in TAHE
Last year's State Finances report highlighted that NSW Treasury, with TAHE, should prepare robust projections and business plans to support the expected returns forecast beyond FY2031.
This year TAHE engaged an expert to help develop a model demonstrating the government's expected returns from its investment in TAHE. The model mathematically forecasts that returns of 2.5% will be achieved by 2046 and this will include recovery of the revaluation losses of $20.3 billion relating to 2020–21.
The current model includes some key assumptions:
- The main source of revenue is the access and licence fees expected from the two public rail operators (Sydney Trains and NSW Trains) contributing to more than 80% of TAHE's projected revenue. The rail operators are largely funded by the government when paying access and licence fees to TAHE.
- For the first ten years, the access and licence fees are based on the signed agreements between TAHE and the public rail operators.
- Beyond the ten-year contracted period, the model assumes existing contractual terms for access and licence fees will continue unchanged allowing for an annual rise for inflation (2.5% per annum), and increased fees to enable a 7.62% return for renewed assets.
- The capital expenditure included in the model is only the amounts approved by the Expenditure Review Committee (ERC) as part of the ten-year forecast. The model beyond ten years includes expected investment in renewed and replacement assets but excludes any forecasts relating to growth capex that is not approved by the ERC, and any related depreciation expenses for growth capex.
While management has developed a 35-year long term financial model to support the returns, we note this will need to be refined over the next few years. Furthermore, these are forecasted figures and we have not seen sufficient evidence of whether this reflects reality (that is, the achievement of dividends representing a return on equity) as it is still very early. Therefore, this will remain a high-risk matter until we have seen sufficient evidence of reality to the forecasted figures.
There is negative net impact on the budget after 2024–25 and this will grow in the future
There are some key points to highlight with this modelling and these are best conveyed with the graph below. This graph shows total cash injections made by the GGS since the government first announced the creation of TAHE as a for-profit entity in the 2015–16 NSW Budget. It also conveys the forecast returns from TAHE to the GGS and the level of funding operators will need from the GGS to pay TAHE's access and licence fees over the 30-year period. These cash flows are key inputs used in the modelling which calculates a 2.5% return from TAHE inclusive of recovering the holding (revaluation) loss of $20.3 billion.
The government continues to respond to the impact of the COVID-19 pandemic on New South Wales through its economic stimulus measures
The COVID-19 pandemic continued to significantly impact the State’s finances, reducing revenue and increasing expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health. In October 2021, the government announced through the 'COVID-19 Economic Recovery Strategy' an additional $2.8 billion in economic stimulus and response measures following the conclusion of the three-month lockdown due to the Delta COVID-19 outbreak. Measures included:
- $739 million in household and social support, including housing support for Aboriginal communities and survivors of domestic violence, and vouchers to thank parents for their efforts to support learning from home
- $500 million to consumers and businesses including expansion of the 'Dine & Discover' and 'Stay & Rediscover' voucher programs
- $495 million in education support addressing learning gaps for children and helping schools prepare for future learning disruptions
- $487 million in combined funding for tourism, events, sports, and recreation throughout New South Wales
- $130 million to fund mental health services for individuals whose mental health was impacted by the pandemic.
The 2021–22 financial year included $21.9 billion for pandemic response and economic stimulus measures. Of this, $17.9 billion was spent in 2021–22 while a further $1 billion of the budgeted amount from 2021–22 was carried forward into 2022–23. The graph below shows the total allocation and spend by cluster for 2022 compared to target spend.
There were 14 natural disaster declarations including four severe weather events in 2021–22
Natural disasters such as bushfires, storms, floods, and other adverse weather events can have a significant impact on the State's finances. Costs associated with natural disasters include direct response costs such as clean-up and recovery, temporary accommodation, and as well as financial assistance provided to impacted communities such as recovery and business support grants.
The NSW Government can make a natural disaster declaration allowing eligible individuals and communities from impacted Local Government Areas access to a range of special financial assistance measures.
In 2021–22, there were 14 natural disaster declarations announced comparable to 14 in the previous year. These natural disaster declarations largely related to storms and floods throughout the State. In 2021–22, there was a larger number of 'severe weather' events declared, with four in 2021–22 (nil in 2020–21).
Natural disaster expenses increased 143% to $1.4 billion in 2021–22, up from $569 million last year
Over 2021–22, the budgeted cost for declared natural disasters was $1.9 billion ($725 million in 2020–21). Actual expenditure by the State on disaster response increased by $815 million to $1.4 billion. The graph below shows the total allocation and spend by cluster for 2022 compared to their budget spend.
Deficit of $15.3 billion compared with a budgeted deficit of $8.6 billion
The outcomes of the government’s overall activity and policies are reflected in its net operating balance (budget result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.
The General Government Sector, which comprises 196 entities, generally provides goods and services funded centrally by the State.
In addition to the 196 entities within the General Government Sector, a further 85 government controlled businesses are included within the consolidated Total State Sector financial statements. These businesses generally provide goods and services, such as water, electricity and financial services for which consumers pay for directly, and form part of the PNFC (31) and PFC (54) sectors.
The budget result for the 2021–22 financial year was a deficit of $15.3 billion compared to an original forecast of a budget deficit of $8.6 billion.
Revenues increased $16.1 billion to $106.7 billion
The State’s total revenues increased $16.1 billion to $106.7 billion, an increase of 17.8% compared to the previous year. Total revenue growth in 2020–21 was 5.1%. The State's increase in revenue was mostly from $9.2 billion in grants and subsidies and $4.6 billion in taxation.
Taxation revenue increased by 13.3%
Taxation revenue increased by $4.6 billion, mainly due to the net of:
- $4.9 billion higher stamp duties collected from property sales driven by growth in property transaction volumes and prices during 2021–22. This was growth was experienced across residential and commercial property markets
- $296 million lower gambling and betting taxes compared to 2020–21. Decrease was primarily attributed to the ongoing effects of COVID-19 restrictions and venue closures within the first half of 2021–22.
Stamp duties of $16.6 billion remains the largest source of taxation revenue, $7.7 billion higher than payroll tax of $8.9 billion, the second-largest source of taxation revenue.
Assets grew by $53 billion to $571 billion
The State’s assets include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $53.2 billion or 10.3% to $571 billion. The increase was largely due to increases in the carrying value of land, buildings and infrastructure systems.
Valuing the State’s physical assets
State’s physical assets valued at $437 billion
The value of the State’s physical assets increased by $46.8 billion to $437 billion in 2021–22 ($724 million increase in 2020–21). The State’s physical assets include land and buildings ($198 billion), infrastructure systems ($221 billion), and plant and equipment ($18 billion).
The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include assets reclassified to held for sale and other opening balance adjustments.
Appendix one – Prescribed entities
Appendix three – TSS sectors and entities
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Audit Insights 2018-2022
Audit Insights 2018-2022
What the report is about
In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.
This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.
The report is framed by recognition that the past four years have seen significant challenges and emergency events.
The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.
The report is a resource to support public sector agencies and local government to improve future programs and activities.
What we found
Our analysis of findings and recommendations is structured around six key themes:
- Integrity and transparency
- Performance and monitoring
- Governance and oversight
- Cyber security and data
- System planning for disruption
- Resource management.
The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.
In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.
The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.
A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.
Fast facts
- 72 audits included in the Audit Insights 2018–2022 analysis
- 4 years of audits tabled by the Auditor-General for New South Wales
- 6 key themes for Audit Insights 2018–2022.
I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.
The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.
A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.
However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.
While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.
Margaret Crawford
Auditor-General for New South Wales
Integrity and transparency | Performance and monitoring | Governance and oversight | Cyber security and data | System planning | Resource management |
Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption. | Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds. | The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work. | Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture. | Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination. | Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest. |
Government entities should report to the public at both system and project level for transparency and accountability. | Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact. | Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls. | In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite. | Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders. | Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds. |
Entities must provide balanced advice to decision-makers on the benefits and risks of investments. | Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery. | Active review of policies and procedures in line with current business activities supports more effective risk management. | Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting. | Formal structures and systems to facilitate coordination between agencies is critical to more efficient allocation of resources and to facilitate a timely response to unexpected events. | Transformation programs can be improved by resourcing a program management office. |
Clear guidelines and transparency of decisions are critical in distributing grant funding. | Quality assurance should underpin key inputs that support performance monitoring and accounting judgements. | Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues. | Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need. | ||
Governments must ensure timely and complete provision of information to support governance, integrity and audit processes. | |||||
Read more | Read more | Read more | Read more | Read more | Read more |
This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.
- Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
- Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
- Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.
This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.
The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.
This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.
Appendix one – Included reports, 2018–2022
Appendix two – About this report
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Internal controls and governance 2020
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Internal Controls and Governance 2019
Internal Controls and Governance 2019
This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.
The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:
- financial controls
- information technology controls
- gifts and benefits
- internal audit
- contingent labour
- sensitive data.
The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.
1. Internal control trends
New, repeat and high risk findings |
There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies. Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time. |
Common findings |
A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:
|
2. Information technology controls
IT general controls |
We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:
We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required. |
3. Gifts and benefits
Gifts and benefits registers |
All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers. Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour. |
Managing gifts and benefits |
We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites. Agencies can improve management of gifts and benefits by:
|
Reporting and monitoring |
Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee. Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits. |
4. Internal audit
Obtaining value from the internal audit function |
Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee. Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer. Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks. |
Role of the Chief Audit Executive |
Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE. The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO. Agencies should ensure:
|
Quality assurance and improvement program |
Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function. The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually. Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments. |
5. Managing contingent labour
Obtaining value for money from contingent labour |
According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces. Agencies can improve their management of contingent labour by:
We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'. |
6. Managing sensitive data
Identifying and assessing sensitive data |
Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked. Agencies can improve processes to manage sensitive data by:
|
Managing data breaches |
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents. Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach. |
This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.
Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.
This report offers insights into internal controls and governance in the NSW public sector
This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.
Areas of specific focus of the report have changed since last year
Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:
- internal control trends
- information technology controls, including access to agency systems
- protecting sensitive information held within agencies
- managing large and diverse workforces (controls around employing and managing contingent workers)
- maintaining an ethical culture (management of gifts and benefits)
- effectiveness of internal audit function and its oversight by Audit and Risk Committees.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Key conclusions and sector wide learnings
- out of date policies or an absence of policies to guide appropriate decisions
- poor record keeping and document retention
- incomplete or inaccurate centralised registers or gaps in these registers.
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.
Key conclusions and sector wide learnings
We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.
Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.
Areas where agencies can improve their management of gifts and benefits include:
- ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
- establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
- updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
- providing on-going training, awareness activities and support to employees, not just at induction
- regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
- publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.
Key conclusions and sector wide learnings
We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:
- documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
- ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
- involving the CAE more extensively in executive forums as an observer
- documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
- reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.
Key conclusions and sector wide learnings
Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.
There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:
- preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
- involving agency human resources units in decisions about engaging contingent labour
- regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
- strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.
Key conclusions and sector wide learnings
Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.
It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.
Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.
Key areas where agencies can improve their management of sensitive data include:
- identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
- assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
- developing comprehensive data breach management policies to ensure data breaches are appropriately managed
- maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
- providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.
Appendix one – List of 2019 recommendations
Appendix two – Status of 2018 recommendations
Appendix three – In-scope agencies
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Internal Controls and Governance 2018
Internal Controls and Governance 2018
The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.
This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.
This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.
This report offers insights into internal controls and governance in the NSW public sector
This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:
- Internal control trends
- Information technology (IT), including IT vendor management
- Transparency and performance reporting
- Management of purchasing cards and taxis
- Fraud and corruption control.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.
The focus of the report has changed since last year
Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Agencies selected for the volume account for 95 per cent of the state's expenditure
While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.
Observation | Conclusions and recommendations |
---|---|
2.1 High risk findings | |
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16. | Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority. |
2.2 Common findings | |
We found several internal controls and governance findings common to multiple agencies. | Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective. |
2.3 New and repeat findings | |
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies. | The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies. |
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases |
Recommendation: Agencies should reduce IT risks by:
|
Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.
Observation | Conclusions and recommendations |
---|---|
3.1 Management of IT vendors | |
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review. |
Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:
|
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract. |
Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination. |
Performance management Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance. |
Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:
|
Transitioning services Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor. |
Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'. |
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete. |
Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:
Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations. |
3.2 IT general controls | |
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review. |
Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments. |
User access administration
|
Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems. |
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities. |
Recommendation: Agencies should:
|
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters. |
Recommendation: Agencies should ensure IT password settings comply with their password policies. |
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment. |
Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed. |
This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.
Observation | Conclusion or recommendation |
4.1 Reporting on performance | |
Only 57 per cent of agencies linked reporting on performance to their strategic objectives. The use of targets and reporting performance over time was limited and applied inconsistently. |
Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information. Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports. |
There is no independent assurance that the performance metrics agencies report in their annual reports are accurate. Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported. |
Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited. The relevance and accuracy of performance information is enhanced when:
|
4.2 Reporting on reports | |
Agency reporting on major projects does not meet the requirements of the annual reports regulation. Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations. |
NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations. Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress. |
The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works. Sixteen of 30 agencies reported some information on completed major works. |
Conclusion: Agencies could improve their transparency if they reported, or were required to report:
|
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.
Observation | Conclusion or recommendation |
5.1 Management of purchasing cards | |
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement. |
Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards. |
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy. |
Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'. |
Preventative controls We found that:
|
Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:
|
Detective controls Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used. |
Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:
|
5.2 Management of taxis | |
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition:
|
Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies:
|
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews. |
Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program. |
Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.
Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:
- unreported frauds in organisations can be almost three times the number of reported frauds
- our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
- fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
- agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.
Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.
Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.
Observation | Conclusion or recommendation |
6.1 Prevention systems | |
Prevention systems Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies. |
Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by:
|
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be. | Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified. |
6.2 Detection systems | |
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program. |
Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment. |
6.3 Notification systems | |
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption. |
Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture |