Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Planning and Environment 2018

Planning
Environment
Asset valuation
Financial reporting
Information technology
Infrastructure
Internal controls and governance
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the NSW Planning and Environment cluster. The report focuses on key observations and findings from the most recent financial audits of these agencies. Unqualified audit opinions were issued for all agencies' financial statements. However, some cultural institutions had challenges valuing collection assets in 2017–18. These issues were resolved before the financial statements were finalised.

This report analyses the results of our audits of financial statements of the Planning and Environment cluster for the year ended 30 June 2018. The table below summarises our key observations.

This report provides parliament and other users of the Planning and Environment cluster agencies' financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations
  • service delivery.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making is enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning and Environment cluster for 2018.

Observation Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified audit opinions were issued for all agencies' financial statements. The quality of financial reporting remains high across the cluster.
2.2 Key accounting issues
There were errors in some cultural institutions' collection asset valuations. Recommendation: Collection asset valuations could be improved by:
  • early engagement with key stakeholders regarding the valuation method and approach
  • completing revaluations, including quality review processes earlier 
  • improving the quality of asset data by registering all items in an electronic database. 
2.3 Timeliness of financial reporting
Except for two agencies, the audits of cluster agencies’ financial statements were completed within the statutory timeframe.  Issues with asset revaluations delayed the finalisation of two environment and heritage agencies' financial statement audits. 

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

  • our financial statement audits of agencies in the Planning and Environment cluster for 2018
  • the areas of focus identified in the Audit Office work program.

The Audit Office annual work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation Conclusions and recommendations
3.1 Internal controls
One in five internal control weaknesses reported in 2017–18 were repeat issues. Delays in implementing audit recommendations can prolong the risk of fraud and error.
Recommendation (repeat issue): Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues.
One extreme risk was identified relating to the National Art School. The School does not have an occupancy agreement for the Darlinghurst campus. Lack of formal agreement creates uncertainty over the School's continued occupancy of the Darlinghurst site.

The School should continue to liaise with stakeholders to formalise the occupancy arrangement. 
 
3.2 Information technology controls
The controls and governance arrangements when migrating payroll data from the Aurion system to SAP HR system were effective. Data migration from the Aurion system to SAP HR system had no significant issues.
The Department can improve controls over user access to SAP system. The Department needs to ensure the SAP user access controls are appropriate, including investigation of excess access rights and resolving segregation of duties issues. 
3.3 Annual work program
Agencies used different benchmarks to monitor their maintenance expenditure. The cluster agencies under review operate in different industries. As a result, they do not use the same benchmarks to assess the adequacy of their maintenance spend. 

This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited. 

We report this information on service delivery to provide additional context to understand the operations of the Planning and Environment cluster, and to collate and present service information for different segments of the cluster in one report. 

In our recent performance audit, ‘Progress and measurement of Premier's Priorities’, we identified 12 limitations of performance measurement and performance data. We recommended the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all relevant agency data sources.

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three- Cluster agencies

Appendix four - Financial data

Appendix five - Timeliness of financial reporting

Appendix six - Management letter findings by risk rating

Published

Central Agencies 2018

Treasury
Premier and Cabinet
Finance
Financial reporting
Internal controls and governance
Management and administration
Risk

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters. While clear audit opinions were issued on all agency financial statements, the report notes that some complex accounting requirements caused significant errors in agency financial statements submitted for audit, which were corrected before the financial statements were approved. 

This report analyses the results of our audits of the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster agencies for the year ended 30 June 2018. The table below summarises our key observations.

This report provides parliament and other users of the NSW Government's central agencies and their cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations
  • liquidity risk management
  • government financial services.

The central agencies and their key responsibilities are set out below.

Central agencies Key central agency responsibilities Cluster responsibilities
The Treasury
  • Financial and economic advisor to NSW Government
  • Manages the NSW Government’s financial resources.

The cluster:

  • provides investment and debt management services though TCorp
  • manages residual business arising from privatisation of government businesses
  • provides insurance and compensation cover, including workers compensation insurance
  • includes NSW Government superannuation funds.
Department of Premier and Cabinet
  • Drives NSW Government’s objectives and sets targets
  • Works with clusters to coordinate policy and achieve NSW Government priorities.

The cluster:

  • includes integrity agencies, such as the Independent Commission Against Corruption, Audit Office of NSW and Ombudsman’s Office
  • other agencies, such as Barangaroo Delivery Authority and Infrastructure NSW.
Department of Finance, Services and Innovation
  • Supports agency service delivery in relation to the key enabling functions of NSW Government, including procurement, property and asset management, ICT and digital innovation.

The cluster:

  • is responsible for state revenue and rental bond administration
  • regulates statutory insurance schemes, workplace safety and consumer protection
  • provides access to a range of NSW Government services via Service NSW
  • manages the NSW Government communications network.
Public Service Commission
  • Works to promote and maintain a strong ethical culture across the government sector and improve the capabilities, performance and configuration of the sector’s workforce to deliver better services to the public.
  • The Public Service Commission is an independent agency within the Premier and Cabinet cluster.
Note: The Audit Office of NSW is an independent agency included in the Premier and Cabinet cluster for administrative purposes, but not commented on in this report.


A full list of agencies that this report covers by relevant cluster is included in Appendix three.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation clusters for 2018.

Observation Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified opinions were issued for all agencies' financial statements submitted to the Audit Office.

Complex accounting requirements caused significant errors in some agency financial statements, which were corrected before the financial statements were approved.		 Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement.
Recommendation: Agencies should respond to key accounting issues when they are identified by preparing accounting papers and engaging with Treasury, the Audit Office and their Audit and Risk Committee when these matters are identified.
2.2 Timeliness of financial reporting
Most agencies complied with the statutory timeframe for completion of early close procedures, 48 agencies in the Treasury cluster did not comply with the statutory requirement to prepare financial statements, and the audits of nine agencies in the Treasury cluster were not completed within the statutory timeframe.
All financial statement information of the 48 agencies that did not prepare financial statements has been captured in the consolidated financial statements of their parent entity, which was subject to audit.		 Early close procedures allow financial reporting issues and risks to be addressed early in the audit process. The timeliness of financial reporting can be improved by performing more robust early close procedures.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

  • our financial statement audits of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster for 2018
  • the areas of focus identified in the Audit Office work program.

The Audit Office work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation Conclusions and recommendations
3.1 Internal controls
The 2017–18 audits found one high risk issue and 83 moderate risk issues across the agencies. Nineteen per cent of all issues were repeat issues. Agencies should focus on rectifying repeat issues.
The high risk issue at Service NSW related to several deficiencies in procurement and contract management processes. Service NSW may not be achieving value-for-money
from their procurement and contract management activities. The high risk issue should be rectified as a matter of priority. This includes updating and implementing its procurement, vendor and contract management frameworks and delivering training to key staff involved in procurement and contract management activities.
Property NSW has implemented several controls during the year to rectify the high risk issue identified last year related to its transition to a new property and facility management service provider. However, the service providers performance remains below expectations and there are further opportunities to improve oversight and lift performance. Property NSW can better define roles and accountabilities with the service provider and formalise policies and processes associated with its monitoring and oversight of the service provider.

Implementing relevant KPIs, receiving timely reports and providing timely review and feedback to the service provider may help to lift performance.
GovConnect received unqualified opinions from their service auditor on all business process controls, except for information technology controls provided by Unisys, where a qualified opinion was received from the service auditor. A qualified opinion was received because of several deficiencies in user access controls. These internal control deficiencies increase the risk of unauthorised access to key business systems, and increase audit effort and costs associated with addressing the risks arising from the deficiencies.
3.2 Audit Office annual work program

Remediation of the Barangaroo site is now estimated to cost the Barangaroo Delivery Authority in excess of net $400 million.
 
The increase in the estimate over the last five years is mainly due to the extent of remediation required, as more evidence of contamination has become known.

 Measuring the remaining costs to remediate requires the use of estimation techniques and judgements, making the actual outcome inherently uncertain. We reviewed evidence to support the provision for remediation, including future costs estimates and this evidence supported management’s estimate.
The State Insurance Regulatory Authority have administered the refund of $138 million in Green slip refunds to policy holders through Service NSW during 2017–18. At 30 June 2018, $112 million in refunds are yet to be claimed.
 
We reviewed the systems and processes supporting the refund process. While we found that this supports the disbursement of refunds to policyholders there were some deficiencies in Service NSW’s project controls when the program was being developed.
 		 Service NSW should apply the lessons learnt from this program to other programs it is delivering or will be delivering for agencies.
Revenue NSW recorded $30.4 billion from taxes, fines and fees in 2017–18 ($30.0 billion in 2016–17) to support the State’s finances. 
 		 Crown revenue has steadily increased over the last five years predominately driven by rises in payroll tax and land tax and responsibility for collection of the Emergency Services Levy transferring to Revenue NSW under the Emergency Services Levy Act 2017 effective from July 2017. 
3.3 Managing maintenance
Place Management NSW manages significant commercial and retail leases and maintains public domain spaces and other assets around the harbour foreshore. It has consistently underspent its asset maintenance budget. In 2017–18, asset maintenance expenses were only 34 per cent of budgeted maintenance expense.

Currently, Place Management NSW does not use any ratios or benchmarks to determine the adequacy of its maintenance spend or to monitor whether it is achieving its budgeted maintenance program. 		 This may be contributing to a high proportion of unplanned maintenance, which Place Management NSW reports was 38 per cent of total maintenance expense in 2017–18.

Place Management NSW is outsourcing its property and facilities management function from 1 December 2018 to an external service provider. 
 

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation Conclusions and recommendation
5.1 Superannuation funds
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). 
However, legislation allows the responsible Minister to prescribe prudential standards, reporting and audit requirements. 		 Structured and comprehensive prudential oversight of these Funds is important as they operate in a volatile financial sector, have 103,000 members and manage investments of $43.3 billion.
Recommendation: Treasury should consult with the Trustees of the STC Pooled Fund and PCS Fund to prescribe appropriate prudential standards and requirements, including oversight arrangements.
5.2 Insurance and compensation
Nominal Insurer and NSW Self Insurance Corporation investment performance marginally exceeded benchmark over the past five years. Investment returns can impact on the premiums required to maintain an adequate funding ratio in addition to other factors such as claims experience and discount rates.
The Workers Compensation Nominal Insurer (Nominal Insurer) and NSW Self Insurance Corporation's net collected premiums and contributions decreased over the past five years.  The insurance schemes' investment performance and stable claim payments have enabled less reliance on net collected premiums and contributions as a source of funding, over the past five years. 
Reforms were introduced to manage the Home Warranty Scheme's financial sustainability risks.  The Home Warranty Scheme has not collected sufficient premiums to fund expected claims costs, since commencing operations in 2011. In 2017–18, the Crown contributed $181 million for historical shortfalls. New reforms started on 1 January 2018 enabling the Scheme to price premiums based on risk. 

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Appendix four - Timeliness of financial reporting and audit reporting

Appendix five - Management letter findings by risk rating

Appendix six – Financial data

Published

Internal Controls and Governance 2018

Education
Community Services
Finance
Health
Industry
Justice
Planning
Premier and Cabinet
Transport
Treasury
Whole of Government
Environment
Compliance
Cyber security
Financial reporting
Fraud
Information technology
Internal controls and governance
Management and administration
Procurement
Project management

The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.

This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.

This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.

This report offers insights into internal controls and governance in the NSW public sector

This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

  • highlighting the potential risks posed by weaknesses in controls and governance processes
  • helping agencies benchmark the adequacy of their processes against their peers
  • focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:

  1. Internal control trends
  2. Information technology (IT), including IT vendor management
  3. Transparency and performance reporting
  4. Management of purchasing cards and taxis
  5. Fraud and corruption control.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.

The focus of the report has changed since last year

Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Agencies selected for the volume account for 95 per cent of the state's expenditure

While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.

Observation Conclusions and recommendations
2.1 High risk findings
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16. Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority.
2.2 Common findings
We found several internal controls and governance findings common to multiple agencies. Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective.
2.3 New and repeat findings
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies. The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies.
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases

Recommendation: Agencies should reduce IT risks by:

  • assigning ownership of recommendations to address IT control deficiencies, with timeframes and actions plans for implementation
  • ensuring audit and risk committees and agency management regularly monitor the implementation status of recommendations.

 

Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.

Observation Conclusions and recommendations
3.1 Management of IT vendors
Contract management framework 
Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review.
 

Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:

  • internal audit focusing on key contracting activities
  • experienced officers who are independent of contract administration performing spot checks or peer reviews
  • targeted analysis of data in contract registers.
Contract risk management
Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract.
 		 Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination.

Performance management
Eighty-six per cent of agencies meet with vendors to discuss performance. 

Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance.

Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:

  • a more active, rigorous approach to both risk and performance management
  • checking the accuracy of vendor reporting against those KPIs and where appropriate seeking assurance over their accuracy
  • invoking performance based payments clauses in contracts when performance falls below agreed standards.

Transitioning services
Forty-three per cent of the IT vendor contracts did not contain transitioning-out provisions.

Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor.

 Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'.
Contract Registers
Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete.

Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:

  • monitoring contract end dates and contract extensions, and commence new procurements through their central procurement teams in a timely manner
  • managing their contractual commitments, budgeting and cash flow requirements.

Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations.
3.2 IT general controls
Governance
Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review.
 		 Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments. 

User access administration
Seventy-two deficiencies were identified related to user access administration, including:

  • thirty issues related to granting user access across 43 per cent of agencies
  • sixteen issues related to removing user access across 30 per cent of agencies
  • twenty-six issues related to periodic reviews of user access across 50 per cent of agencies.
 Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems.
Privileged access
Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities.

Recommendation: Agencies should:

  • review the number of, and access granted to privileged users, and assess and document the risks associated with their activities
  • monitor user access to address risks from unauthorised activity.
Password controls
Twenty-three per cent of agencies did not comply with their own policy on password parameters.		 Recommendation: Agencies should ensure IT password settings comply with their password policies.
Program changes
Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment.		 Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed.

 

This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.

Observation Conclusion or recommendation
4.1 Reporting on performance

Only 57 per cent of agencies linked reporting on performance to their strategic objectives.

The use of targets and reporting performance over time was limited and applied inconsistently.

Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information.

Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports.

There is no independent assurance that the performance metrics agencies report in their annual reports are accurate.

Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported.

Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited.

The relevance and accuracy of performance information is enhanced when:

  • policies and guidance support the consistent and accurate collection of data
  • internal review processes and management oversight are effective
  • independent review processes are established to provide effective challenge to the assumptions, judgements and methodology used to collect the reported performance information.
4.2 Reporting on reports

Agency reporting on major projects does not meet the requirements of the annual reports regulation.

Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations.

NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations.

Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress.

The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works.

Sixteen of 30 agencies reported some information on completed major works.

Conclusion: Agencies could improve their transparency if they reported, or were required to report:

  • on both works in progress and projects completed during the year
  • actual costs and completion dates, and forecast completion dates for major works, against original and revised budgets and original expected completion dates
  • explanations for significant cost overruns, delays and key project performance metrics.

 

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.

Observation Conclusion or recommendation
5.1 Management of purchasing cards
Volume of credit card spend
Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement.
 		 Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards.
Policy framework
We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy.		 Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'.
Preventative controls
We found that:
  • all agencies maintained purchasing card registers
  • seventy-six per cent provided training to cardholders prior to being issued with a card
  • eighty-nine per cent appointed a program administrator, but only half of these had clearly defined roles and responsibilities
  • thirty-two per cent of agencies place merchant blocks on purchasing cards
  • forty-seven per cent of agencies place geographic restrictions on purchasing cards.

Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards.

Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:

  • updating purchasing card registers to contain all mandatory fields required by TPP17–09
  • appointing a program administrator for the agency's purchasing card framework and defining their role and responsibility for the function
  • strengthening preventive controls to prevent misuse.

Detective controls
Ninety-two per cent of agencies have designed and implemented at least one control to monitor purchasing card activity.

Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used.

Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards.

Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:

  • detect misuse and investigate exceptions
  • analyse trends to highlight cost saving opportunities.
5.2 Management of taxis
Policy framework
Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition:
  • a further 41 per cent of agencies have not reviewed their policies by the scheduled revision date, or do not have a scheduled revision date
  • more than half of all agencies’ policies do not offer alternative travel options. For example, only 36 per cent of policies promoted the use of general Opal cards.
 Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies:
  • limit the circumstances where taxi use is appropriate
  • offer alternate, lower cost options to using taxis, such as general Opal cards and rideshare.
Detective controls
All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews.		 Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program.

 

Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.

Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:

  • unreported frauds in organisations can be almost three times the number of reported frauds
  • our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
  • fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
  • agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.

Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018. 

Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.

Observation Conclusion or recommendation
6.1 Prevention systems

Prevention systems
Ninety-two per cent of agencies have a fraud control plan in place, 81 per cent maintain a fraud database and 79 per cent report fraud and corruption matters as a standing item on audit and risk committee agendas.

Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies.

Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data.

Agencies can improve their fraud prevention systems by:

  • completing regular fraud risk assessments, embedding fraud risk assessment into their enterprise risk management process and reporting the results of the assessment to the audit and risk committee
  • maintaining a fraud database and reviewing it regularly for systemic issues and reporting a redacted version of the database on the agency's website to inform corruption prevention networks
  • developing policies and procedures for employee screening and benchmarking their current processes against ICAC's publication ‘Strengthening Employment Screening Practices in the NSW Public Sector’
  • developing and maintaining up to date IT security policies and monitoring compliance with the policy.
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be.  Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified.
6.2 Detection systems
Detection systems
Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program.
 

Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses.

Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment.
6.3 Notification systems
Notification system
All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption.		 Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture

 

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Published

Regulation of water pollution in drinking water catchments and illegal disposal of solid waste

Environment
Compliance
Internal controls and governance
Management and administration
Regulation
Risk

There are important gaps in how the Environmental Protection Authority (EPA) implements its regulatory framework for water pollution in drinking water catchments and illegal solid waste disposal. This limits the effectiveness of its regulatory responses, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.

The NSW Environment Protection Authority (the EPA) is the State’s primary environmental regulator. The EPA regulates waste and water pollution under the Protection of the Environment Operations Act 1997 (the Act) through its licensing, monitoring, regulation and enforcement activities. The community should be able to rely on the effectiveness of this regulation to protect the environment and human health. The EPA has regulatory responsibility for more significant and specific activities which can potentially harm the environment.

Activities regulated by the EPA include manufacturing, chemical production, electricity generation, mining, waste management, livestock processing, mineral processing, sewerage treatment, and road construction. For these activities, the operator must have an EPA issued environment protection licence (licence). Licences have conditions attached which may limit the amount and concentrations of substances the activity may produce and discharge into the environment. Conditions also require the licensee to report on its licensed activities.

This audit assessed the effectiveness of the EPA’s regulatory response to water pollution in drinking water catchments and illegal solid waste disposal. The findings and recommendations of this review can be reasonably applied to the EPA’s other regulatory functions, as the areas we examined were indicative of how the EPA regulates all pollution types and incidents.

 
Conclusion
There are important gaps in how the EPA implements its regulatory framework for water pollution in drinking water catchments and illegal solid waste disposal which limit the effectiveness of its regulatory response. The EPA uses a risk-based regulatory framework that has elements consistent with the NSW Government Guidance for regulators to implement outcomes and risk-based regulation. However, the EPA did not demonstrate that it has established reliable practices to accurately and consistently detect the risk of non compliances by licensees, and apply consistent regulatory actions. This may expose the risk of harm to the environment and human health.
The EPA also could not demonstrate that it has effective governance and oversight of its regulatory operations. The EPA operates in a complex regulatory environment where its regional offices have broad discretions for how they operate. The EPA has not balanced this devolved structure with an effective governance approach that includes appropriate internal controls to monitor the consistency or quality of its regulatory activities. It also does not have an effective performance framework that sets relevant performance expectations and outcome-based key performance indicators (KPIs) for its regional offices. 
These deficiencies mean that the EPA cannot be confident that it conducts compliance and enforcement activities consistently across the State and that licensees are complying with their licence conditions or the Act.
The EPA's reporting on environmental and regulatory outcomes is limited and most of the data it uses is self reported by industry. It has not set outcome-based key result areas to assess performance and trends over time. 
The EPA uses a risk-based regulatory framework for water pollution and illegal solid waste disposal but there are important gaps in implementation that reduce its effectiveness.
Elements of the EPA’s risk-based regulatory framework for water pollution and illegal solid waste disposal are consistent with the NSW Government Guidance for regulators to implement outcomes and risk-based regulation. There are important gaps in how the EPA implements its risk-based approach that limit the effectiveness of its regulatory response. The EPA could not demonstrate that it effectively regulates licensees because it has not established reliable practices that accurately and consistently detect licence non compliances or breaches of the Act and enforce regulatory actions.
The EPA lacks effective governance arrangements to support its devolved regional structure. The EPA's performance framework has limited and inconclusive reporting on regional performance to the EPA’s Chief Executive Officer or to the EPA Board. The EPA cannot assure that it is conducting its regulatory responsibilities effectively and efficiently. 
The EPA does not consistently evaluate its regulatory approach to ensure it is effective and efficient. For example, there are no set requirements for how EPA officers conduct mandatory site inspections, which means that there is a risk that officers are not detecting all breaches or non-compliances. The inconsistent approach also means that the EPA cannot rely on the data it collects from these site inspections to understand whether its regulatory response is effective and efficient. In addition, where the EPA identifies instances of non compliance or breaches, it does not apply all available regulatory actions to encourage compliance.
The EPA also does not have a systematic approach to validate self-reported information in licensees’ annual returns, despite the data being used to assess administrative fees payable to the EPA and its regulatory response to non-compliances. 
The EPA does not use performance frameworks to monitor the consistency or quality of work conducted across the State. The EPA has also failed to provide effective guidance for its staff. Many of its policies and procedures are out-dated, inconsistent, hard to access, or not mandated.
Recommendations
By 31 December 2018, to improve governance and oversight, the EPA should:
1. implement a more effective performance framework with regular reports to the Chief Executive Officer and to the EPA Board on outcomes-based key result areas that assess its environmental and regulatory performance and trends over time
By 30 June 2019, to improve consistency in its practices, the EPA should:
2. progressively update and make accessible its policies and procedures for regulatory operations, and mandate procedures where necessary to ensure consistent application
3. implement internal controls to monitor the consistency and quality of its regulatory operations. 
The EPA does not apply a consistent approach to setting licence conditions for discharges to water.
The requirements for setting licence conditions for water pollution are complex and require technical and scientific expertise. In August 2016, the EPA approved guidance developed by its technical experts in the Water Technical Advisory Unit to assist its regional staff. However, the EPA did not mandate the use of the guidance until mid-April 2018. Up until then, the EPA had left discretion to regional offices to decide what guidance their staff use. This meant that practices have differed across the organisation. The EPA is yet to conduct training for staff to ensure they consistently apply the 2016 guidance.
The EPA has not implemented any appropriate internal controls or quality assurance process to monitor the consistency or quality of licence conditions set by its officers across the State. This is not consistent with good regulatory practice.
The triennial 2016 audit of the Sydney drinking water catchment report highlighted that Lake Burragorang has experienced worsening water quality over the past 20 years from increased salinity levels. The salinity levels were nearly twice as high as in other storages in the Sydney drinking water catchment. The report recommended that the source and implication of the increased salinity levels be investigated. The report did not propose which public authority should carry out such an investigation. 
To date, no NSW Government agency has addressed the report's recommendation. There are three public authorities, the EPA, DPE and WaterNSW that are responsible for regulating activities that impact on water quality in the Sydney drinking water catchment, which includes Lake Burragorang. 
Recommendation
By 30 June 2019, to address worsening water quality in Lake Burragorang, the EPA should:
4. (a) review the impact of its licensed activities on water quality in Lake Burragorang, and
  (b) develop strategies relating to its licensed activities (in consultation with other relevant NSW Government agencies) to improve and maintain the lake's water quality.
The EPA’s risk-based approach to monitoring compliance of licensees has limited effectiveness. 
The EPA tailors its compliance monitoring approach based on the performance of licensees. This means that licensees that perform better have a lower administrative fee and fewer mandatory site inspections. 
However, this approach relies on information that is not complete or accurate. Sources of information include licensees’ annual returns, EPA site inspections and compliance audits, and pollution reports from the public. 
Licensees report annually to the EPA on their performance, including compliance against their licence conditions. The Act contains significant financial penalties if licensees provide false and misleading information in their annual returns. However, the EPA does not systematically or consistently validate information self-reported by licensees, or consistently apply regulatory actions if it discovers non-compliance. 
Self-reported compliance data is used in part to assess a licensed premises’ overall environmental risk level, which underpins the calculation of the administrative fee, the EPA’s site inspection frequency, and the licensee’s exposure to regulatory actions. It is also used to assess the load-based licence fee that the licensee pays.
The EPA has set minimum mandatory site inspection frequencies for licensed premises based on its assessed overall risk level. This is a key tool to detect non-compliance or breaches of the Act. However, the EPA has not issued a policy or procedures that define what these mandatory inspections should cover and how they are to be conducted. We found variations in how the EPA officers in the offices we visited conducted these inspections. The inconsistent approach means that the EPA does not have complete and accurate information of licensees’ compliance. The inconsistent approach also means that the EPA is not effectively identifying all non-compliances for it to consider applying appropriate regulatory actions.
The EPA also receives reports of pollution incidents from the public that may indicate non-compliance. However, the EPA has not set expected time frames within which it expects its officers to investigate pollution incidents. The EPA regional offices decide what to investigate and timeframes. The EPA does not measure regional performance regarding timeframes. 
The few compliance audits the EPA conducts annually are effective in identifying licence non-compliances and breaches of the Act. However, the EPA does not have a policy or required procedures for its regulatory officers to consistently apply appropriate regulatory actions in response to compliance audit findings. 
The EPA has not implemented any effective internal controls or quality assurance process to check the consistency or quality of how its regulatory officers monitor compliance across the State. This is not consistent with good regulatory practice.
Recommendations
To improve compliance monitoring, the EPA should implement procedures to:
5. by 30 June 2019, validate self-reported information, eliminate hardcopy submissions and require licensees to report on their breaches of the Act and associated regulations in their annual returns
6. by 31 December 2018, conduct mandatory site inspections under the risk-based licensing scheme to assess compliance with all regulatory requirements and licence conditions.
 
The EPA cannot assure that its regulatory enforcement approach is fully effective.
The EPA’s compliance policy and prosecution guidelines have a large number of available regulatory actions and factors which should be taken into account when selecting an appropriate regulatory response. The extensive legislation determining the EPA’s regulatory activities, and the devolved regional structure the EPA has adopted in delivering its compliance and regulatory functions, increases the risk of inconsistent compliance decisions and regulatory responses. A good regulatory framework needs a consistent approach to enforcement to incentivise compliance. 
The EPA has not balanced this devolved regional structure with appropriate governance arrangements to give it assurance that its regulatory officers apply a consistent approach to enforcement.
The EPA has not issued standard procedures to ensure consistent non-court enforcement action for breaches of the Act or non-compliance with licence conditions. Given our finding that the EPA does not effectively detect breaches and non-compliances, there is a risk that it is not applying appropriate regulatory actions for many breaches and non-compliances.
A recent EPA compliance audit identified significant non-compliances with incident management plan requirements. However, the EPA has not applied regulatory actions for making false statements on annual returns for those licensees that certified their plans complied with such requirements. The EPA also has not applied available regulatory actions for the non-compliances which led to the false or misleading statements.
Recommendation
By 31 December 2018 to improve enforcement, the EPA should:
7. Implement procedures to systematically assess non-compliances with licence conditions and breaches of the Act and to implement appropriate and consistent regulatory actions.
The EPA has implemented the actions listed in the NSW Illegal Dumping Strategy 2014–16. To date, the EPA has also implemented four of the six recommendations made by the ICAC on EPA's oversight of Regional Illegal Dumping Squads.
The EPA did not achieve the NSW Illegal Dumping Strategy 2014–16 target of a 30 per cent reduction in instances of large scale illegal dumping in Sydney, the Illawarra, Hunter and Central Coast from 2011 levels. 
In the reporting period, the incidences of large scale illegal dumping more than doubled. The EPA advised that this increase may be the result of greater public awareness and reporting rather than increased illegal dumping activity. 
By June 2018, the EPA is due to implement one outstanding recommendation made by the ICAC but has not set a time for the other outstanding recommendation.  

Appendix one – Response from agency

Appendix two – List of enforcement tools

Appendix three – The EPA's organisational structure

Appendix four – The EPA's regions and branches

Appendix five – About the audit

Appendix six – Performance auditing

 

Parliamentary reference - Report number #304 - released 28 June 2018

Published

Assessment of the use of a training program

Finance
Internal controls and governance
Management and administration

The Department of Finance, Services and Innovation (DFSI) and Service NSW's use of Franklin Covey's '7 Habits' program (the Program) met identified business needs according to a report released today by the Auditor-General for New South Wales Margaret Crawford. 

This audit assesses the effectiveness and economy of the Department of Finance, Services and Innovation's, including Service NSW's, use of the Franklin Covey ‘7 Habits’ program (the Program). On 15 March 2018, the Hon. Victor Dominello MP, Minister for Finance, Services and Property, requested the Auditor General conduct this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 (the Act).

About the agencies

The Department of Finance, Services and Innovation (the Department) is the lead agency of the Finance, Services and Innovation cluster. The Department has a number of divisions and business units, including: ICT and Digital Government, Property and Advisory Group, Better Regulation, NSW Fair Trading, Government and Corporate Services, and Revenue NSW. At 30 June 2017, the Department (excluding Service NSW) had 5,239 full-time equivalent staff.

Service NSW is a central point of contact for customers accessing NSW Government Services. It is a Division of the Finance, Services and Innovation cluster and operates as an executive agency. As an executive agency, Service NSW is led by a Chief Executive Officer, who is responsible to the Minister for Finance, Services and Property but appointed by the Secretary of the Department of Finance, Services and Innovation. Service NSW was established in 2013 and has operated under the Finance, Services and Innovation cluster since July 2015. At 30 June 2017, Service NSW had 1,989 full-time equivalent staff.

About the Program

The Program that the Department and Service NSW are implementing, and which is the subject of this audit, is a professional development training course which focusses on organisational culture emphasising personal effectiveness, leadership development and change management. All staff in the Department and Service NSW will receive the training, which involves:

  • a 360-degree assessment where every staff member receives feedback from their manager, direct reports, and peers
  • a two-day training workshop, which will be delivered face to face by accredited facilitators
  • 2 years of online access to all training materials created by the provider of the Program.

As part of the licensing arrangement purchased by the agencies, the Program also provides access (at no extra cost) to the full range of the provider's training and development courses that might be useful for other learning and development activities. This includes courses to improve staff capability in communication skills, leadership, productivity and customer engagement. The Department is considering using one of these courses to develop leadership capabilities. Service NSW has integrated three of these courses into its people development curriculum.

Service NSW commenced the first sessions of the Program in May 2017. At 24 April 2018, around 1,000 staff had undertaken the training. Service NSW expects all staff to complete the Program by June 2019.

The Department of Finance, Services and Innovation commenced the first sessions of the Program in August 2017. At 18 April 2018, around 175 staff had undertaken the training. The Department expects all staff to complete the Program by December 2019.

Audit objective and criteria

The audit sought to assess the effectiveness and economy of the Finance, Services and Innovation cluster’s use of the Program. In making this assessment, we considered whether:

  1.  the Program is being used effectively, including whether
    1. there is an identified need for the Program
    2. the use of the Program meets the identified need
    3. Finance, Services and Innovation cluster agencies evaluate the effectiveness of the Program
  2. the Program is economical, including whether:
    1. the procurement complies with all relevant policies and processes
    2. funding and resources allocated to the Program are reasonable.
Conclusion
The Department of Finance, Services and Innovation, and Service NSW developed workforce strategies which identified a business need to improve organisational culture and staff engagement. The Program met the identified business needs and both agencies negotiated value for money contracts for the delivery of the Program when compared to other available options for training all staff.
However, the agencies did not document evidence to show that training all staff members was necessary to meet their business needs, as compared with training fewer staff members at a lower overall cost. As a result, we are unable to form a view on whether the approach to train all staff members was economical. The agency heads have subsequently provided information supporting their decisions to train all staff members. This information indicates their decisions were based on evidence that this would meet the goals of their workforce strategies, including improving employee engagement scores and organisational culture change.
The Department is paying $1,320,700, over three years, for up to 5,600 staff to participate in the Program ($235.84 per person). Service NSW is paying $595,000, over two years, for up to 2,400 staff to participate in the Program ($247.92 per person).
The agencies are collecting the data they need to evaluate the Program and there is some evidence that the Program is achieving its objectives in Service NSW. Due to the timing of this audit, there is not yet enough information available to comment on whether the Program is achieving its objectives in the Department.

Sector-wide learnings

Implementing robust learning and development frameworks

  1. Agencies should evidence decisions about how proposed learning and development opportunities will meet staff and business needs - both in the program design, and through evaluation. In many cases, organisations may have unique needs or circumstances, or may want to trial innovative approaches to improving organisational capability. Innovation should be encouraged, to avoid the risk that agencies are locked into outdated training and development models. However such approaches should be balanced by ensuring that business needs are well scoped and defined.
     
  2. Agencies implementing innovative or new approaches to learning and development should build-in iterative evaluations (such as pulse surveys, or collecting post-participation qualitative feedback) to ensure that the training is delivered on intended benefits, and to inform improvements to ongoing rollout.
     
  3. Agencies implementing innovative or new training programs should ensure they build enough flexibility into contracts so that they can assess how well programs are meeting staff and business needs, and use evidence to inform whether further rollout should occur.

Appendix one – Response from agencies

Appendix two – Evaluation methodologies

Appendix three – About the audit

Published

Managing risks in the NSW public sector: risk culture and capability

Finance
Health
Justice
Treasury
Internal controls and governance
Management and administration
Risk
Workforce and capability

The Ministry of Health, NSW Fair Trading, NSW Police Force, and NSW Treasury Corporation are taking steps to strengthen their risk culture, according to a report released today by the Auditor-General, Margaret Crawford. 'Senior management communicates the importance of managing risk to their staff, and there are many examples of risk management being integrated into daily activities', the Auditor-General said.

We did find that three of the agencies we examined could strengthen their culture so that all employees feel comfortable speaking openly about risks. To support innovation, senior management could also do better at communicating to their staff the levels of risk they are willing to accept.

Effective risk management is essential to good governance, and supports staff at all levels to make informed judgements and decisions. At a time when government is encouraging innovation and exploring new service delivery models, effective risk management is about seizing opportunities as well as managing threats.

Over the past decade, governments and regulators around the world have increasingly turned their attention to risk culture. It is now widely accepted that organisational culture is a key element of risk management because it influences how people recognise and engage with risk. Neglecting this ‘soft’ side of risk management can prevent institutions from managing risks that threaten their success and lead to missed opportunities for change, improvement or innovation.

This audit assessed how effectively NSW Government agencies are building risk management capabilities and embedding a sound risk culture throughout their organisations. To do this we examined whether:

  • agencies can demonstrate that senior management is committed to risk management
  • information about risk is communicated effectively throughout agencies
  • agencies are building risk management capabilities.

The audit examined four agencies: the Ministry of Health, the NSW Fair Trading function within the Department of Finance, Services and Innovation, NSW Police Force and NSW Treasury Corporation (TCorp). NSW Treasury was also included as the agency responsible for the NSW Government's risk management framework.

Conclusion
All four agencies examined in the audit are taking steps to strengthen their risk culture. In these agencies, senior management communicates the importance of managing risk to their staff. They have risk management policies and funded central functions to oversee risk management. We also found many examples of risk management being integrated into daily activities.
That said, three of the four case study agencies could do more to understand their existing risk culture. As good practice, agencies should monitor their employees’ attitude to risk. Without a clear understanding of how employees identify and engage with risk, it is difficult to tell whether the 'tone' set by the executive and management is aligned with employee behaviours.
Our survey of risk culture found that three agencies could strengthen a culture of open communication, so that all employees feel comfortable speaking openly about risks. To support innovation, senior management could also do better at communicating to their staff the levels of risk they are willing to accept.
Some agencies are performing better than others in building their risk capabilities. Three case study agencies have reviewed the risk-related skills and knowledge of their workforce, but only one agency has addressed the gaps the review identified. In three agencies, staff also need more practical guidance on how to manage risks that are relevant to their day-to-day responsibilities.
NSW Treasury provides agencies with direction and guidance on risk management through policy and guidelines. Its principles-based approach to risk management is consistent with better practice. Nevertheless, there is scope for NSW Treasury to develop additional practical guidance and tools to support a better risk culture in the NSW public sector. NSW Treasury should encourage agency heads to form a view on the current risk culture in their agencies, identify desirable changes to that risk culture, and take steps to address those changes. 

In assessing an agency’s risk culture, we focused on four key areas:

Executive sponsorship (tone at the top)

In the four agencies we reviewed, senior management is communicating the importance of managing risk. They have endorsed risk management frameworks and funded central functions tasked with overseeing risk management within their agencies.

That said, we found that three case study agencies do not measure their existing risk culture. Without clear measures of how employees identify and engage with risk, it is difficult for agencies to tell whether employee's behaviours are aligned with the 'tone' set by the executive and management.

For example, in some agencies we examined we found a disconnect between risk tolerances espoused by senior management and how these concepts were understood by staff.

Employee perceptions of risk management

Our survey of staff indicated that while senior leaders have communicated the importance of managing risk, more could be done to strengthen a culture of open communication so that all employees feel comfortable speaking openly about risks. We found that senior management could better communicate to their staff the levels of risk they should be willing to accept.

Integration of risk management into daily activities and links to decision-making

We found examples of risk management being integrated into daily activities. On the other hand, we also identified areas where risk management deviated from good practice. For example, we found that corporate risk registers are not consistently used as a tool to support decision-making.

