Internal controls and governance 2024
About this report
Internal controls are key to the accuracy and reliability of agencies’ financial reporting processes. This report analyses the internal controls and governance of 26 of the NSW public sector’s largest agencies for the 2023–24 financial year.
Findings
There are gaps in key business processes, which expose agencies to risks. These gaps are identified in 121 findings across the 26 agencies—including 4 high risk, 73 moderate risk and 44 low risk findings. All four high-risk issues related to IT controls and 19% of control deficiencies were repeat issues. Thirty-five per cent of agencies had deficiencies in control over privileged access.
Shared IT services
Six agencies provide IT shared services to 120 other customer agencies. All six had control deficiencies—three of these were high risk. Four agencies provide no independent assurance to their customers about the effectiveness of their own IT controls.
Cyber security
Eighteen agencies assessed cyber risk as being above their risk appetite. Fourteen of these agencies had not set a timeframe to resolve these risks and two agencies have not funded plans to improve cyber security.
Fraud and corruption control
Agencies need to improve fraud and corruption control. Instances of non-compliance with TC18-02 NSW Fraud and Corruption Policy were identified, including gaps such as a lack of comprehensive employment screening policies and not reporting matters to the audit and risk committee.
Gifts and benefits
Management of gifts and benefits requires better governance and transparency. All agencies had policy and guidance but all had gaps in management and implementation—such as not publishing registers or providing ongoing training.
Information Technology
Nine agencies did not effectively restrict or monitor user access to privileged accounts.
Recommendations
The report makes recommendations to agencies to implement proper controls and improve processes in relation to:
- organisational processes
- information technology
- cyber security
- fraud and corruption, and
- gifts and benefits.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies found across agencies.
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security.
This chapter outlines our audit observations, conclusions and recommendations from our review of agencies' fraud and corruption control framework, policies and practices. Our Internal Controls and Governance 2018 report found a number of fraud and corruption control gaps in NSW Government.
The NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy (the Circular) requires NSW government agencies to develop, implement and maintain a fraud and corruption control framework. The Circular sets out minimum standards for a NSW Government agency’s fraud and corruption control framework.
Previous Audit Office report on agency fraud and corruption control
Report on Internal Controls and Governance 2018 (published October 2018): The report found there were gaps in the fraud and corruption controls by some agencies, which increased the risk of reputational damage and financial loss. Where relevant, we have included the results from our 2018 report on Internal Controls and Governance below for comparison purposes.
This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' managing of gifts and benefits.
State Finances 2024
This report will focus on the 2023–24 consolidated financial statements of the NSW general government and total state sectors. It will comment on the key matters that have been the focus of our audits and highlight significant factors that have contributed to the State’s financial results.
State Government 2024
This report will analyse the results of the 2023–24 financial statement audits of NSW Government agencies. It will comment on financial reporting and performance, key accounting issues and areas of interest that are in focus during the conduct of our audits.
Members’ additional entitlements 2024
This report will analyse whether members of New South Wales Parliament complied with requirements outlined in the Parliamentary Remuneration Tribunal’s Determination.
Emergency relief grants
Under Section 27B(3)(c) of the Government Sector Audit Act 1983, the Special Minister of State has requested that the Audit Office perform a recurring performance audit of emergency relief grants commencing in 2024-25.
In accordance with the Protocol for Auditing Emergency Relief grants, the Audit Office will select particular grants processes for review.
Cyber security insights
This report will highlight themes and insights from the last six years of our audits focusing on cyber security. It will include analysis across our performance audits, compliance audits and the outcomes of financial audits.
Governance of NSW Government agencies’ use of artificial intelligence and automation
The NSW Artificial Intelligence Ethics Policy and NSW Artificial Intelligence Assurance Framework describe the role of artificial intelligence to help the NSW Government free up the workforce for critical and frontline tasks, cut costs and enable delivery of better, more targeted services.
This audit will examine the effectiveness of the governance of artificial intelligence and automation used to deliver services in NSW across a selection of agencies.
Public access to information – compliance with the GIPA Act
The Government Information (Public Access) Act 2009 authorises and encourages the proactive release of information by NSW public sector agencies and gives members of the public a legally enforceable right to access government information.
This audit will examine a selection of agencies’ compliance with the Government Information (Public Access) Act 2009.
Government advertising 2022-23
About this report
The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit of the activities of one or more government agencies in relation to government advertising campaigns in each financial year.
This year, we examined two campaigns run by Transport for New South Wales (TfNSW) - 'Don't trust your tired self' (DTYTS) and 'Saving lives on country roads' (SLCR).
The audit assessed whether they were carried out effectively, economically, and efficiently, and complied with regulatory and policy requirements.
Audit findings
The DTYTS campaign complied with all requirements set out in the Act, the Regulation, and Government Advertising Guidelines - except for the requirement to complete an approved and complying cost-benefit analysis (CBA), as per the Guidelines.
The campaign had a clear target audience. It achieved many of its stated objectives and other performance measures and represented an economical and efficient spend.
However, TfNSW has not measured the campaign's long-term impact and this, combined with the lack of a complying CBA, meant that TfNSW could not confidently demonstrate the campaign's effectiveness.
The SLCR campaign (which commenced in 2017) was last run fully in 2021–22. TfNSW could have improved the formal documentation of its decision-making process when it cancelled the SLCR campaign.
TfNSW continued to run state-wide advertising campaigns, with regional components, to address road safety in regional NSW.
Recommendations
By 31 October 2024, TfNSW should implement processes that ensure:
- CBAs prepared for government advertising campaigns comply with the Government Advertising Guidelines
- long-term impacts of advertising campaigns are evaluated
- strategic and operational decision-making about advertising campaigns, such as starting, stopping or significantly changing a campaign, is well-documented and follows good practice.
The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements prohibit any political advertising and require a peer review and cost-benefit analysis to be completed before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and 2012 NSW Government Advertising Guidelines (the Guidelines) address further matters of detail.
Section 14 of the Act requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner and in compliance with the Act, the Regulation, other laws and the Guidelines.
This audit examined Transport for NSW's (TfNSW) advertising campaigns 'Don't Trust Your Tired Self' and 'Saving Lives on Country Roads' for the 2022–23 financial year.
TfNSW is the NSW Government agency responsible for leading the development of safe, integrated and efficient transport systems for the people of New South Wales.
The Don't Trust Your Tired Self (DTYTS) campaign, which cost $3.04 million in 2022–23, aimed to educate drivers on how to avoid driving tired and encouraged them to consider how tired they were before driving.
The Saving Lives on Country Roads (SLCR) campaign, which commenced in December 2017, aimed to encourage country drivers to re-think the common excuses used to justify their behaviour on the road. In early 2024, after the audit commenced, the Department of Customer Service (DCS) advised the audit team that TfNSW did not run the SLCR campaign in 2022–23. This was subsequently confirmed by TfNSW. Instead, the SLCR branding was used for the regional element of the state-wide drink driving campaign. As a result, this audit examined the reasons and decision-making process for its cancellation.
The SLCR campaign cost $3.11 million in 2021–22, the last full year in which it was run, and $17,038 in 2022–23.
This part of the report sets out key aspects of Transport for NSW's (TfNSW) compliance with the Government Advertising regulatory framework for Don't Trust Your Tired Self (DTYTS). It considers whether the agency complied with the:
- Government Advertising Act 2011 (the Act)
- Government Advertising Regulation 2018 (the Regulation)
- NSW Government Advertising Guidelines 2012 (the Guidelines) and other relevant policy.
This part of the report considers whether Transport for NSW's (TfNSW) advertising campaign Don't Trust Your Tired Self (DTYTS) was carried out in an effective, efficient and economical manner.
This part of the report examines the cancellation of the Saving Lives on Country Roads (SLCR) campaign. It focuses on the decision-making process and evidence for the cancellation of this campaign following its last delivery in 2021–22. It also draws out key implications.
Appendix one – Response from agencies
Appendix two – About the campaigns
Appendix three – About the audit
Appendix four – Performance auditing
Parliamentary reference - Report number #396 released 25 June 2024.
Regulation insights
What this report is about
In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.
This analysis includes performance audits, compliance audits and the outcomes of financial audits.
Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.
The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.
Audit findings
The analysis of findings and recommendations is structured around four key themes related to effective regulation:
- governance and accountability
- processes and procedures
- data and information management
- support and guidance.
The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.
In this report, we also draw out insights for agencies that provide a public sector stewardship role.
The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.
The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.
I am pleased to present this report, Regulation insights. This report highlights themes and generates insights about effective regulation from the last six years of audit.
Effective regulation is necessary to ensure compliance with the law. Effective regulation also promotes social, economic, and environmental outcomes, and minimises risks or negative impacts associated with certain activities. But regulation can be challenging and costly for governments to implement. It can also involve costs and impact on the regulated parties, including other public sector and private entities, and individuals. As such, effective regulation needs to be administered efficiently, and with integrity.
Having a clearly articulated and communicated regulatory approach is essential to achieving this outcome, particularly when this promotes voluntary compliance and sets performance standards that are informed by community expectations. A consistent approach to exercising regulatory powers is important: it should be supported by robust information about regulatory risks and issues, and accompanied with timely, proportionate responses. Providing relevant support to the regulated parties and coordinating activities to facilitate compliance and performance can generate efficiencies.
Finally, transparency matters. It matters so that government has oversight of and can be held accountable for its leadership of public sector compliance, and in regulating the activities of third parties. Transparency also matters because it can provide insights into the effective exercise of government power. To achieve this, meaningful regulatory information needs to be reported.
While these issues are most pertinent for government agencies that exercise traditional regulatory functions, they are also relevant to lead government agencies that provide a stewardship role in promoting compliance and performance by other government agencies in relation to particular areas of risk.
Over the past six years, our audit work has found many common and repeat performance gaps, creating risks, inefficiencies, and limiting outcomes of regulatory activities. In considering these gaps, this report provides public sector leaders with insights into the challenges and opportunities they may encounter when aiming for more effective regulation, including the good governance of regulatory activities. This includes insights for lead agencies that provide a public sector stewardship role. Through applying these insights and maximising regulatory effectiveness, unintended impacts on the people and sectors government serves and protects can be avoided or at the very least minimised.
Margaret Crawford PSM
Auditor-General for NSW
This report brings together key findings and recommendations relevant to regulation from selected performance and compliance audits between 2018 and early 2024 (19 in total), and from two reports that summarise results of financial audits during the same period. It aims to provide insights into the challenges and opportunities the public sector may encounter when aiming to enhance regulatory effectiveness.
The report is structured in two sections, each setting out insights from relevant audits and providing summaries as illustrative examples.
Section 3 is focused on insights from audits of agencies that administer regulatory powers and functions over other entities or activities (typically known as 'regulators'). The powers and functions of regulators are defined in law, and often relate to issuing approvals (e.g., licensing) for certain activities, and/or monitoring allowable activities within certain limits. Regulators often have compliance and enforcement powers that can be exercised in particular circumstances, such as when a regulated entity has not complied with relevant requirements.
Agencies may be primarily established as regulators or perform regulatory activities alongside other functions. Depending on the context, the regulated activity may relate to other state agencies, local government entities, non-government entities or individuals.
Section 4 summarises insights from a selection of audits of agencies that provide a stewardship role in promoting compliance by and performance of other state agencies and local government entities in relation to specific regulations or policies. These policies may or may not be mandatory and, unlike a more traditional regulator, the coordinating agency may not have enforcement powers to ensure compliance.
These policies, and accompanying guidelines and frameworks, are typically issued by ‘central agencies’ such as the Premier's Department that have a public sector stewardship role. They can also be issued by agencies with a leadership role in particular policy areas ('lead agencies'). While individual agencies and local government entities implementing these policies are responsible for their own compliance and performance, lead and central agencies have an oversight role including by promoting accountability and coordinating activities towards achieving compliance and performance outcomes across the public sector.
Readers are encouraged to view the full reports for further information. Links to versions published on our website are provided throughout this document, and a full list is in Appendix one. An overview of the rationale for selecting these audits and the approach to developing this report is in Appendix two.
The status of agencies' responses to audit recommendations
Findings from the audits referred to in this report were current at the time each respective report was published. In many cases, agencies accepted audit recommendations, as reflected in the letters from agency heads that are included in the appendix of each audit report.
The Public Accounts Committee of the NSW Parliament has a role in reporting on and ensuring that agencies respond appropriately to audit recommendations. Readers are encouraged to review the Public Accounts Committee's inquiries on agencies' implementation of audit recommendations, which can be found on the Committee's website.