Support and guidance to help staff manage risks

Most case study agencies are monitoring risk-related skills and knowledge of their workforce, but only one agency has addressed the gaps it identified. While agencies are providing risk management training, surveyed staff in three case study agencies reported that risk management training is not adequate.

NSW Treasury provides agencies with direction and guidance on risk management through policy and guidelines. In line with better practice, NSW Treasury's principles-based policy acknowledges that individual agencies are in a better position to understand their own risks and design risk management frameworks that address those risks. Nevertheless, there is scope for NSW Treasury to refine its guidance material to support a better risk culture in the NSW public sector.

Recommendation

By May 2019, NSW Treasury should:

  • Review the scope of its risk management guidance, and identify additional guidance, training or activities to improve risk culture across the NSW public sector. This should focus on encouraging agency heads to form a view on the current risk culture in their agencies, identify desirable changes to that risk culture, and take steps to address those changes.

Appendix one - Response from agencies

Appendix two - Survey results

Appendix three - About the audit

Appendix four - Performance auditing

 

Parliamentary reference - Report number #298 - released 23 April 2018

Published

Detecting and responding to cyber security incidents

Finance
Cyber security
Information technology
Internal controls and governance
Management and administration
Workforce and capability

A report released today by the Auditor-General for New South Wales, Margaret Crawford, found there is no whole-of-government capability to detect and respond effectively to cyber security incidents. There is very limited sharing of information on incidents amongst agencies, and some agencies have poor detection and response practices and procedures.

The NSW Government relies on digital technology to deliver services, organise and store information, manage business processes, and control critical infrastructure. The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.

This audit examined cyber security incident detection and response in the NSW public sector. It focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the Information Security Community of Practice, the Information Security Event Reporting Protocol, and the Digital Information Security Policy (the Policy).

The audit also examined ten case study agencies to develop a perspective on how they detect and respond to incidents. We chose agencies that are collectively responsible for personal data, critical infrastructure, financial information and intellectual property.

Conclusion
There is no whole‑of‑government capability to detect and respond effectively to cyber security incidents. There is limited sharing of information on incidents amongst agencies, and some of the agencies we reviewed have poor detection and response practices and procedures. There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost.
Given current weaknesses, the NSW public sector’s ability to detect and respond to incidents needs to improve significantly and quickly. DFSI has started to address this by appointing a Government Chief Information Security Officer (GCISO) to improve cyber security capability across the public sector. Her role includes coordinating efforts to increase the NSW Government’s ability to respond to and recover from whole‑of‑government threats and attacks.

Some of our case study agencies had strong processes for detection and response to cyber security incidents but others had a low capability to detect and respond in a timely way.

Most agencies have access to an automated tool for analysing logs generated by their IT systems. However, coverage of these tools varies. Some agencies do not have an automated tool and only review logs periodically or on an ad hoc basis, meaning they are less likely to detect incidents.

Few agencies have contractual arrangements in place for IT service providers to report incidents to them. If a service provider elects to not report an incident, it will delay the agency’s response and may result in increased damage.

Most case study agencies had procedures for responding to incidents, although some lack guidance on who to notify and when. Some agencies do not have response procedures, limiting their ability to minimise the business damage that may flow from a cyber security incident. Few agencies could demonstrate that they have trained their staff on either incident detection or response procedures and could provide little information on the role requirements and responsibilities of their staff in doing so.

Most agencies’ incident procedures contain limited information on how to report an incident, who to report it to, when this should occur and what information should be provided. None of our case study agencies’ procedures mentioned reporting to DFSI, highlighting that even though reporting is mandatory for most agencies their procedures do not require it.

Case study agencies provided little evidence to indicate they are learning from incidents, meaning that opportunities to better manage future incidents may be lost.

Recommendations

The Department of Finance, Services and Innovation should:

  • assist agencies by providing:
    • better practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures
    • training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees
    • role requirements and responsibilities for cyber security across government, relevant to size and complexity of each agency
    • a support model for agencies that have limited detection and response capabilities
       
  • revise the Digital Information Security Policy and Information Security Event Reporting Protocol by
    • clarifying what security incidents must be reported to DFSI and when
    • extending mandatory reporting requirements to those NSW Government agencies not currently covered by the policy and protocol, including State owned corporations.

DFSI lacks a clear mandate or capability to provide effective detection and response support to agencies, and there is limited sharing of information on cyber security incidents.

DFSI does not currently have a clear mandate and the necessary resources and systems to detect, receive, share and respond to cyber security incidents across the NSW public sector. It does not have a clear mandate to assess whether agencies have an acceptable detection and response capability. It is aware of deficiencies in agencies and across whole‑of‑government, and has begun to conduct research into this capability.

Intelligence gathering across the public sector is also limited, meaning agencies may not respond to threats in a timely manner. DFSI has not allocated resources for gathering of threat intelligence and communicating it across government, although it has begun to build this capacity.

Incident reporting to DFSI is mandatory for most agencies, however, most of our case study agencies do not report incidents to DFSI, reducing the likelihood of containing an incident if it spreads to other agencies. When incidents have been reported, DFSI has not provided dedicated resources to assess them and coordinate the public sector’s response. There are currently no formal requirements for DFSI to respond to incidents and no guidance on what it is meant to do if an incident is reported. The lack of central coordination in incident response risks delays and increased damage to multiple agencies.

DFSI's reporting protocol is weak and does not clearly specify what agencies should report and when. This makes agencies less likely to report incidents. The lack of a standard format for incident reporting and a consistent method for assessing an incident, including the level of risk associated with it, also make it difficult for DFSI to determine an appropriate response.

There are limited avenues for sharing information amongst agencies after incidents have been resolved, meaning the public sector may be losing valuable opportunities to improve its protection and response.

Recommendations

The Department of Finance, Services and Innovation should:

  • develop whole‑of‑government procedure, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including follow-up and communicating lessons learnt
  • develop a means by which agencies can report incidents in a more effective manner, such as a secure online template, that allows for early warnings and standardised details of incidents and remedial advice
  • enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector
  • direct agencies to include standard clauses in contracts requiring IT service providers report all cyber security incidents within a reasonable timeframe
  • provide assurance that agencies have appropriate reporting procedures and report to DFSI as required by the policy and protocol by:
    • extending the attestation requirement within the DISP to cover procedures and reporting
    • reviewing a sample of agencies' incident reporting procedures each year.

Appendix one - Response from agency

Appendix two - ISMS maturity model

Appendix three - About the audit

Appendix four - Performance auditing

 

Parliamentary reference - Report number #297 - released 2 March 2018

Published

Internal Controls and Governance 2017

Finance
Education
Community Services
Health
Justice
Whole of Government
Asset valuation
Compliance
Cyber security
Information technology
Internal controls and governance
Project management
Risk

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
 

1. Overall trends

New and repeat findings

 The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved.

High risk findings

 Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies.

Common findings

 Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity.

2. Information Technology

IT security

 Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls.

Cyber security

 Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Other IT systems

 Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems.

3. Asset Management

Capital investment

 Agencies report delays delivering against the significant increase in their budgets for capital projects.

Capital projects

 Agencies are underspending their capital budgets and some can improve capital project governance.

Asset disposals

 Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes.

4. Governance

Governance arrangements

 Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues.

Shared services

 Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set.

5. Ethics and Conduct

Ethical framework

 Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics.

Conflicts of interest

 All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

6. Risk Management 

Risk management maturity

 All agencies have implemented risk management frameworks, but with varying levels of maturity.

Risk management elements

 Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency.

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

  1. Overall trends
  2. Information technology
  3. Asset management
  4. Governance
  5. Ethics and conduct
  6. Risk management.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Issues

Recommendations

1.1 New and repeat findings

The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17.

Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.

Recommendation

Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.

1.2 High risk findings

We found seven high risk internal control deficiencies, which might significantly affect agencies.

Recommendation

Agencies should rectify high risk internal control deficiencies as a priority

1.3 Common findings

The most common internal control deficiencies related to poor or absent IT controls.

We found some common governance deficiencies across multiple agencies.

Recommendation

Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.

Issues Recommendations

2.1 IT security

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

  • establish and enforce clear policies and procedures
  • review user access regularly
  • remove user access for terminated staff promptly
  • change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

  • only grant privileged access in line with the responsibilities of a position
  • review the level of access regularly
  • limit privileged access to necessary functions and data
  • monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

  • minimum password lengths and complexity requirements
  • limits on the number of failed log-in attempts
  • password history (such as the number of passwords remembered)
  • maximum and minimum password ages.

2.2 Cyber Security

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

  • mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
  • develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

2.3 Other IT systems

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

  • manage their major capital projects
  • dispose of existing assets.
Issues Recommendations or conclusions

3.1 Capital investment

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrant investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

3.2 Capital projects

Major capital projects

Agencies’ major capital projects were underspent by 13 percent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

3.3. Asset disposals

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

Issues Recommendations or conclusions

4.1 Governance arrangements

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aides better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

  • regular public disclosure of key performance information
  • disclosure of both positive and negative information
  • prompt reporting of significant issues.

4.2 Shared services

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

  • specify the controls a provider must maintain
  • specify key performance targets
  • include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Issues Recommendations or conclusions

5.1 Ethical framework

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

5.2 Potential conflicts of interest

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

  • requiring senior executives to make a conflict-of-interest declaration at least annually
  • implementing processes to identify and address outstanding declarations
  • providing annual training to staff
  • maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Issues Recommendations or conclusions

6.1 Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies’ averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

  • 'Risk Management Toolkit for the NSW Public Sector'
  • 'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

6.2 Risk management elements

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

 

 

Conclusion

Agencies can improve their risk culture by:

  • setting an appropriate tone from the top
  • training all staff in effective risk management
  • ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.

Appendix one - List of 2017 recommendations

Appendix two - Status of 2016 recommendations

Appendix three - Agencies selected for this volume

Published

Planning and Environment 2017

Planning
Environment
Asset valuation
Information technology
Internal controls and governance
Management and administration
Project management

The following report highlights results of financial audits of agencies in the Planning and Environment cluster. The report focuses on key observations and findings from the most recent audits of these agencies.

The audits were completed for most agencies in the cluster and unqualified audit opinions issued. Issues identified during the financial statement audits of seven small agencies delayed their finalisation beyond the statutory deadline, and six of these remain incomplete. Apart from these small agencies, the quality of financial reporting across the cluster remained at a high standard.

1. Financial reporting and controls

Financial reporting Unqualified audit opinions were issued for 39 of the 45 cluster agencies. Issues identified during the financial statement audits of seven small agencies delayed their finalisation beyond the statutory deadline. Six of these audits remain incomplete at the date of this report.
  Agencies completed early close procedures mandated by the Treasury. We noted opportunities for agencies to improve the effectiveness of these procedures.
Internal Controls One in six internal control weaknesses identified during the financial audits were repeat issues. Agencies should action audit recommendations promptly.
  User administration over financial systems needs to be strengthened to prevent inappropriate access to financial information.

2. Service Delivery

 
Housing completions Australian Bureau of Statistics data indicates the Department of Planning and Environment achieved the Premier's priority for housing completions in 2016–17. 
Increasing housing supply Australian Bureau of Statistics data shows the Department of Planning and Environment achieved the annual target of delivering over 50,000 housing approvals over the past three years.
Major project assessment Progress against the State priority target to reduce time taken to assess planning applications for State significant developments is difficult to determine as the measure is unclear.
Litter management The Environment Protection Authority's data indicates that progress towards the Premier's priority target for litter reduction slowed in 2016–17.
Cultural participation The Department of Planning and Environment’s data indicates overall attendance at cultural venues and events in New South Wales increased by 16 per cent in 2015–16.

This report provides Parliament and others with the audit results, observations and recommendations for Planning and Environment cluster agencies. The report has been structured into two chapters focussing on financial reporting and controls and service delivery.

The Planning and Environment cluster plays a role in ensuring each community across New South Wales receives the services and infrastructure it needs.

This chapter outlines our audit observations and recommendations related to financial reporting and controls of Planning and Environment cluster agencies for 2016–17.

Observation Conclusion or recommendation

2.1 Quality of financial reporting

Unqualified audit opinions were issued for 39 of the 45 cluster agencies' financial statements.

Issues identified during the financial statement audits of seven smaller agencies delayed their completion. Six audits remain incomplete at the date of this report.

Apart from these seven small agency audits, the quality of financial reporting across the cluster remained at a high standard.

2.2 Timeliness of financial reporting

Seven agencies' financial statement audits were not completed by the statutory deadline with six audits incomplete at the date of this report.

 Issues identified during the financial statement audits of seven smaller agencies delayed their finalisation beyond the statutory deadline. These agencies would benefit from performing additional early close procedures in future reporting periods.

2.3 Financial and sustainability analysis

Water and Electricity utility agencies continue to operate with low liquidity ratios.

A liquidity ratio below one is an indicator that an entity may not be able to pay its debts as and when they fall due.

Whilst liquidity ratios were below one, utility agencies demonstrated they can continue to support ongoing operations due to:

  • access to regulated revenue streams

  • assets with long useful lives to generate revenue

  • debt funding limits approved by the NSW Treasurer under the Public Authorities (Financial Arrangements) Act 1987.

2.5 Internal controls

One in six internal control weaknesses reported in 2016–17 were repeat issues.

Delays in implementing audit recommendations can prolong the risk of fraud and error.

Recommendation (repeat issue): anagement letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing repeat issues.

Nine of these internal control weaknesses related to the creation, modification, deletion and review of user access to financial systems.

These control weaknesses may compromise the integrity and security of financial data.

Recommendation (repeat issue): Management of user administration over financial systems should be strengthened to prevent inappropriate access to financial information.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17.

Observation Conclusion or recommendation

3.1 Premier's and State priorities
The Planning and Environment cluster is responsible for delivering five Premier's and State priorities.

One priority target was achieved in 2016–17, two targets are on track to be achieved and progress towards one target slowed.

Progress against one target cannot be determined.

3.2 Planning

Housing Completion

  
There were 63,506 housing completions in
2016–17. This was 4.1 per cent above the Premier’s priority target of delivering 61,000 housing completions per year.		 The Australian Bureau of Statistics data shows the housing completions target was achieved in
2016–17.

Housing supply
The number of approvals for new houses in
2016–17 was 72,472 against the State priority target of more than 50,000 approvals per year.		 The Australian Bureau of Statistics data indicates the housing approvals target was achieved in
2016–17.

Major project assessment

  
State significant developments are not clearly defined for the purposes of reporting against the State priority target. The Department of Planning and Environment will clarify with the Department of Premier and Cabinet which developments are captured by the State priority target.
The Department of Planning and Environment’s data shows the time taken to assess complex State significant developments increased by 16 per cent in 2016–17 while the time taken to assess less complex developments reduced by 20 per cent. The Department of Planning and Environment considers it is on track to meet the State priority target of halving the time taken to assess State significant developments, despite uncertainty over the target measure.

Housing acceleration fund

  

Program business cases were not developed for projects in Housing Acceleration Fund Rounds 1 to 4.

The Department advised a program business case will be developed for Housing Acceleration Fund Round 5 projects.

 A program business case is necessary to ensure related projects are evaluated, managed and coordinated effectively.
 

A benefit realisation review process has not yet been approved for Housing Acceleration Fund projects.

The Department of Planning and Environment advised it is developing a benefit realisation review process.

 A benefit realisation review process is necessary to determine whether funded projects achieved intended outcomes.

Greater Sydney Commission

  
The Greater Sydney Commission forecasts a further 725,000 dwellings in the greater Sydney region will be required up to 2036 to meet housing demand. In response to population growth, the Commission has set a five-year housing supply target of 189,100 houses across the five Greater Sydney Commission districts.

ePlanning system

  
The Department of Planning and Environment did not perform a benefit realisation review for phase one of the ePlanning project. It has committed to performing a benefit realisation review after completion of phase two in 2018. It cannot be determined if phase one of the project delivered expected outcomes as a benefit realisation review was not performed.

3.3. Environment and Heritage
Litter volume in New South Wales was 6.6 litres per 1,000 square metres in 2016–17, an increase of 16 per cent from the prior year. This is above the Premier's priority litter volume target of 4.2 litres per 1,000 square metres by 2020. The Environment Protection Authority's data indicates the progress towards the target of reducing the volume of litter by 40 per cent by 2020 has slowed.
The NSW Government plans to invest $240 million to facilitate strategic biodiversity conservation on private land. Performance measures have not yet been developed for the private land conservation program.

3.4 Water
IPART reduced water usage charges for most Sydney Water Corporation customers in 2016–17. Water usage prices in New South Wales compare favourably to larger water utilities in other jurisdictions.

Hunter Water Corporation's water recycling and water conservation performance has been stable over recent years.

The volume of Sydney Water Corporation’s recycled water reduced by 12 per cent in 2016–17 compared to the previous year.

 Sydney Water Corporation experienced reduced industry demand for recycled water. Several large industrial customers relocated away from Sydney.

3.5 Arts and culture
A State priority target is to increase overall attendance at cultural venues and events in New South Wales by 15 per cent from 2014–15 levels by 2019. The Department of Planning and Environment's data indicates overall attendance increased by 16 per cent in 2015–16, although attendance fluctuated across individual venues and events. This indicates progress towards achieving the overall target by 2019.

Appendix one - List of 2017 recommendations

Appendix two - Status of 2016 recommendations

Appendix three - Agencies selected for this volume

Appendix four - Financial audit reporting

Appendix five - Timeliness of financial reporting

Appendix six - Financial indicators

Published

Family and Community Services 2017

Community Services
Asset valuation
Compliance
Financial reporting
Information technology
Internal controls and governance
Procurement
Project management

The following report focuses on key observations and findings from the most recent audits of agencies in the Family and Community Services cluster.

The report includes a range of findings on service delivery. The Department of Family and Community Services' data indicates that family preservation programs are having a positive impact on children and young people entering statutory care. On the other hand, waiting times for social housing applicants increased in 2016-17.
 

1. Financial reporting and controls

Quality of financial reporting Unqualified audit opinions were issued for all cluster agencies' financial statements.   
Timeliness of financial reporting Agencies completed mandatory early close procedures and all but one agency submitted financial statements by the statutory deadline.
Internal controls The 2016–17 audits reported 29 internal control improvements to cluster agencies’ management. None of these findings were high risk. Eleven related to information technology control weaknesses in key financial business systems.

2. Service Delivery

Commissioning Non-government organisations (NGOs) received $2.6 billion in 2016–17 to deliver services.
Children and young people

The Department of Family and Community Services data indicates that family preservation programs are reducing the number of children and young people entering statutory care.

The Department's data shows 86 per cent of children and young people in statutory care had their placements reviewed in the 12 months to 30 June 2017. Legislation requires all placements are reviewed at least every 12 months.
Social Housing The Department's data shows waiting times for social housing applicants are longer than last year.
People with disability Under the current timetable for implementing the National Disability Insurance Scheme, the Department plans to transfer direct disability services to NGOs by 30 June 2018.

This report provides Parliament and others with the audit results, observations, conclusions and recommendations for Family and Community Services cluster agencies. The report has been structured into two chapters focusing on financial reporting and controls and service delivery.

The Family and Community Services cluster works with children, adults, families and communities to improve lives and help people realise their potential.

This chapter outlines audit observations, conclusions and recommendations related to the financial reporting and controls of agencies in the Family and Community Services cluster for 2016–17.

Financial reporting is an important element of good governance. Confidence in public sector decision making and transparency is enhanced when financial reporting is accurate and timely.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

Observation Conclusion or recommendation
2.1 Quality of financial reporting
Unqualified audit opinions were issued for all cluster agencies' financial statements. The quality of financial reporting remains high across the cluster.
2.2 Timeliness of financial reporting
Agencies completed mandatory early close procedures and all but one submitted financial statements by the deadline. Early close procedures continue to allow issues and financial reporting risk areas to be addressed early in the audit process. There are opportunities to improve effectiveness of early close procedures.
2.3 Internal controls
The 2016–17 audits reported 29 internal control weaknesses. While none were high risk, the Department had five repeat issues.

 		 Management accepted the audit findings and advised they are actioning recommendations. Timely action is important to ensure internal controls operate effectively.
Eleven of these internal control weaknesses were related to IT system user access administration and security over financial systems.

Controls weaknesses may compromise the integrity and security of financial data.

Recommendation

Agencies should:

  • ensure policies for creating, modifying and deactivating user access are documented
  • enhance the current user access review process
  • log and monitor highly privileged user account activity
  • ensure timely removal of access to business systems for terminated and casual employees
  • ensure password parameters comply with internal policies.

Government outcomes can be improved by delivering the right mix of services, whether from the public, private or not for profit sectors. Service delivery reform will be most successful if there is clear accountability for service delivery outcomes, decisions are aligned to strategic direction and performance is monitored and evaluated.

This chapter outlines our audit observations, conclusions and recommendations related to service delivery by agencies in the Family and Community Services cluster for 2016–17.

Observation Conclusion or recommendation

3.1 Commissioning
Non-government organisations (NGOs) received $2.6 billion funding in 2016–17 to deliver services. Commissioning of service delivery can change the profile of risks that need to be managed. The Department has established a Commissioning Division and developed its ‘Commissioning for Better Outcomes Framework’. 

3.2 Children and young people

All the Department's Districts are accredited to provide out-of-home care services.

The Department's data indicates 66 more children and young people were in statutory care at 30 June 2017 compared to 30 June 2016. This contrasts to the previous year where 1,150 more children were in statutory care at 30 June 2016 than at 30 June 2015.

The Department is complying with out-of-home care service standards, but one District has an additional condition attached to its accreditation.

Department’s data indicates that family preservation programs are having a positive impact..

The Department's data shows 86 per cent of children and young people in statutory care had their placement reviewed at 30 June 2017.

The Department’s data shows, at 30 June 2017, 41 per cent of children and young people with closed case plans for the 12 months ended 30 June 2016 were re-reported at risk of significant harm.

The Department did not meet the legislative requirement to review the placement of all children and young people in statutory care annually.

The number of children being re-reported at risk of significant harm is above the Premier’s Priority target of 34 per cent by June 2019.
 

3.3. Social Housing
Waiting time for priority and non-priority social housing applicants increased in 2016–17, by 19 per cent and 3 per cent respectively. Some factors impacting waiting time for social housing applicants are outside the control of the Department.

3.4 People with disability
A Bilateral Agreement between the Australian and NSW Governments sets out how eligible persons access the National Disability Insurance Scheme (NDIS) between 1 July 2016 and 30 June 2018.
 		 Under the timetable for the NDIS, the Department plans to transfer direct disability services to NGOs.
 

Appendix one - Status of 2015 and 2016 recommendations

Appendix two - Summary financial information 

Appendix three - Cluster information

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE