Service NSW's handling of personal information

Premier and Cabinet
Finance
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration
Risk
Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service, which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, is stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor-General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

  • Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
  • Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
  • Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi-factor authentication has been identified as another key contributing factor to the March 2020 data breach, as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi-factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role-based access, monitoring and audit of user access, and partitioning of program-specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customers' personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role-based access, monitoring and audit of staff access, and partitioning of program-specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi-factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi-factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither has been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high-level references to privacy. Most do not include details of each party's privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID-19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check-in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID-19 pandemic, it is the nature of the agency’s work that it operates in a fast-paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor-General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

  • to clarify Service NSW's understanding of how responsibility for meeting privacy obligations is delineated between Service NSW and client agencies
  • to better reflect the full scope and complexity of personal information handled by Service NSW
  • to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
  • to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

  • ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
  • ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

  • establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
  • enable partitioning and role-based access restrictions to personal information collected for different programs
  • provide customers the choice to use multi-factor authentication to further secure their MyServiceNSW accounts
  • enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

  • the content and provision of privacy collection notices
  • the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
  • steps that will be taken by each agency to ensure that personal information is kept secure
  • the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
  • how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

  • are identified as high risk and have not previously had a privacy impact assessment
  • have had major changes or updates since the privacy impact assessment was completed.

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Managing the health, safety and wellbeing of nurses and junior doctors in high demand hospital environments

Health
Internal controls and governance
Management and administration
Workforce and capability

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining NSW Health’s management of health and safety risks to nurses and junior doctors in high demand hospital wards over the past five years, including during the first six months of the 2020 COVID-19 health emergency.

The Auditor-General found that while NSW Health effectively managed most incidents and risks to the physical health and safety of hospital staff during ‘business as usual’ activities, systems and resources are not fully effective to manage staff psychological and wellbeing risks, particularly for nurses.

The Auditor-General found that NSW Health was effective in managing most COVID-19 health and safety risks to hospital staff. Overall effectiveness could have been improved had pandemic preparedness training been delivered across all Local Health Districts. Additionally, state-wide communication systems could have been improved to provide hospital clinicians with access to a ‘single source of truth’ with the latest advice from NSW Health authorities.

NSW Health’s planning and preparation for the supply of Personal Protective Equipment (PPE) was partially effective. At various times, some PPE items could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from usual items, and in some hospitals, substituted masks were used without being locally fit tested by hospital staff.

The Auditor-General made seven recommendations aimed at enhancing hospital health and safety risk reporting practices, along with a recommendation that NSW Health conduct a post pandemic 'lessons learned' review and make policy and operational recommendations for future pandemic responses.

Over the past decade, there have been increases in the numbers of health and safety incidents affecting nurses and junior doctors in NSW hospitals. These increases have been associated with higher numbers of patients with acute mental health conditions, age-related cognitive impairments, and patients presenting in emergency departments under the influence of drugs and alcohol.  

This audit commenced in August 2019, with a focus on the health, safety and wellbeing of nurses and junior doctors in high demand hospital wards. Our audit focused on emergency departments, mental health wards and aged care wards during 'business as usual’ periods of hospital operations. 

In the early months of 2020, the novel coronavirus (COVID-19) brought new health and safety risks to hospital staff. These risks included the potential for infection amongst health workers, increased staff workloads, and impacts on staff wellbeing.  

In May 2020, we expanded the focus of the audit to assess the effectiveness of NSW Health’s management of the health and safety risks to staff during the COVID-19 health emergency. We assessed the impacts on emergency departments and intensive care units, as these were the wards where staff were most likely to come into contact with COVID-19.  

The Audit Office acknowledges the ongoing health and safety challenges that the pandemic has brought to NSW Health staff – in particular to hospital clinicians and the managers who support them.  

This audit assessed the effectiveness of NSW Health’s:

  • systems, forums and workplace cultures to support reporting and generate data about risk
  • initiatives to support safe workplaces and effectively respond to health and safety incidents
  • actions to continuously improve staff health, safety and wellbeing in hospital environments.

The first three chapters of this report describe the effectiveness of NSW Health’s ‘business as usual’ health and safety risk management. The fourth and fifth chapters describe the effectiveness of NSW Health’s health and safety risk management during the COVID-19 pandemic.  

Conclusion

NSW Health’s management of health and safety risks in NSW hospitals

NSW Health is effectively monitoring and managing most incidents and risks to the physical health and safety of nurses and junior doctors in NSW hospitals. However, systems and resources are not fully effective across all Local Health Districts for monitoring or managing psychological and wellbeing risks - particularly in relation to nurses.

NSW Health’s incident management system is effective for recording health and safety incidents in hospital wards where incidents occur infrequently, and staff have time to log incident details during shift hours. However, in high demand wards where incidents and risks are common, staff report that they are unable to log all incidents due to the frequency of events, and the time it takes to record incidents in the system.

NSW Health is taking reasonable steps to manage and respond to physical health and safety incidents in NSW hospitals, but psychological and wellbeing risks and incidents are not routinely recorded or escalated to managers. Stress debriefing is not consistently available to staff after difficult or traumatic workplace incidents.

The Ministry of Health could improve its information sharing and data reporting on state-wide health and safety risks in NSW hospitals, and communicate risk trends to the wider NSW health system. This would assist managers to identify common health and safety issues, and target their responses. The Ministry has not set up systems or strategies to identify or support the expansion of successful health and safety initiatives across the NSW health system.

NSW Health’s management of health and safety risks associated with COVID-19

To date, NSW Health has effectively managed most COVID-19 related health and safety risks to hospital staff. The overall effectiveness of NSW Health's preparations and responses to COVID-19 could have been improved in the early phases of the health emergency - from January to early April 2020 - by ensuring that hospital staff in all Local Health Districts had access to pandemic training, that all emergency response policies had been updated and circulated, that state-wide communication systems were able to be rapidly upscaled to deliver consistent messages to hospital staff across the health system, and that PPE supply lines could provide sufficient stock to meet requirements during all pandemic response phases.

Local Health District executives and hospital managers effectively guided and supported nurses and junior doctors to manage and minimise most COVID-19 health and safety risks in hospital environments. However, communication with frontline staff could have been improved in the early stages of the pandemic. The Ministry did not set up a centralised communication channel to communicate consistent messages and advice to hospital clinicians until April 2020. This finding is consistent with a finding from the 2009 review into NSW Health’s response to the H1N1 influenza outbreak. Clinical staff advised that the lack of a centralised communication channel substantially increased their workloads as they checked numerous sources for the latest and most authoritative advice.

Prior to COVID-19, pandemic response training was limited across the NSW Health system. Nurse managers of emergency departments and intensive care units reported that there was limited training or familiarisation with the NSW Pandemic Plan. Key policies describing infection control principles for emergency departments and intensive care units were outdated and had not been revised within required timelines.

NSW Health's planning and preparation for the supply and management of personal protective equipment (PPE) has been partially effective, with PPE available to hospital staff at all times. However, at various intervals, some PPE could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from the usual PPE stock. Staff reported that in the early stages of the pandemic, substituted masks were not locally fit tested by hospital staff in some emergency departments.

1. Audit recommendations

By December 2021, NSW Health should:

  1. Evaluate the effectiveness of the new incident management system to enable full reporting of health and safety incidents and risks in all hospital wards, including those where incidents and risks are common, and monitor for consistency of reporting over time
  2. Expand the categories of hospital incident data reported to Ministry executives in the Work Health and Safety Dashboard reports, including by linking injury data to incident types by hospital ward category, and monitor in conjunction with Local Health Districts for emerging trends and improvement over time
  3. Ensure that nurses and junior doctors have regular opportunities to report on risks to their psychological health and wellbeing, and that system managers have access to aggregate data to guide responses to mitigate these risks
  4. Develop and implement an evidence-based guiding framework and strategy to support hospital staff in the aftermath of traumatic or unexpected workplace incidents, and monitor implementation
  5. At regular intervals, publicly report aggregate Root Cause Analysis data detailing the hospital system factors that contribute to clinical incidents
  6. Develop and implement a systemwide platform for sharing research and information about hospital health and safety initiatives across the health system
  7. Conduct a post-pandemic 'lessons learned' review focusing on the effectiveness of key strategies deployed in the management of the COVID-19 pandemic and make policy and operational recommendations for future pandemic responses. In particular, ensure:
    • regular scenario-based pandemic training for hospital staff
    • updated policies and protocols for hospital infection controls
    • capability to upscale authoritative communication with frontline health workers at the earliest notification of a health emergency and for the duration of the emergency
    • systems and safeguards to ensure the supply and availability of clinically appropriate personal protective equipment (PPE) during all phases of a pandemic.

Local Health Districts were effective in leading health and safety infection control activity

According to the NSW Health Influenza Pandemic Plan (Pandemic Plan), the Chief Executives of Local Health Districts have ultimate responsibility for public health unit preparations during health emergencies. If necessary, they can ‘draw on the support of the State Pandemic Management Team and local emergency management resources’.

During the preparations and early response phases to the COVID-19 pandemic, Local Health Districts were at the forefront of most NSW hospital activity. They took the lead role in developing hospital infection control protocols and guidance about the appropriate uses of Personal Protective Equipment (PPE). Each Local Health District established its own responses to the health emergency, based on the best clinical advice available to them. The localised approach meant that there were some minor differences in infection control practices across the NSW health system.

Throughout February and March 2020, there was limited centralised policy or guidance from the Ministry and its Pillar Health agencies about COVID-19 infection control practices. It was not possible to mandate practices at a time when information about the virus was evolving. Clinical responses were changing as more became known about COVID-19, especially about its patterns of transmission and its impacts on people with the disease.

During February and March 2020, Local Health District executives communicated with hospital staff via a range of methods. Some sent daily e-memos with the latest updates. Some scheduled more regular meetings with hospital clinicians. Some Districts set up extensive staff training sessions and information briefings to keep all personnel updated with the latest advice. Physical distancing made it difficult to bring staff together in large groups, so a range of communications measures were implemented.

Clinical staff also utilised their clinical training and expertise to prepare their wards and train frontline staff in infection control procedures. Some sourced information from national and international colleagues to add to localised knowledge of the virus.

When the first evidence of COVID-19 community transmission was identified in the Northern Sydney Local Health District, hospital staff followed infection control protocols that were based on local guidance and information. With support from the District executive team and infectious diseases experts, hospital clinicians set up their own infection control protocols and PPE protections. Within a week the District had produced a matrix to guide staff in the uses of PPE during COVID-19 procedures, and had circulated the guidance to all hospital clinicians.

At the end of March 2020, a version of the Northern Sydney PPE matrix was published on the Clinical Excellence Commission’s website and it has now become NSW Health’s standard guideline for PPE during COVID-19 procedures. Once this guideline was published centrally, infection control practices were standardised across NSW hospitals.

This form of District-led policy making is not ‘business as usual’ practice for NSW Health. Policy making processes were somewhat reversed during the early response phases to COVID-19. This flexible policy approach supports the governance arrangements described in the Pandemic Plan, which assigns responsibility for ‘supporting and maintaining quality care across health services and implementing infection control measures as appropriate’ to Local Health Districts.

In non-health emergency situations, clinical policy and protocols are usually initiated and developed by the Ministry and the Clinical Excellence Commission and are subsequently shared across the health system after a quality control process. The localised approach adopted in the months from February to March 2020 allowed for rapid and flexible responses to changing information – to protect the health and safety of the hospital workforce and the wider community.

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Local Health Districts are responsible for training hospital staff in preparation for public health emergencies. NSW’s policy describing Public Health Emergency Response Preparedness Minimum Standards requires that clinical staff participate in at least one annual emergency training exercise if they hold a position where they are likely to be called upon in an emergency. Staff must participate in an actual response exercise or a relevant training session. The training must also include re-familiarisation with PPE.

Available evidence about emergency response training in NSW indicates that at least two Local Health Districts have delivered pandemic-focussed training in the past decade. Our interviews with managers of emergency departments and intensive care units indicate that most other Districts have focused their emergency training on mass patient trauma incidents such as plane crashes, train crashes and terrorist attacks. While the potential for these types of mass trauma events is real, and warrants training and preparation, significant global outbreaks of diseases have also had potential to threaten NSW communities. In previous decades, global health communities have been at risk of diseases such as the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

In the two Districts where pandemic training was provided in NSW, staff participated in community influenza vaccination exercises. These were focused on upskilling staff to follow emergency command structures, manage high volume patient flows, and organise sanitisation logistics during a hospital-based training exercise.

Our interviews with nurse managers in emergency departments and intensive care units indicate that in the majority of other Local Health Districts, key personnel were unaware of the NSW Pandemic Plan. Interviewed staff also reported insufficient scenario-based training in pandemic responses over the last ten years.

The Ministry, the Clinical Excellence Commission and the Health Education and Training Institute (HETI) are responsible for online training and 'state-wide strategies and resources to maintain high levels of compliance with infection control and patient safety recommendations'. The HETI website contains online training modules in infection control and PPE donning and doffing procedures. Other infection control information and research is available on the websites of the Clinical Excellence Commission and the Agency for Clinical Innovation.

Online training modules are effective for upskilling staff in a range of skills, but are not a substitute for real-time, rapid incident response training. Face-to-face training provides opportunities for first responders to test procedures in hospital environments. Incident response training provides opportunities for staff to assess their levels of compliance with protocols and their competence with equipment in scenario situations. It is the responsibility of Local Health Districts to provide this form of training to the health staff in their District.

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry had not updated two policies that had the potential to assist emergency departments and intensive care units in aspects of their ward preparation for the COVID-19 pandemic. Both policies were on the NSW Health website, but neither was shared with hospital staff in the planning phases for the pandemic. Both policies are out of date and have not been revised within required timeframes.

The 2010 Influenza Pandemic - Providing Critical Care policy was due for review in May 2015 and was not updated at the time of the COVID-19 health emergency. Similarly, the 2007 policy Hospital Response to Pandemic Influenza Part 1: Emergency Department Response was due for review in June 2012 and has not been updated.

These policies were designed to assist clinical staff to make necessary ward arrangements for infection control. They set out the steps for rapid identification of contingent workforces, isolation procedures, and management of patient flows to separate those with suspected infection from other patient cohorts. They were a potential addendum to the NSW Pandemic Plan which describes the command and control responsibilities of health agencies in health emergencies.

Our interviews with nurse managers from emergency departments and intensive care units indicate that in the absence of pandemic policy, they sought clinical guidance from external sources and Local Health District experts. Interviewees told us that a lack of policy guidance about ward arrangements and infection control practices in a pandemic increased their workloads and hours of overtime in the early response phases to COVID-19. With the support of Local Health Districts, clinical staff made rapid adjustments in order to respond to changing testing requirements and ward arrangements.

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

NSW Health’s governance and communication arrangements during a pandemic are set out in the Pandemic Plan. The Plan requires that government agencies ‘commence enhanced arrangements, establish communications measures’ and confirm ‘governance arrangements’ when there is evidence of person to person transmission during an influenza outbreak. NSW Health received the first notifications of the novel coronavirus risks in January 2020.

During the preparation and early response phases to COVID-19, the Ministry and its central agencies were slow in establishing a single, authoritative channel through which to communicate consistent messages to frontline staff. Clinical staff required up-to-date information about COVID-19 testing criteria as requirements were changing rapidly, sometimes daily. While there was no expectation for fixed policy at this time, hospital staff required the latest instructions about treatment requirements, and updates on the numbers of COVID-19 infections in their region.

As information about COVID-19 was evolving, information was communicated across the health system via ‘multiple channels and sources’. While the Ministry and its central agencies communicated extensively with Local Health Districts during March 2020, hospital staff reported to us that they weren’t always sure where they could find the latest advice about testing protocols or infection controls.

Frontline staff told audit office staff that they were checking multiple sources and time-stamping advice to ensure they had the most up to date information on a daily basis. While some Local Health Districts managed clear communication links with frontline staff, nurse managers told us that communication was ‘chaotic’ during the early phases of pandemic preparation. Key personnel were not always available outside business hours and nurse managers advise that they spent hours at the end of shifts, seeking and printing the latest advice for weekend and night shift personnel. By the end of March 2020, the Ministry and the Clinical Excellence Commission websites became better organised to communicate with frontline clinicians.

A recommendation to the Ministry of Health after H1N1 swine flu could be equally applied in the COVID-19 context. The NSW Government’s report: Key Recommendations on Pandemic (H1N1) 2009 Influenza recommended the establishment of ‘clear pathways of communication … so that all employees have confidence in where their information will come from and who they should approach if they need additional information.’

NSW Health acknowledges the challenges and the lessons from the early phases of the COVID-19 pandemic. For example, a strategy released in August 2020 sets out NSW Health’s own recommendation for the future management of PPE including: ‘Aligning a single source of truth for PPE education and evidence-based guidance to ensure clarity of information on appropriate use, supported by an influential network of Infection Prevention and Control (IPC) practitioners at the forefront’.

Ministry executives advise that communication with health staff has improved since the early phases of the pandemic. The Ministry now sends weekly COVID-19 updates to over 130,000 health staff via email. In addition, NSW Health now has two COVID-19 tabs on its website with current information, including COVID-19 testing advice. According to Ministry executives, these communication channels could be used or replicated if needed for future health emergencies. The Ministry also provides health information and updates via a phone application called Med App. This App is preferred by doctors and is less likely to be used by nurses. As at October 2020, there are 13,000 users of Med App. Push notifications can be made on Med App through SMS alerts.

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

Since the emergence of COVID-19 in Australia, all clinicians in NSW hospitals have had access to some form of PPE for their clinical requirements. If staff did not have appropriate equipment for each COVID-19 related procedure, they were guided by the formal advice issued to the NSW Health workforce on 11 March 2020 stating that: ‘The safety of NSW Health staff is a priority at all times, especially during COVID-19. Where safe working practices confirm specific PPE (e.g. face shields/masks or other equipment) are required for the protection of staff due to COVID-19, in all circumstances:

  • staff are to wear prescribed PPE as instructed
  • staff are not to undertake or be required to undertake tasks requiring PPE if the PPE is not available for use. Any such tasks are not to proceed until required PPE is available
  • any staff member who is concerned about their safety must raise their concerns immediately to their manager.’

At periods during March and April 2020, some PPE items were not available in the required sizes or the regular brands to which staff were accustomed. HealthShare NSW was not able to source PPE from usual suppliers. HealthShare NSW sourced PPE including N95 masks from non-traditional suppliers. Some PPE items differed in shape and size from the usual hospital equipment. While senior executives from HealthShare NSW advise that all products were approved by the Therapeutic Goods Administration (TGA), in some hospitals, nurse managers advise that staff were not able to ‘fit test’ substituted masks. Fit testing determines the type and the size of the respirator mask that achieves an adequate seal on an individual’s face.

In March and April 2020, ‘duck bill’ (N95) masks were not available in some hospitals. According to stock managers and clinical managers in Local Health Districts, duck bills are the preferred mask for staff with smaller faces, particularly female staff members. The duck bill mask is a standard PPE product, and as such, is fit tested during mandatory PPE training. During the early response phases to COVID-19, most Local Health Districts were provided with substitute N95 masks. Fit testing of the substituted N95 masks was not able to be conducted in all NSW hospitals during the early phases of COVID-19. During the first wave of COVID-19 in March and April 2020, hospital staff told audit staff that there was no time and a lack of equipment to appropriately fit test substituted N95 masks.

Nurse managers in emergency departments advise that in some instances, staff made adaptations to PPE to improve protections, such as doubling masks, adding elastics or bringing their own equipment. These adaptations were not consistent with guidelines. Nurse managers advise that in some cases, adaptations to PPE or ill-fitting masks created pressure sores and contact dermatitis. Just over half of the stock managers of Local Health Districts advised that PPE stock was procured from outside the HealthShare NSW system. Stock managers in some Districts advise that facial shields and goggles sourced from non-traditional suppliers by HealthShare NSW were of a lesser quality than standard equipment. Stock managers and nurse managers reported that the changes in PPE products caused confusion and stress amongst staff.

Local Health Districts were proactive in assisting hospital staff to mitigate risks of COVID-19 infections. Some Local Health Districts assigned ‘tiger teams’ to assist staff with their PPE practices. Tiger teams provide clinical expertise and advice to staff, answer questions about infection control and provide training on PPE practice in hospital ward environments. They assist and support PPE donning and doffing practices to ensure the appropriate sequencing of applying and removing PPE for effective infection control. They provide mask fit checking guidance to assist staff in correct PPE practices.

Districts ran extensive refresher PPE training sessions for clinical staff. Some hospitals ran regular PPE demonstrations so that staff could observe correct PPE procedures at set times during the day. These activities assisted staff to implement appropriate infection control in the period before the Clinical Excellence Commission’s web-based materials and videos became available in late March and early April 2020. These online resources now provide comprehensive guidance to hospital staff in PPE practices.

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

The NSW Pandemic Plan describes the responsibilities of the Ministry and its central agencies to manage and maintain the State Medical Stockpile of essential PPE supplies and antiviral medications. During a pandemic, HealthShare NSW has responsibility for warehousing, monitoring and distributing health supplies to the health workforce.

Due to a reported global shortage of PPE and limits to the NSW stockpile, HealthShare NSW placed limits on the provision of approximately 100 high-demand items to NSW hospitals. HealthShare NSW advise that the PPE order capping ceilings were implemented ‘to ensure local stockpiling does not occur’. A centralised ordering process was established with Local Health Districts so that PPE product ordering occurred through single hospital locations (214 across the State), rather than at the ward level. Escalation processes were established to allow Districts to request one-off increases to supply, and a process was set up to permanently increase the order cap limit for any PPE item by facility.

According to HealthShare NSW, ‘as incoming central supply has improved, order caps have subsequently increased in line with strong engagement and governance with the Local Health Districts to ensure the appropriate levels of supply are provided’. The original capped levels were determined by assessing PPE usage in wards during the flu season of 2019. As the flu season case numbers of 2019 were relatively low, some Local Health District managers advised that the levels of PPE during 2019 were not comparable to the level of PPE required for the COVID-19 pandemic.

After advocacy from hospital stock managers and clinicians, HealthShare NSW increased capped PPE levels in many Local Health Districts.

Executive members of the State Health Emergency Operations Centre (SHEOC) advise that its PPE supply strategy needs to be carefully developed as there are vast differences in PPE usage rates during 'business as usual' periods and pandemic periods. If NSW Health kept the level of PPE required in planning for a worst-case scenario, this would equate to an extensive surplus of PPE that could not be utilised during business as usual periods. The SHEOC Executive advise that it is not feasible or economical to store this level of PPE. They advise that given the costs of PPE, and the fact that the products have a shelf life, a diversified supply line is a more reliable method for ensuring PPE during surge and non-surge periods.

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

Early projections of patient numbers requiring acute care for COVID-19 were at levels that would not have been manageable with the equipment and resources of NSW hospitals. From March through to May 2020, government data modelling indicated significant surges of community infections and surges in intensive care patients.

Early estimates were based on overseas trends, and if actual cases had matched projections, NSW hospitals would not have had sufficient ventilators to meet demand. The knowledge of this shortfall caused high levels of anxiety among nursing and medical staff.

While the data was based on the best available information, it had negative implications for the health and safety of the nurse and junior doctor workforce. Managers of intensive care wards and emergency departments reported stress amongst the workforce. Staff concerns were primarily about being faced with ‘the unmanageable’, along with heightened fears about contracting the virus with the knowledge that there was insufficient equipment to treat acute patients.

As it transpired, overall numbers of COVID-19 infections were lower than projected during the early months of the pandemic. The lower infection rates in the general population have meant fewer instances of patients requiring intensive care in NSW hospitals. In addition, HealthShare NSW has been able to increase the numbers of ventilators in NSW hospitals to prepare for future surges in patients requiring acute respiratory care.

SHEOC Executive advise that NSW Health undertook an accelerated procurement strategy in early 2020 to increase its stock of ventilators, and that ventilator capacity has always far-exceeded actual requirements.

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

In August 2020, NSW Health released a strategy that sets out its future management and planning approaches to the provision of PPE for the NSW Health workforce. NSW Health’s Personal Protective Equipment (PPE) Strategy describes the learnings and challenges during the COVID-19 pandemic in sourcing and distributing PPE. It sets out the systems and methods for distributing PPE to staff and patients and focuses on how staff are kept informed on the appropriate use of PPE at all times. A supporting communications strategy has been developed to support its implementation.

The strategy contains enhanced transparency measures to regularly inform staff about PPE stock levels and to provide data about PPE usage rates by item types in wards in NSW hospitals. The NSW Health PPE strategy describes a changed approach to ordering, storing and allocating PPE. This includes diversifying the supply lines for PPE products to increase supply options in circumstances where supply lines become disrupted. It includes a centralised system for coordinating the supply of hospital PPE through Local Health District coordination points and centralised distribution points in large hospitals.

Our interviews with hospital PPE stock managers and nurse managers indicate that staff find the new ordering system to be an improvement upon the previous stock ordering method.

According to the Personal Protective Equipment (PPE) Strategy, NSW Health is upgrading its models for monitoring and benchmarking PPE usage across the health system. Systems are being improved for forecasting demand volumes during business as usual periods and during health emergency surges.

Appendix one – Response from agency

Appendix two – Audit methodology

Appendix three – About the audit 

Appendix four – Performance auditing 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #344 - released 9 December 2020

Published

Internal controls and governance 2020

Education
Environment
Community Services
Finance
Health
Industry
Justice
Premier and Cabinet
Transport
Treasury
Compliance
Cyber security
Information technology
Internal controls and governance
Management and administration
Procurement

The Auditor-General for New South Wales, Margaret Crawford, today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

  • financial and information technology controls
  • business continuity and disaster recovery planning arrangements
  • procurement, including emergency procurement
  • delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19, agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’, the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends
New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

  • prioritise addressing high-risk findings
  • address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

  • out of date or missing policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls
IT general controls

We found deficiencies in information security controls over key financial systems including:

  • user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
  • privileged users were not appropriately monitored at 43 per cent of agencies
  • deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning
Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

  • involving key dependent or inter-dependent third parties who support or deliver critical business functions
  • testing one or more high impact scenarios identified in their business continuity plan
  • preparing a formal post-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 and 31 December 2019. For instance:

  • in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee
  • in 95 per cent of instances where a disaster recovery response was activated, a post-incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement
Policy framework

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

  • 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
  • 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
  • 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Managing contracts

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Training and support

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

  • not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
  • not obtaining approval from a delegated authority to commence the procurement process
  • procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

Procurement activities

While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.

Emergency procurement

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement, released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

  • 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
  • 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
  • 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being used efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

  • updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
  • using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
  • having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

  • 16 per cent of agencies had not updated their financial delegations to reflect the changes
  • 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

  • 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
  • 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
  • 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

  • out of date or missing policies to guide appropriate decisions
  • poor record keeping and document retention
  • incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Report on Local Government 2019

Local Government
Asset valuation
Cyber security
Financial reporting
Information technology
Infrastructure
Internal controls and governance
Management and administration
Procurement
Project management
Service delivery
Shared services and collaboration
Workforce and capability

I am pleased to present my third report to the Parliament on the 2019 audits of local government councils in New South Wales.

This report notes that unqualified audit opinions were issued on the 2018–19 financial statements of 134 councils and 11 joint organisations. The opinion for one council was disclaimed and three audits are yet to complete.

The report also highlights improvements I have seen in financial reporting and governance arrangements across councils. Fewer errors were identified. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices, including fraud control systems, have also improved.

These are very pleasing indicators of the gradual strengthening of governance and financial oversight of the sector. I want to acknowledge the investment councils have made in working with the Audit Office to improve consistency of practice and accountability generally.

Of course there is more work to do, particularly to prepare for new accounting standards and to strengthen controls over information technology and cyber security management. Asset management practices can also be improved. This report provides some guidance to council on these matters and we will continue to partner with the Office of Local Government in the Department of Planning, Industry and Environment to support good practice.

Margaret Crawford

Auditor-General
5 March 2020

This report focuses on key observations and findings from the 2018–19 financial audits of councils and joint organisations.

Unqualified audit opinions were issued on the financial statements for 134 councils and 11 joint organisations. The audit opinions for Bayside’s 2017–18 and 2018–19 financial statements were disclaimed. Three audits are still in progress and will be included in next year’s report.

The report highlights a number of areas where there has been improvement. There was a reduction in errors identified in council financial statements and high risk issues reported in audit management letters. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices and fraud control systems have also improved.

The report also found that councils could do more to be better prepared for the new accounting standards, asset management practices could be strengthened, and information technology controls and cyber security management could be improved.

The Auditor-General recommended that the Office of Local Government within the Department of Planning, Industry and Environment develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils.

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision making is enhanced when financial reporting is accurate and timely. Strong financial performance provides the platform for councils to deliver services and respond to community needs.

This chapter outlines our audit observations on the financial reporting and performance of councils and joint organisations.

Section highlights
  • There was a reduction in the number and dollar value of errors identified in councils' financial statements.
  • We continue to identify prior period errors, which are predominantly asset-related.
  • Unqualified audit opinions were issued for 99 per cent of completed audits for councils and joint organisations.
  • Three audits remain outstanding, with the outcomes to be reported in next year's Report to Parliament.
  • Seventy-nine per cent of councils and joint organisations lodged their financial reports by 31 October 2019.
  • Councils that performed some early reporting procedures achieved better outcomes in terms of the quality and timeliness of financial reporting.
  • Councils are at various levels of preparedness to implement the new accounting standards for the 2019–20 financial year. Some have made the necessary modifications to systems and processes, but others are still assessing impacts.
  • Most councils met the prescribed benchmarks for the liquidity and working capital performance measures over the past three years.
  • More councils reported negative operating performance compared with the prior year, meaning their operating expenditure exceeded their operating revenue.

Strong governance systems and internal controls help councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations and support ethical government.

This chapter outlines the overall trends related to governance and internal control issues across councils and joint organisations for 2018–19.

Section highlights
  • While the total number of issues reported in our management letters increased compared with the prior year, the total number of high-risk issues has decreased. Of the high-risk issues, 41 per cent were deficiencies in information technology controls.
  • More councils have established audit, risk and improvement committees and internal audit functions.
  • Councils have improved risk management practices, with over 75 per cent of councils now having a risk management policy and register.
  • While most councils have policies and processes to manage gifts and benefits, we identified some instances of non-compliance with the Model Code of Conduct.
  • Most councils have policies and processes to manage the use of credit cards.
  • Councils can strengthen policies and practices for managing fraud controls and legislative compliance.
  • There are further opportunities for councils to improve internal controls over revenue, purchasing, payroll, cash, financial accounting and governance processes.

Councils rely on information technology (IT) to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that councils need to address.

In prior years, we reported that councils need to improve IT governance and controls to manage key financial systems. This chapter outlines the progress made by councils in the management of key IT risks and controls, with an added focus on cyber security.

Section highlights
  • We continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse.
  • Many councils do not have IT policies and procedures and others do not identify, monitor or report on IT risks.
  • Cyber security management requires improvement, with some basic elements of governance not yet in place for many councils.

Councils are responsible for managing a significant range of assets to deliver services on behalf of the community.

This chapter outlines our asset management observations across councils and joint organisations.

Section highlights
  • There was an increase in the total number of issues reported in our management letters for asset management processes.
  • There were fewer high-risk issues reported compared to the previous year.
  • We continue to identify discrepancies between the council's Crown land asset records and the Crown Land Information Database (CLID) managed by the former Department of Industry (DOI).
  • Inconsistent practices remain across the Local Government sector in accounting for landfill sites.

Appendix one – Response from the Office of Local Government within the Department of Planning, Industry and Environment

Appendix two – Status of 2018 recommendations

Appendix three – Status of audits 

Published

Internal Controls and Governance 2017

Finance
Education
Community Services
Health
Justice
Whole of Government
Asset valuation
Compliance
Cyber security
Information technology
Internal controls and governance
Project management
Risk

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.

1. Overall trends

New and repeat findings

The number of reported financial and IT control deficiencies has fallen, but many previously reported findings remain unresolved.

High risk findings

Poor systems implementations contributed to the seven high risk internal control deficiencies that could affect agencies.

Common findings

Poor IT controls are the most commonly reported deficiency across agencies, followed by governance issues relating to cyber security, capital projects, continuous disclosure, shared services, ethics and risk management maturity.

2. Information Technology

IT security

Only two-thirds of agencies are complying with their own policies on IT security. Agencies need to tighten user access and password controls.

Cyber security

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding of the extent of the cyber security threat.

Other IT systems

Agencies can improve their disaster recovery plans and the change control processes they use when updating IT systems.

3. Asset Management

Capital investment

Agencies report delays delivering against the significant increase in their budgets for capital projects.

Capital projects

Agencies are underspending their capital budgets and some can improve capital project governance.

Asset disposals

Eleven per cent of agencies were required to sell their real property through Property NSW but didn’t. And eight per cent of agencies can improve their asset disposal processes.

4. Governance

Governance arrangements

Sixty-four per cent of agencies’ disclosure policies support communication of key performance information and prompt public reporting of significant issues.

Shared services

Fifty-nine per cent of agencies use shared services, yet 14 per cent do not have service level agreements in place and 20 per cent can strengthen the performance standards they set.

5. Ethics and Conduct

Ethical framework

Agencies can reinforce their ethical frameworks by updating code‑of‑conduct policies and publishing a Statement of Business Ethics.

Conflicts of interest

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

6. Risk Management 

Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity.

Risk management elements

Many agencies can improve risk registers and strengthen their risk culture, particularly in the way that they report risks to their lead agency.

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

  1. Overall trends
  2. Information technology
  3. Asset management
  4. Governance
  5. Ethics and conduct
  6. Risk management.

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Issues

Recommendations

1.1 New and repeat findings

The number of internal control deficiencies reduced over the past three years, but new higher-risk information technology (IT) control deficiencies were reported in 2016–17.

Deficiencies repeated from previous years still make up a sizeable proportion of all internal control deficiencies.

Recommendation

Agencies should focus on emerging IT risks, but also manage new IT risks, reduce existing IT control deficiencies, and address repeat internal control deficiencies on a more timely basis.

1.2 High risk findings

We found seven high risk internal control deficiencies, which might significantly affect agencies.

Recommendation

Agencies should rectify high risk internal control deficiencies as a priority.

1.3 Common findings

The most common internal control deficiencies related to poor or absent IT controls.

We found some common governance deficiencies across multiple agencies.

Recommendation

Agencies should coordinate actions and resources to help rectify common IT control and governance deficiencies.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weaknesses in agencies.

Issues Recommendations

2.1 IT security

User access administration

While 95 per cent of agencies have policies about user access, about two-thirds were compliant with these policies. Agencies can improve how they grant, change and end user access to their systems.

Recommendation

Agencies should strengthen user access administration to prevent inappropriate access to sensitive systems. Agencies should:

  • establish and enforce clear policies and procedures
  • review user access regularly
  • remove user access for terminated staff promptly
  • change user access for transferred staff promptly.

Privileged access

Sixty-eight per cent of agencies do not adequately manage who can access their information systems, and many do not sufficiently monitor or restrict privileged access.

Recommendation

Agencies should tighten privileged user access to protect their information systems and reduce the risks of data misuse and fraud. Agencies should ensure they:

  • only grant privileged access in line with the responsibilities of a position
  • review the level of access regularly
  • limit privileged access to necessary functions and data
  • monitor privileged user account activity on a regular basis.

Password controls

Forty-one per cent of agencies did not meet either their own standards or minimum standards for password controls.

Recommendation

Agencies should review and enforce password controls to strengthen security over sensitive systems. As a minimum, password parameters should include:

  • minimum password lengths and complexity requirements
  • limits on the number of failed log-in attempts
  • password history (such as the number of passwords remembered)
  • maximum and minimum password ages.

2.2 Cyber Security

Cyber security framework

Agencies do not have a common view on what constitutes a cyber attack, which limits understanding the extent of the cyber security threat.

Recommendation

The Department of Finance, Services and Innovation should revisit its existing framework to develop a shared cyber security terminology and strengthen the current reporting requirements for cyber incidents.

Cyber security strategies

While 82 per cent of agencies have dedicated resources to address cyber security, they can strengthen their strategies, expertise and staff awareness.

Recommendations

The Department of Finance, Services and Innovation should:

  • mandate minimum standards and require agencies to regularly assess and report on how well they mitigate cyber security risks against these standards
  • develop a framework that provides for cyber security training.

Agencies should ensure they adequately resource staff dedicated to cyber security.

2.3 Other IT systems

Change control processes

Some agencies need to improve change control processes to avoid unauthorised or inaccurate system changes.

Recommendation

Agencies should consistently perform user acceptance testing before system upgrades and changes. They should also properly approve and document changes to IT systems.

Disaster recovery planning

Agencies can do more to adequately assess critical business systems to enforce effective disaster recovery plans. This includes reviewing and testing their plans on a timely basis.

Recommendation

Agencies should complete business impact analyses to strengthen disaster recovery plans, then regularly test and update their plans.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

  • manage their major capital projects
  • dispose of existing assets.

Issues Recommendations or conclusions

3.1 Capital investment

Capital asset investment ratios

Most agencies report high capital investment ratios, but one-third of agencies’ capital investment ratios are less than one.

Recommendation

Agencies with high capital asset investment ratios should ensure their project management and delivery functions have the capacity to deliver their current and forward work programs.

Volume of capital spending

Most agencies have significant forward spending commitments for capital projects. However, agencies’ actual capital expenditure has been below budget for the last three years.

Conclusion

The significant increase in capital budget underspends warrants investigation, particularly where this has resulted from slower than expected delivery of projects from previous years.

3.2 Capital projects

Major capital projects

Agencies’ major capital projects were underspent by 13 per cent against their budgets.

Conclusion

The causes of agency budget underspends warrant investigation to ensure the NSW Government’s infrastructure commitment is delivered on time.

Capital project governance

Agencies do not consistently prepare business cases or use project steering committees to oversee major capital projects.

Conclusion

Agencies that have project management processes that include robust business cases and regular updates to their steering committees (or equivalent) are better able to provide those projects with strategic direction and oversight.

3.3 Asset disposals

Asset disposal procedures

Agencies need to strengthen their asset disposal procedures.

Recommendations

Agencies should have formal processes for disposing of surplus properties.

Agencies should use Property NSW to manage real property sales unless, as in the case for State owned corporations, they have been granted an exemption.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

Issues Recommendations or conclusions

4.1 Governance arrangements

Continuous disclosure

Continuous disclosure promotes improved performance and public trust and aids better decision-making. Continuous disclosure is only mandatory for NSW Government Businesses such as State owned corporations.

Conclusion

Some agencies promote transparency and accountability by publishing on their websites a continuous disclosure policy that provides for, and encourages:

  • regular public disclosure of key performance information
  • disclosure of both positive and negative information
  • prompt reporting of significant issues.

4.2 Shared services

Service level agreements

Some agencies do not have service level agreements for their shared service arrangements.

Many of the agreements that do exist do not adequately specify controls, performance or reporting requirements. This reduces the effectiveness of shared services arrangements.

Conclusion

Agencies are better able to manage the quality and timeliness of shared service arrangements where they have a service level agreement in place. Ideally, the terms of service should be agreed before services are transferred to the service provider and:

  • specify the controls a provider must maintain
  • specify key performance targets
  • include penalties for non-compliance.

Shared service performance

Some agencies do not set performance standards for their shared service providers or regularly review performance results.

Conclusion

Agencies can achieve better results from shared service arrangements when they regularly monitor the performance of shared service providers using key measures for the benefits realised, costs saved and quality of services received.

Before agencies extend or renegotiate a contract, they should comprehensively assess the services received and test the market to maximise value for money.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Issues Recommendations or conclusions

5.1 Ethical framework

Code of conduct

All agencies we reviewed have a code of conduct, but they can still improve the way they update and manage their codes to reduce the risk of fraud and unethical behaviour.

Recommendation

Agencies should regularly review their code-of-conduct policies and ensure they keep their codes of conduct up-to-date.

Statement of business ethics

Most agencies maintain an ethical framework, but some can enhance their related processes, particularly when dealing with external clients, customers, suppliers and contractors.

Conclusion

Agencies can enhance their ethical frameworks by publishing a Statement of Business Ethics, which communicates their values and culture.

5.2 Potential conflicts of interest

Conflicts of interest

All agencies have a conflicts-of-interest policy, but most can improve how they identify, manage and avoid conflicts of interest.

Recommendation

Agencies should improve the way they manage conflicts of interest, particularly by:

  • requiring senior executives to make a conflict-of-interest declaration at least annually
  • implementing processes to identify and address outstanding declarations
  • providing annual training to staff
  • maintaining current registers of conflicts of interest.

Gifts and benefits

While all agencies already have a formal gifts-and-benefits policy, we found gaps in the management of gifts and benefits by some that increase the risk of unethical conduct.

Recommendation

Agencies should improve the way they manage gifts and benefits by promptly updating registers and providing annual training to staff.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Issues Recommendations or conclusions

6.1 Risk management maturity

All agencies have implemented risk management frameworks, but with varying levels of maturity in their application.

Agencies averaged a score of 3.1 out of five across five critical assessment criteria for risk management. While strategy and governance fared best, the areas that most need to improve are risk culture, and systems and intelligence.

Conclusion

Agencies have introduced risk management frameworks and practices as required by the Treasury’s:

  • 'Risk Management Toolkit for the NSW Public Sector'
  • 'Internal Audit and Risk Management Policy for the NSW Public Sector'.

However, more can be done to progress risk management maturity and embed risk management in agency culture.

6.2 Risk management elements

Risk culture

Most agencies have started to embed risk management into the culture of their organisation. But only some have successfully done so, and most agencies can improve their risk culture.

Conclusion

Agencies can improve their risk culture by:

  • setting an appropriate tone from the top
  • training all staff in effective risk management
  • ensuring desired risk behaviours and culture are supported, monitored, and reinforced through business plans, or the equivalent, and employees' performance assessments.

Risk registers and reporting

Some agencies do not report their significant risks to their lead agency, which may impair the way resources are allocated in their cluster. Some agencies do not integrate risk registers at a divisional and whole-of-enterprise level.

Conclusion

Agencies not reporting significant risks at the cluster level increases the likelihood that significant risks are not being mitigated appropriately.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.

Published

Managing demand for ambulance services 2017

Health
Information technology
Management and administration
Risk
Service delivery
Shared services and collaboration
Workforce and capability

NSW Ambulance has introduced several initiatives over the past decade to better manage the number of unnecessary ambulance responses and transports to hospital emergency departments. However, there is no overall strategy to guide the development of these initiatives nor do NSW Ambulance's data systems properly monitor their impact. As a result, the Audit Office was unable to assess whether NSW Ambulance's approach to managing demand is improving the efficiency of ambulance services.

Demand for ambulance services is increasing. Demographic factors including population growth and ageing have contributed to this and ongoing growth in demand is likely. It is important that NSW Ambulance finds ways to respond to this demand more efficiently, while maintaining patient safety standards and meeting community expectations.

Most triple zero calls to NSW Ambulance do not involve medical issues that require an emergency response. NSW Ambulance has introduced a range of initiatives to change the way it manages these less urgent requests for assistance. Its major demand management initiatives include using a telephone advice line, referring some patients to services other than hospital emergency departments and using specialist paramedics to respond to less urgent cases.

The role of NSW Ambulance has changed in recent years. It is aiming to become a ‘mobile health service’ that identifies the needs of patients and provides or refers them to the most appropriate type of care. This change involves a significant expansion of the clinical decision-making role of paramedics. Considerable strategic and organisational efforts are required to make this work. The successful implementation of demand management initiatives is important to NSW Ambulance's ability to continue to meet demand for its services.

This audit assessed NSW Ambulance's major demand management initiatives that aim to reduce unnecessary demand for ambulance responses and unnecessary transport to hospital emergency departments. It aimed to assess the extent to which these initiatives have improved the efficiency of its services.

Conclusion

NSW Ambulance has introduced several initiatives that aim to manage demand for its services from less urgent cases more efficiently. There is no overall strategy for these initiatives and NSW Ambulance’s data systems do not measure their outputs or outcomes. As a result, we are unable to assess the impact of NSW Ambulance's demand management initiatives on the efficiency of ambulance services. More focus is needed to ensure these initiatives achieve the efficiency improvements necessary to help NSW Ambulance meet future increases in demand.

Increasing demand for ambulance services is a key issue for NSW Ambulance. Demand has increased at a faster rate than population growth in recent years and continued growth is expected. NSW Ambulance has introduced several initiatives that aim to manage demand for its services from people with less urgent medical issues more efficiently and align its approach with the rest of the health system in New South Wales.

These individual initiatives lack a broader strategy to guide their development. NSW Ambulance’s demand management initiatives also lack clear goals and performance targets, with insufficient organisational resources allocated to support their implementation. NSW Ambulance does not have a data system that allows it to conduct accurate routine monitoring of the activity and performance of these initiatives.

More effort is required to make demand management initiatives a core part of NSW Ambulance's work. Key relationships with other health services to support demand management initiatives have only recently been established. NSW Ambulance has not communicated proactively with the public about its demand management initiatives. To ensure paramedics are as well prepared as possible for their expanded roles, they need better professional development and up to date technology.

Demand for ambulance services in New South Wales is increasing steadily. Forecast future increases in demand due to population growth and ageing mean that NSW Ambulance must improve its efficiency to maintain its performance.

Demand for ambulance services is growing at a rate higher than population growth. The increase in demand is likely to continue as the population continues to grow and age. NSW Ambulance has made several recent changes to remove large parts of demand for its services, including moving non-emergency patient transport to a separate government agency and changing the way triple zero calls are categorised.

These changes were expected to improve emergency response time performance, but the anticipated improvements have not been achieved. If demand continues to increase as forecast, NSW Ambulance will need to find more efficient ways to manage demand to maintain its performance.

NSW Ambulance has introduced initiatives to change the way it manages demand from patients who have less urgent medical issues. These have the potential to achieve positive results, but we were unable to fully assess their impact because of weaknesses in data systems and monitoring. More needs to be done to demonstrate progress toward the efficiency improvements required.

NSW Ambulance uses a telephone referral system to manage triple zero calls from people with medical issues that do not require an ambulance. This has the potential to achieve efficiency improvements but there are weaknesses in NSW Ambulance's use and monitoring of this system. Paramedics are now able to make decisions about whether patients need transport to a hospital emergency department. NSW Ambulance does not routinely measure or monitor the decisions paramedics make, so it does not know whether these decisions are improving efficiency. Extended Care Paramedics who have additional skills in diagnosing and treating patients with less urgent medical issues were introduced in 2007. NSW Ambulance analysis indicates that these paramedics have the potential to improve efficiency, but have not been used as effectively as possible.

Our 2013 audit of NSW Ambulance found that accurate monitoring of activity and performance was not being conducted. More than four years later, this remains the case. 

NSW Ambulance has recognised the need to change the way it manages demand and has developed initiatives that have the potential to improve efficiency. However, there are significant weaknesses in the strategy for and implementation of its demand management initiatives.

NSW Ambulance has identified the goal of moving from an emergency transport provider to a mobile health service and developed several initiatives to support this. Its demand management initiatives have the potential to contribute to the broader policy directions for the health system in New South Wales. However, there is no clear overall strategy guiding these initiatives and their implementation has been poor.

NSW Ambulance's reasons for changing its approach to demand management have not been communicated proactively to the community. Demand management initiatives that have been operating for over a decade still do not have clear performance measures or targets. Project management of new initiatives has been inadequate, with insufficient organisational resources to oversee them and inadequate engagement with other healthcare providers.

NSW Ambulance uses an in-house Vocational Education and Training course to recruit some paramedics, as well as recruiting paramedics who have completed a university degree. No other Australian ambulance services continue to provide their own Vocational Education and Training qualifications. Paramedics will need more support in several key areas to be able to fulfil their expanded roles in providing a mobile health service. Performance and development systems for paramedics are not used effectively. Up to date technology would help paramedics make better decisions and improve NSW Ambulance's ability to monitor demand management activity.

There are gaps in NSW Ambulance's oversight of the risks of some of the initiatives it has introduced, particularly its lack of information on the outcomes for patients who are not transported to hospital. Weaknesses in the way NSW Ambulance uses its data limit its ability to properly assess the risks of the demand management initiatives it has introduced.

Appendix one - Response from agency

Appendix two - About the audit

Appendix three - Performance auditing

Parliamentary reference - Report number #295 - released 13 December 2017

Published

Health 2017

Health
Asset valuation
Compliance
Financial reporting
Fraud
Information technology
Internal controls and governance
Management and administration
Procurement
Project management

The following report highlights results of the financial audits of entities in the NSW health cluster. The report focuses on key observations and findings from the most recent audits of these entities.

The report also includes a range of findings on service delivery. Overall, NSW Health is achieving most of its targets. Some local health districts are continuing to experience increased demand for their services and are finding it more difficult to meet their targets. For example, three local health districts had not achieved some emergency department response time targets for three consecutive years.

1. Financial reporting and controls

Financial Reporting

All health cluster entities received unqualified audit opinions and the quality of financial reporting remains high across the cluster.

Early close procedures were largely completed and all financial statements were submitted by the deadlines.

Financial performance

Overall, NSW Health recorded an operating surplus of $407 million in 2016–17. Eleven local health districts/specialty networks recorded operating deficits in 2016–17, four more than 2015–16.

Expenses across NSW Health increased by 4.4 per cent in 2016–17 (6.0 per cent in 2015–16), lower than the expected long term annual expense growth rate.

Excess annual leave

Managing excess annual leave is a continual challenge for NSW Health, with thirty-five per cent of the workforce having excess balances.

Overtime payments

NSW Health entities are generally managing overtime well; however NSW Ambulance’s overtime payments, $74.6 million in 2016–17, remain significantly higher than other health entities.

Time and leave recording practices

Unapproved employee timesheets continue to be a problem for health entities. Weak timesheet approval controls increase the risk of staff claiming and being paid for hours they have not worked. There is also an increased risk of high volumes of roster adjustments, manual pays, salary overpayments and leave not being recorded accurately.

2. Service Delivery

Service Agreements

Most of the service agreements between the Secretary of NSW Health and health entities were signed earlier than prior years.

Performance monitoring

Five NSW Health entities are not meeting the Ministry of Health’s performance expectations at 30 June 2017.

Emergency department performance

Data provided by the Ministry indicates NSW Health, on average, met emergency department triage response time targets across all triage categories for the fourth consecutive year.

Ambulance response times

Data provided by the Ministry shows NSW Ambulance response times for imminently life‑threatening incidents of 7.5 minutes in 2016–17 was within the Ministry’s target of 10.0 minutes.

Data provided by the Ministry indicates NSW Ambulance response times for potentially life‑threatening incidents did not improve in 2016–17. The median response time of 11.1 minutes in 2016–17 was similar to 2015–16 (11.0 minutes). This is despite the number of Priority 1 responses reducing by 4.3 per cent.

Unplanned hospital re-admissions

Data provided by the Ministry shows eight local health districts achieved the Ministry of Health’s unplanned hospital re‑admissions target in 2016–17. The target is for local health districts to reduce re‑admission rates from the previous financial year.

This report sets out the results of the 30 June 2017 financial statement audits of Health cluster entities.

The report has been structured into two chapters focusing on:

  • Financial reporting and controls
  • Service delivery.

This chapter outlines audit observations, conclusions and recommendations related to financial reporting and internal controls of entities for 2016-17.

Observation Conclusion or recommendation

2.1 Quality of financial reporting

All cluster entities received unqualified audit opinions and misstatements identified in financial statements fell. The quality of financial reporting remains high across the cluster.

2.2 Timeliness of financial reporting

Early close procedures were largely completed and all financial statements were submitted by the deadlines. Health entities controlled by the Ministry of Health continued submitting their financial statements well ahead of the statutory deadlines.

2.4 Financial and sustainability analysis

NSW Health recorded an operating surplus of $407 million in 2016–17.

Eleven local health districts/specialty networks recorded operating deficits in 2016–17, four more than 2015–16.

Expenses across NSW Health increased by 4.4 per cent in 2016–17 (6.0 per cent in 2015–16).

The capital replacement ratio of local health districts/specialty networks ranged from 0.5 to 5.7 in 2016–17. Seven local health districts had a capital replacement ratio higher than one.

The statewide operating surplus was $84 million higher than 2015–16. Net surpluses contribute to NSW Health’s ability to invest in new facilities, upgrades and redevelopments.

The 2016–17 financial results were once again impacted by the NSW Government initiative to improve cash management across the sector.

The expense growth rate for NSW Health is 1.6 percentage points lower than the expected long term annual expense growth rate.

Substantial ongoing investment in hospitals and other assets across NSW Health is evidenced by high capital replacement ratios for some health entities in 2016–17.

2.5 Performance against budget

Ten local health districts/specialty networks’ expense budget variance was outside performance expectations agreed with the Ministry at the beginning of 2016–17. The Ministry continues to manage performance across NSW Health to improve the accuracy of budgeting practices.

2.7 Human Resources

Thirty-five per cent of NSW Health’s workforce have excess annual leave balances.

NSW Ambulance had the highest average sick leave rate in NSW Health of 85.2 hours per FTE in 2016–17 (78.7 hours in 2015–16). This was higher than the statewide average of 62.1 hours (62.0 hours in 2015–16).

NSW Ambulance’s overtime payments in 2016–17 totalled $74.6 million; $2.8 million more than 2015–16 and significantly higher than other health entities.

Other NSW Health entities are generally managing overtime well.

Unapproved employee timesheets continue to be a problem for health entities. Weak timesheet approval controls increase the risk of staff claiming and being paid for hours they have not worked.

Managing excess annual leave is a continual challenge for health entities.

Recommendation: Health entities should further review the approach to managing excess annual leave in 2017–18. They should:

  • monitor current and projected leave balances to the end of the financial year on a monthly basis
  • agree formal leave plans with employees to reduce leave balances over an acceptable timeframe.


NSW Ambulance continues to face significant challenges in managing sick leave.

Recommendation: NSW Ambulance should further implement and monitor targeted human resource strategies to address the high rates of sick leave taken.

Recommendation: NSW Ambulance should further review the effectiveness of its rostering practices to identify strategies to reduce excessive overtime payments.

Recommendation: Health entities should conduct a risk‑based review of time and leave recording practices to ensure control weaknesses are identified and fixed.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17.

Observation Conclusion or recommendation

3.1 Service agreements in NSW Health

Most of the service agreements between the Secretary of NSW Health and health entities were signed earlier than prior years.

Thirteen local health districts/specialty networks signed their service agreements by the 31 July 2017 due date. This is a significant improvement with only seven local health districts/specialty networks meeting the date in 2015–16.

Having service agreements signed as close as possible to the start of each year provides the Ministry and NSW Health entities with clarity around roles, responsibilities, performance measures, budgets, and service volumes and levels.

3.2 Performance of NSW Health entities

Five NSW Health entities were not meeting the Ministry’s performance expectations at 30 June 2017. The Ministry is managing the five entities in accordance with its performance review process.

3.4 Emergency department response times

Data provided by the Ministry indicates NSW Health again, on average, met emergency department triage response time targets across all triage categories for the fourth consecutive year.

The Ministry manages performance across NSW Health to ensure patients presenting at emergency departments receive care in a clinically appropriate timeframe.

Based on the Ministry’s data, local health districts/specialty networks are, on average, meeting triage targets despite increasing emergency department attendances.

The data shows eleven local health districts met all triage targets in 2016–17, compared to eight in 2015–16.

3.5 Emergency treatment performance

The Ministry manages public patient access to emergency services in public hospitals.

It has an emergency treatment performance target of 81 per cent of patients leaving emergency departments within four hours.

Data provided by the Ministry indicates NSW Health maintained its overall emergency treatment performance in 2016–17, but did not achieve its target. The State average emergency treatment performance was 74.2 per cent (74.2 per cent in 2015–16).

Based on the Ministry’s data, only four local health districts achieved the target in 2016–17, five in 2015–16.

3.6 Ambulance response times

NSW Ambulance has a response time target of 10.0 minutes for imminently life‑threatening incidents in New South Wales. Data provided by the Ministry indicates NSW Ambulance response times for imminently life-threatening incidents of 7.5 minutes in 2016–17 was within the Ministry’s target.

3.7 Transfer of care

The Ministry has a target of 90 per cent for the number of ambulance arrivals within a 30 minute ‘transfer of care’ timeframe. Data provided by the Ministry indicates the rate of ambulance arrivals within a 30 minute 'transfer of care' timeframe improved from 87.6 per cent in 2015–16 to 91.7 per cent in 2016–17, exceeding the Ministry’s target.

3.8 Average length of stay in hospital

Based on the Ministry’s 2016–17 data, the average length of stay for acute episodes was 3.0 days. The average length of stay in New South Wales hospitals is lower than the national average of 3.2 days (in 2015–16). The Ministry’s data shows the average length of stay by patients for acute episodes has remained stable in New South Wales hospitals for four years.

3.9 Elective surgery access performance

Data provided by the Ministry indicates NSW Health continues to manage waiting times for elective surgery in public hospitals. The Ministry’s data shows NSW Health improved on‑time admission of patients for elective surgery in 2016–17 despite a 1.8 per cent increase in admissions. While the result improved, only one of the three targets for elective surgery waiting times was met in 2016–17.

3.10 Unplanned hospital re-admissions

Data provided by the Ministry indicates NSW Health, on average, did not reduce the rate of unplanned hospital re‑admissions in 2016–17. The Ministry has a target of reducing unplanned hospital re‑admissions compared to the previous financial year.

Low re‑admission rates may indicate good patient management practices and post-discharge care.

The Ministry’s data shows eight local health districts met the target to reduce the rate of re‑admissions compared to the previous financial year. The statewide average rate increased from 6.3 per cent to 6.4 per cent.
3.11 Post discharge care for acute mental health patients
NSW Health has a goal to increase community-based care to acute mental health patients after they are discharged. Continuity of care in the community can lead to reduced symptom severity, lower re‑admission rates, and improved quality of life. The Ministry’s 2016–17 data shows the statewide average for post discharge follow-up of acute mental health patients within seven days was 70.0 per cent (66.0 per cent in 2015–16). The statewide average improved and met the NSW Health target of 70 per cent. Nine local health districts exceeded the NSW Health target.
3.12 Mental health acute re-admissions
NSW Health has a goal to reduce acute public sector mental health re-admissions. High re‑admission rates may indicate deficiencies in inpatient treatment and follow up care. The Ministry’s data shows twelve local health districts did not achieve the NSW Health target of 13 per cent mental health acute re‑admissions in 2016–17.
3.13 Unplanned and emergency re‑presentations

NSW Health aims to reduce the number of unplanned and emergency re‑presentations to emergency departments.

The Ministry’s 2016–17 data shows the State average of emergency department re‑presentations decreased marginally from 5.0 per cent in 2015–16 to 4.9 per cent.

Patients attending rural emergency departments are more likely to re‑present within 48 hours of being discharged than those in regional or metropolitan emergency departments.
3.14 Healthcare associated infection
The national target for the rate of Staphylococcus aureus (golden staph) bloodstream infection is two cases per 10,000 bed days. Data provided by the Ministry indicates the rate of golden staph bloodstream infection in New South Wales hospitals continues to be well below the target and national benchmark at 0.72 cases per 10,000 bed days in 2016–17 (0.75 in 2015–16).
3.15 Patient experience and satisfaction

The Bureau of Health Information analyses and reports on the results of patient surveys.

The Bureau’s survey shows 65 per cent of adult admitted patients rated the care they received in hospital as ‘very good’ and 29 per cent rated it as ‘good’.

NSW Health recognises that patient surveys are an important feedback mechanism on the health care system that can only come from personal experiences.

Central Agencies 2017

Finance
Premier and Cabinet
Asset valuation
Compliance
Financial reporting
Fraud
Information technology
Internal controls and governance
Project management

This report highlights the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters.

The report includes a range of findings in respect to service delivery. One repeat finding is that while the Government regularly reports on the 12 Premier's priorities, there is no comprehensive reporting on the 18 State priorities. 

1. Financial reporting and controls

Audit opinions: Unqualified audit opinions were issued for all agencies' 30 June 2017 financial statements.
Early close: Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement.
Deficient user administration access: User access administration over financial systems remains an area of weakness. Agencies need to strengthen user access administration to critical systems.
Transitioning to outsourced service providers: Transitioning of services to outsourced service providers can be improved. Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks.

2. Service delivery

Premier and State Priorities: A comprehensive report of performance against the 18 State Priorities is yet to be published. While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency.
ICT and digital government: The Digital Government Strategy was released in May 2017. Targets will need to be set to assess and monitor progress against the Strategy.
Digital information security: Not all agencies are complying with the NSW Government's information security policy. This increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.
Property and asset utilisation: Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

3. Government financial services

Prudential oversight of NSW Government superannuation funds: Prudential oversight of SAS Trustee Corporation Pooled Fund and Parliamentary Contributory Superannuation Fund has not been prescribed. Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments in excess of $42.4 billion.
Green slip scheme affordability: Currently, Green Slips in NSW are the most expensive in Australia. However, CTP reforms are expected to reduce the cost of Green Slips.

This report sets out the results of the 30 June 2017 financial statement audits of NSW Government's central agencies and their cluster agencies.

Central agencies play a key role in ensuring policy coordination, good administrative and people management practices and prudent fiscal management. The central agencies and their key responsibilities are set out below.

Confidence in public sector decision‑making and transparency is enhanced when financial reporting is accurate and timely. Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. This chapter outlines our audit observations, conclusions or recommendations related to financial reporting and controls of agencies for 2016–17.

Observation Conclusion or recommendation
2.1 Quality of financial reporting
Unqualified audit opinions were issued for all agency financial statements. The quality of financial reporting continues to remain strong across the clusters.
2.2 Timeliness of financial reporting
Most agencies complied with the statutory timeframes for completion of early close procedures and preparation and audit of financial statements. Early close procedures continue to facilitate the timely preparation of financial statements and completion of audits, but agencies can make further improvement.
2.3 Financial performance and sustainability
We assessed the performance of agencies listed in Appendix six against some key financial sustainability indicators. This highlighted two agencies with negative operating margins of more than ten per cent and one agency with a liquidity ratio of less than 0.5. These agencies have strategies in place to remain financially sustainable and manage their liquidity. Our analysis found that, overall, the agencies are not at high risk of sustainability concerns.
2.4 Internal Controls

User access administration over financial systems remains an area of weakness. Sixteen moderate risk and ten low risk issues related to user access administration across eight agencies were identified. 

Recommendation: Agencies should review user access administration to critical systems to ensure:

  • policies for user access creation, modification and deactivation are documented
  • approval is being obtained to establish, modify or delete user accounts
  • regular user access reviews are performed and highly privileged user account activity is logged and monitored
  • evidence of review is maintained.

Transitioning of services to outsourced service providers can be improved. Our 2016–17 audits identified one high risk issue relating to Property NSW's outsourcing of property and facility management services to the private sector.

While a high risk issue was identified in 2015–16 from the Department of Finance, Services and Innovation's outsourcing of transactional and information technology services to GovConnect, there has been an improvement in GovConnect's internal control environment throughout 2016–17.

Outsourcing services can lead to better outcomes, which may include lower transaction costs and improved services, but it also introduces new risks. The transition needs to be carefully managed and requires thorough planning and effective project governance. This should be supported by oversight and direction from senior management and independent project assurance.
2.5 Human Resources    
The percentage of full‑time equivalent staff with annual leave greater than 30 days in the Finance, Services and Innovation, Premier and Cabinet and the Treasury clusters is 7.9 per cent, 17.1 per cent and 18.4 per cent respectively. Agencies have strategies in place to reduce annual leave balances that are greater than 30 days. The effectiveness of these strategies will need to be monitored to ensure they are helping to achieve the desired outcome.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17. 

Observation Conclusion or recommendation
3.1 Premier and State priorities

The Department of Premier and Cabinet monitors the achievement of targets and the implementation of initiatives to deliver the 12 Premier’s Priorities.

Responsible ministers and agencies manage the 18 State Priorities. A comprehensive report of performance against the 18 State Priorities is yet to be published.

While some measures are publicly reported through agency annual reports or other sources, a comprehensive report of performance against the 18 State Priorities would ensure all State Priorities are publicly reported, provide a single and easily accessible source of reference and improve transparency.
Where possible, independent sources are used to measure performance; however, without independent assurance there is an increased risk that the target measures are inaccurate, not relevant or do not fairly represent actual performance.

Performance against the State Priority to make NSW the easiest state to start a business is not currently published.

A key aspect of making NSW the easiest state to start a business is making regulatory obligations easier to understand and implement.

Initiatives such as easy to do business and red tape reduction are in place to help achieve this priority.

The regulatory policy framework is under review following an October 2016 performance audit on ‘Red tape reduction’ that found the regulatory burden of legislation had increased.
3.2 Financial management
Revenue NSW earned record crown revenue of $30.0 billion in 2016–17 to support the state's finances. Record crown revenue has been driven by the sustained increase in duties revenue, which has increased by 93.7 per cent over the last five years. This is a consequence of the continued strength in the property market over this time and large one-off NSW Government business asset sales and leases.
3.3 ICT and digital government
The Digital Government Strategy (the Strategy) was released in May 2017 to build on reforms set out in previous ICT strategies. The Strategy’s priorities and enablers aim to support digital innovation. Targets and measures will need to be set to assess and monitor progress against the Strategy.
The Digital Information Security Policy (DISP) is a key tool that helps ensure a minimum set of information security controls are implemented across NSW Government agencies.

A review of 2016 annual reports found 15 agencies (13 in 2015) did not attest to compliance with the DISP and of the agencies that attested to compliance, 34 reported issues associated with their compliance.

Failure to comply with the DISP increases the risk of noncompliance with legislation, information security breaches and difficulty restoring data or maintaining business continuity in the event of a disaster or disruption.

3.4 Property and asset utilisation

Property NSW's performance reporting could be improved. M2012-20 'Government Property NSW and Government Property Principles' required Property NSW to set key performance indicators to measure property and asset utilisation performance.

Property NSW's performance reporting would be enhanced by developing and reporting on customer satisfaction, reporting against set targets and benchmarking cost of service to the private sector.

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation Conclusion or recommendation
4.1 Key issues

The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). Amendments to relevant legislation allow the Minister for Finance, Services and Property to prescribe applicable prudential standards and audit requirements.

Structured and comprehensive prudential oversight of these funds remains important as they operate in a specialised, complex and continuously changing investment market sector, have over 106,000 members and manage investments of more than $42.4 billion.

Recommendation: The Treasury should liaise with the respective Trustees to implement appropriate prudential standards and oversight arrangements for the exempt public sector superannuation funds.

Currently, Green Slips in NSW are the most expensive in Australia. Average premiums for Sydney Metropolitan vehicles increased by 10.4 per cent between 1 January 2016 and 31 December 2016.

CTP reforms are expected to reduce the cost of Green Slips. The State Insurance Regulatory Authority will need to ensure it has appropriate processes in place to track and report against the expected benefits.
4.2 Financial performance and sustainability
Net unfunded superannuation liabilities were $15.0 billion at 30 June 2017.

Under the Fiscal Responsibility Act 2012, the NSW Government’s target is to eliminate unfunded superannuation liabilities by 2030.
The superannuation funds’ strategic asset allocation and investment strategies are monitored and adjusted to help achieve a fully funded position by 2030.
The Home Warranty Scheme commenced in 2011. Over this time total premiums collected have not been sufficient to cover expected claim costs. Funding arrangements introduced during 2016–17 allow the Home Building Compensation Fund to apply to the Crown for reimbursement of unfunded realised losses from under-pricing of premiums.

Other reforms are planned to address the long term sustainability of the home building compensation scheme.
4.3 Investment performance
The NSW Government’s main superannuation funds have maintained the management expense ratio (MER) at consistent levels over the past two years. The Parliamentary Contributory Superannuation (PCS) Fund does not set an MER target. MER is an industry recognised ratio to measure the performance of funds and investment managers.

Recommendation: The Fund Secretary for the PCS Fund, in conjunction with the Trustee, should consider establishing an appropriate management expense ratio target to measure performance.

State Finances 2017

Finance
Health
Industry
Justice
Local Government
Planning
Premier and Cabinet
Treasury
Universities
Whole of Government
Environment
Asset valuation
Financial reporting
Information technology
Internal controls and governance

Total State Sector Accounts received an unqualified audit opinion for the fifth consecutive year.

There was a $5.7 billion State budget surplus and continued investment in new infrastructure, in part funded by the long-term leases of Ausgrid and Endeavour Energy assets. This report also comments on key accounting matters, including the correction of some previously reported balances and the first time reporting of combined Cabinet members’ compensation in the Total State Sector Accounts.

Pursuant to the Public Finance and Audit Act 1983, I present my Report on State Finances 2017.

You will note that the format of this report has changed from previous years.

The intent of this change is to draw attention to the key matters that have been the focus of our audit and highlight significant factors that have contributed to the outcome.

First, it is pleasing to report once again that I issued a clear audit opinion on the State’s consolidated financial statements. This outcome demonstrates the Government’s continued focus on the quality of financial reporting across the NSW public sector.

High quality financial management and reporting are crucial to properly inform the public and build community confidence in our system of government.

The Treasury’s Financial Management Transformation program also aims to improve financial governance, budgeting and reporting arrangements across the sector. My Office is working collaboratively with The Treasury on reforms to reduce the burden of reporting, without weakening established safeguards.

The reforms should include measures to provide independent assurance of the budget process, of outcome reporting by agencies, and the power to “follow the dollar” given the increasing use of non-government organisations to deliver Government programs.

This Report also highlights another year of strong financial performance. The State’s budget result was a $5.7 billion surplus, and investment in new infrastructure has continued, in part funded by the long-term leases of Ausgrid and Endeavour Energy assets.

Finally, could I take this opportunity to thank the staff of The Treasury for the way they approached this audit. Our partnership is critical to ensuring NSW is an exemplar of quality financial management and reporting.

Margaret Crawford 
24 October 2017

A clear audit opinion on the State’s consolidated financial statements was issued.

Timely and accurate financial reporting is essential for informed decision making, effective management of public funds and enhancing public accountability.

This year’s clear audit opinion reflects the Government’s continued efforts to improve the quality of financial reporting across the NSW public sector.

Since the introduction of ‘early close procedures’ in 2011-12, the number of significant errors in financial statements of agencies has generally fallen, largely due to identifying and resolving complex accounting issues early. Agencies’ 2016-17 financial statements submitted for audit contained nine errors exceeding $20 million. All errors were subsequently corrected in the individual agencies’ financial statements.

Agencies should continue to respond to key accounting issues as soon as they are identified. Where issues are identified, accounting position papers should be prepared for consideration by the Audit Office, their Audit and Risk Committee members, and when relevant, The Treasury.

The State addressed the following key accounting matters during 2016-17. 

The State recognised rail tunnels and earthworks valued at $8.5 billion.

Some rail tunnels and earthworks have never been valued by the State. These include the City Circle, the country rail network and other tunnels and earthworks built before the year 2000. Some of these tunnels and earthworks date back to the early 1900s.

For many years, the State did not account for these assets as they believed that their value could not be reliably measured. This year an independent valuer was engaged to perform a comprehensive valuation. The methodology used demonstrated that the assets could have been reflected in the financial statements earlier.

The State recorded an additional $8.5 billion to correct the value of infrastructure assets at 1 July 2016.

Cabinet members’ compensation and related party transactions were reviewed.

Due to changes in Accounting Standards, the State had to consider 'related party information' in the financial statements. Previously this only applied to for-profit entities.

This year, requirements to report related party information extended to members of Cabinet, considered to be “key management personnel” of the State, as defined by Accounting Standards.

The Treasury implemented a process to assess and report Cabinet members’ compensation, and transactions between Cabinet members and/or their close family members, and government agencies.

Collectively, Cabinet members’ remuneration was $8.8 million, which was mainly salaries and allowances, and $3.5 million of non-monetary benefits such as security and drivers. The Treasury determined there were no other specific “related party” transactions or balances that required disclosure in the State’s financial statements.

Information system limitations continue at TAFE NSW.

TAFE NSW has experienced ongoing issues with its student administration system.

TAFE NSW has again implemented additional processes to verify the accuracy and completeness of revenue from sales of goods and services.

TAFE NSW expects to spend up to $89 million on a new information system to address these issues. Modules of the new student enrolment system are expected to be in place for the 2018 enrolment period.

Restatements relating to the General Government Sector's investment in the commercial sector.

The State corrected two previously reported balances relating to the General Government Sector’s investment in the commercial sector.

Accounting Standards require the General Government Sector to effectively store gains or losses related to its investment in the commercial sector in reserves until the investment is derecognised.

When these investments are disposed of, the cumulative gains and losses must be cleared and recognised in the operating result. However, the Government had previously cleared the cumulative gains and losses directly to Accumulated Funds within equity.

To comply with Accounting Standards, a total of $6 billion previously reported as a movement in equity at 30 June 2016 has now been corrected to the operating result.

In addition, Accounting Standards only allow gains or losses on its investments to be stored in reserves. In past years, the State recognised all changes in the value of its investment in Available for Sale Reserves, including the capital contributed to establish the State’s investment. In 2016-17, a total of $23.4 billion of contributed capital was corrected to accumulated funds at 1 July 2015.

The State’s budget result was a $5.7 billion surplus, $2.0 billion higher than the budget estimate.

The Total State Sector comprises 310 entities controlled by the NSW Government.

Of the total, the General Government Sector comprises 215 entities that provide goods and services not directly paid for by consumers.

The non-General Government Sector comprises 95 Government businesses that provide goods and services such as water and electricity, or financial services.

A principal measure of a Government’s overall performance is its Net Operating Balance, or Budget Result. The Net Operating Balance reports the difference between the cost of General Government service delivery and the revenue earned to fund these sectors.

The State has recorded budget surpluses and exceeded the original budget result in nine of the last ten years.

The State maintained its AAA credit rating.

The object of the Act is to maintain the AAA credit rating.

NSW’s finances are managed in alignment with the Fiscal Responsibility Act 2012 (the Act).

The Act established the framework for fiscal responsibility and strategy needed to protect the State’s AAA credit rating and service delivery to the people of NSW.

The purpose of maintaining the AAA credit rating is to reduce the cost of, and ensure the broadest access to, borrowings.

A triple-A credit rating also helps maintain business and consumer confidence so economic activity and employment are sustained. The legislation sets out targets and principles for financial management to achieve this.

New South Wales has credit ratings of AAA/Negative from Standard & Poor’s and Aaa/Stable from Moody’s Investors Service.

The fiscal targets for achieving this objective are:

General Government expenditure growth is lower than long term revenue growth.

General Government expenditure growth was 4.2 per cent in 2016-17, below the long-term revenue growth of 5.6 per cent.

Eliminating unfunded superannuation liabilities by 2030.

The Act sets a target of eliminating unfunded defined benefit superannuation liabilities by 2030. The State’s net superannuation liability was $58.6 billion at 30 June 2017 ($71.2 billion at 30 June 2016).

The Government predicts the 2030 target will be achieved. The State’s funding plan is to contribute amounts escalated by five per cent each year so the schemes will be fully funded by 2030. In 2016-17, the State made employer contributions of $1.5 billion, which is largely consistent with contributions over the past five years.

The liability values in the graph below do not reflect the values recorded in the Total State Sector Accounts. For financial reporting purposes, Accounting Standards (AASB 119 Employee Benefits) require the State to discount its superannuation liability using the government bond rate (refer to page 10 of this report). 

The relevant government bond rate in the current economic climate is 2.62 per cent.

The State’s target for the unfunded superannuation liability is measured using AASB 1056 Superannuation Entities. This is because it adopts a measurement basis that reflects expected earnings on fund assets, which are currently between 5.9 and 7.4 per cent. Using these rates, the liability is $15.0 billion at 30 June 2017 ($16.1 billion at 30 June 2016). The unfunded liability is $2.4 billion less than when the Act was introduced.

The State’s assets grew by $31.6 billion during 2016-17 to $409 billion.

Valuing the State’s physical assets.

When we audit the financial statements, we focus on areas we consider as higher risk. These areas are often complex, and require the use of estimates and judgements.

The State has $307.2 billion of physical assets measured at fair value in accordance with Australian Accounting Standards. Fair value calculations are inherently complex and sensitive to assumptions and estimates, increasing the risk these assets are incorrectly valued.

In our audits, we assess the reasonableness and appropriateness of assumptions used in valuing physical assets. This includes obtaining an understanding of the valuation methodologies applied and judgements made. We also review the completeness of asset registers, and the mathematical accuracy of valuation models.

Net movements between years include additions, disposals, depreciation and valuations. This year, valuations of physical assets added $16.2 billion to the State’s assets, comprising:

  • Transport for NSW and Railcorp $8.5 billion

  • New South Wales Land and Housing Corporation $4.8 billion

  • Roads and Maritime Services $930 million

  • Crown Entity $400 million.    

The State’s financial assets increased by $27.5 billion in 2016-17.

The State’s financial assets have increased by 88 per cent over the past four years. In 2016-17, financial assets increased primarily due to proceeds from the sale of government assets and businesses.

The Government implemented reforms to better use the State’s financial assets. A key element was the creation of an Asset and Liability Committee (ALCO) to provide advice on ways to improve balance sheet management.

Since the creation of the ALCO, reforms include:

  • Establishment of the New South Wales Infrastructure Future Fund (NIFF). The net proceeds from the State’s asset recycling program are invested into the NIFF, which is managed by TCorp, with a balance of $14.6 billion by 30 June 2017. Funds raised are invested through the NIFF until the Government requires them for critical infrastructure projects that are part of the Restart NSW and Rebuilding NSW program of works. ALCO and TCorp provide advice on the NIFF’s performance and management

  • Establishment of the Social and Affordable Housing Fund ($1.1 billion at 30 June 2017). ALCO oversees the Fund to ensure an appropriate investment approach that will maintain funding certainty for new social and affordable housing stock

  • Cash and liquidity management reforms to centralise cash previously held by agencies in the Treasury Banking System. This reform is designed to ensure agencies have adequate levels of liquidity but with surplus funds invested centrally for better returns.

The State’s liabilities decreased by $13.1 billion during 2016-17 to $182 billion.

Valuing the State’s liabilities relies on an actuarial assessment.

Nearly half of the State’s liabilities relate to its employees. This includes unfunded superannuation, and employee benefits, such as long service and recreation leave.

Valuation of these obligations is subject to complex estimation techniques and significant judgements. Small changes in assumptions can materially impact the financial statements.

We address the risk associated with auditing these balances by:

  • using actuarial specialists

  • testing controls around underlying employee data used in data models, and testing the accuracy of the calculations

  • evaluating assumptions applied in calculating employee entitlements such as the discount rate and the probability of long service leave vesting conditions being met.

The State’s superannuation obligations reduced by $12.6 billion in 2016-17.

The State’s $58.6 billion superannuation liability represents obligations for past and present employees, less the value of assets set aside to meet those obligations. The superannuation liability decreased from $71.2 billion to $58.6 billion, largely due to an increase in the discount rate from 1.99 per cent to 2.62 per cent. This alone reduced the liability by $9.2 billion.

The State’s borrowings totalled $70.6 billion at 30 June 2017.

The State’s borrowings totalled $70.6 billion at 30 June 2017, $9.5 billion less than the previous year. This was largely due to the repayment of borrowings when the assets of Ausgrid and Endeavour Energy were leased to the private sector.

TCorp issues bonds to raise funds for NSW Government agencies. The bonds are actively traded in financial markets providing price transparency and liquidity to public sector borrowers and institutional investors. All TCorp bonds are guaranteed by the NSW Government.

The Government manages its debt liabilities through its balance sheet management strategy. The strategy extends to TCorp, which applies an active risk management strategy to the Government’s debt portfolio.

General Government Sector debt is being restructured by replacing shorter-term debt with longer-term debt. This lengthens the portfolio to better match liabilities with the funding requirements of infrastructure assets and reduces refinancing risks. It also allows the Government to take advantage of the low interest rate environment.

The State recorded revenue of $83.5 billion in 2016-17, an increase of $5.3 billion from 2015-16.

The State’s results are underpinned by revenue growth in taxation, fees and fines.

Taxation, fees, fines and other revenue comprises $30.5 billion of taxation ($28.7 billion in 2015-16) and $5.3 billion of fees, fines and other revenue ($4.6 billion).

Tax revenue for the Total State Sector increased by $1.8 billion, or 6.4 per cent compared to 2015-16, primarily due to:

  • one-off business asset sales and lease transactions, including $718 million in transfer duty from the Ausgrid and Endeavour Energy lease transactions

  • $385 million increase in payroll tax from growth in NSW employment and average employee compensation

  • a $426 million increase in land taxes.

Growth in stamp duty is expected to slow over the next 4 years.

General Government Sector stamp duties have increased from $6.2 billion in 2012-13 to $11.5 billion in 2016-17, an annual average growth rate of 16.5 per cent. The Government’s budget forecasts the growth in stamp duties to decline, to an average annual growth rate of 2.6 per cent between 2016-17 and 2020-21.

The State received Commonwealth grants and subsidies of $30.8 billion in 2016-17.

The State received $30.8 billion from the Commonwealth Government in 2016-17, $1.6 billion more than in 2015-16. This was primarily due to transaction based asset recycling grants of $1.0 billion and a $720 million increase in national land transport grants. This increase was offset by a $435 million decrease in General Purpose Grants, which mainly comprises New South Wales’ share of the Goods and Services Tax (GST). 

The State spent $79.4 billion in 2016-17 to deliver services to the community, an increase of $3.9 billion from 2015-16.

Overall expenses increased 5.2 per cent from last year. Most of the increase was due to higher employee costs and operating costs.

Total salaries and wages increased by 4.2 per cent from 2015-16.

Total salaries and wages increased to $30 billion from $28.8 billion in 2015-16. The Government wages policy aims to limit the growth in remuneration and other employee costs to no more than 2.5 per cent per annum.

Operating expenses increased by 12.4 per cent from 2015-16.

Within operating expenses, payments for supplies, services and other expenses increased, in part, due to the State:

  • reacquiring mining licenses worth $482 million and additional land remediation costs of $101 million

  • spending more on health including additional drug supplies relating to Hepatitis C.

State spend on transport and communications increased by 68.1 per cent since 2012-13.

While health and education remain the largest functional areas of Government spending, expenditure on transport and communication increased, on average, by 13.9 per cent annually between 2012-13 and 2016-17. This increase reflects the Government’s investment in transport infrastructure such as the Sydney Metro and Westconnex. Over the same period, spending on health increased by $3.9 billion.

Expenditure on fuel and energy has decreased by an average of 44.7 per cent since 2012-13, reflecting the State’s leases of electricity network assets.

In 2011, the Government established Restart NSW to fund high priority infrastructure projects.

Restart NSW projects are primarily funded from the proceeds from the asset recycling program enabling Government to deliver new infrastructure investment.

Restart NSW provides funding for the delivery of Rebuilding NSW, which is the Government’s 10-year plan to invest $20 billion in new infrastructure.

The State finalised long-term leases of Ausgrid and Endeavour Energy assets.

In June 2017, the Government finalised its long-term lease of 50.4 per cent of Endeavour Energy. This transaction follows on from the long-term leases of TransGrid in December 2015 and 50.4 per cent of Ausgrid in December 2016. Net proceeds of $15.0 billion were paid into Restart NSW relating to these transactions.

The Government also finalised an arrangement for the private sector to provide land titling and registry services to the public for 35 years. The State, through Restart NSW, received an upfront payment of $2.6 billion from the new operator.

Restart NSW is funding $29.8 billion of new infrastructure.

The Government has detailed its plan to invest $20 billion into the Rebuilding NSW plan from Restart NSW.

At 30 June 2017, around $2.9 billion has already been spent on Rebuilding NSW projects from Restart NSW, with a further $9 billion included in the budget aggregates. The Government has also earmarked a further $8.1 billion in Restart NSW for future projects.

The most significant project is the Sydney Metro. The Government has committed $7.0 billion from Restart NSW to build a 30-kilometre metro line, linking Sydney Metro Northwest at Chatswood, through new stations in the lower North Shore, the Sydney CBD and southwest to Bankstown. At 30 June 2017, $2.4 billion has been spent on this project from Restart NSW.

Other significant projects funded by Restart NSW include a $1.8 billion contribution to WestConnex and reserved funding of $1 billion towards the State’s Major Stadia Network program.

The Treasury initiated the Financial Management Transformation (FMT) program with the aim of changing and improving financial governance, budgeting and reporting arrangements of the New South Wales public sector.

FMT aims to deliver better outcomes for the people of New South Wales and focuses on transparency and accountability for expenditure, and better value for money.

New Financial Management System

PRIME is the Information Technology (IT) solution component of the FMT program, replacing several historical systems. PRIME will provide both financial and performance information within one IT platform for all agencies in the NSW public sector.

It is expected to give Government more timely information to plan and deliver its policy priorities and the budget.

Independent assurance over the budget process would improve confidence in the reliability of the State’s financial information.

Published

Planning and evaluating palliative care services in NSW

Health
Management and administration
Service delivery
Workforce and capability

NSW Health’s approach to planning and evaluating palliative care is not effectively coordinated. There is no overall policy framework for palliative and end-of-life care, nor is there comprehensive monitoring and reporting on services and outcomes.

Palliative care is an essential component of modern health care services and an increasingly important part of the wider health and social care systems. Palliative care is healthcare and support for people with a life-limiting illness, their families and carers. It is provided by, or informed by, professionals who specialise in palliative care. ‘End of life’ care is provided to people approaching the end of life by health professionals, who may work in the health, community or aged care systems. Not everyone receiving end of life care needs palliative care.

NSW Health has a policy and planning role in palliative and end-of-life care, and it coordinates a wide range of service providers. Local Health Districts (LHDs) provide care services in settings such as homes, hospitals and clinics to patients with varying needs. There are several care providers that can be involved.

Due to this shared nature of palliative care — where many people, services and settings are involved in delivering care to the patient — availability and communication of information is critical. For service planning, data and evidence must be drawn from various sources in a timely and efficient way.

This audit assessed whether NSW Health is effectively planning and evaluating palliative care services, in the context of rising demand, increasingly complex needs, and the diversity of service providers.

Conclusion 

NSW Health’s approach to planning and evaluating palliative care is not effectively coordinated. There is no overall policy framework for palliative and end-of-life care, nor is there comprehensive monitoring and reporting on services and outcomes.  

NSW Health has a limited understanding of the quantity and quality of palliative care services across the state, which reduces its ability to plan for future demand and the workforce needed to deliver it. At the district level, planning is sometimes ad hoc and accountability for performance is unclear.

The capacity of LHDs to use accurate and complete data to plan and deliver services is hindered by multiple disjointed information systems and manual data collections. Further, a data collection on patient outcomes, for benchmarking and quality improvement, is not used universally. This limits the ability of districts to plan, benchmark and improve services based on outcomes data.

NSW Health's engagement with stakeholders is not systematic. The lack of an overall stakeholder engagement strategy puts at risk the sustainability and value of stakeholder input in planning and limits transparency.

Over the last two years, NSW Health has taken steps to improve its planning and support for districts. The Agency for Clinical Innovation has produced an online resource which will assist LHDs in constructing their own, localised models of care. eHealth, which coordinates information communication technology for the state’s healthcare, aims to invest in integrating and improving information systems. These initiatives should help to address many of the issues now inhibiting integrated service delivery, reporting on activity and outcomes, and planning for the future.

1. By July 2018, NSW Health should develop an integrated palliative and end-of-life care policy framework that:

  • clearly articulates the interface between palliative and end of life care and outlines the priorities for the respective areas
  • defines policy goals and objectives, and a performance and evaluation framework for palliative care service planning and delivery
  • informs a related workforce plan which supports the policy framework and is linked to the Health Professional Workforce Plan 2012–2022
  • reviews the funding allocation model to ensure future enhancement funds are distributed equitably and transparently based on the need and population of districts.

By December 2018, NSW Health should:

2. assess how the functionality provided in data collection programs such as the Palliative Care Outcomes Collaboration program can be provided across all palliative care services in NSW

3. complete its statewide review of systems and reporting for end of life management including specialist palliative care, and develop a business case to implement a more integrated set of solutions to:

  • support providers delivering end of life and palliative care
  • help monitor service quality and quantity
  • provide comprehensive data for service planning

4. improve stakeholder engagement by:

  • developing a statewide stakeholder engagement strategy that brings together current activity and good practice, and is transparent and publicly available
  • defining accountability for overseeing and implementing the strategy at state and district levels.

1. Performance monitoring is inadequate

NSW Government policy on palliative care is outlined in the NSW Government Plan to Increase Access to Palliative Care 2012–2016 (the Plan). Under the Plan, the overarching policy is ‘to ensure that everyone has access to quality palliative care regardless of their economic or social circumstances, their geographical location or their medical condition.’ Some initiatives under the Plan are still being implemented.

NSW Health only has measures in place to assess some processes and activities for individual initiatives under the Plan. There is no tracking of outcomes relating to the policy goals set out in the Plan, such as increased choice to die at home or the location of the patient’s choice, and improved access to specialist palliative care services. NSW Health has not conducted an overall assessment of the Plan’s outcomes to guide future priorities.

Further, there is no overall performance and reporting framework for palliative and end of life care, meaning there is no monitoring of performance of palliative care services for NSW as a whole. This lack of evaluation and performance measurement impacts on NSW Health's ability to monitor progress and achievements, address gaps in service, and plan for future service enhancement. 

2. Statewide planning and evaluation lacks coordination

Currently, palliative care services are complex to plan and evaluate. Many policies, strategies, guidelines, directives and data collections currently inform services. Even definitions of services vary. The split of policy functions for palliative care and end-of-life care between different branches within NSW Health adds further complexity. These arrangements create the risk of confusion, gaps in advice and support for LHDs.

Consistency is needed in the use of terminology and planning to achieve an integrated approach at all levels, including:

  • standard definitions of palliative care and end-of-life care
  • planning within a single structured policy framework to help clarify what services are to be delivered, who is accountable for delivering them and how to measure their outcomes.

Workforce planning is also affected. While NSW Health has identified significant gaps in the specialist palliative care workforce (especially in regional and remote areas) and it previously made workforce capacity one of its priorities, limited work has been undertaken in producing a statewide strategy to reduce these gaps.

3. District planning is not systematic and some external providers are poorly managed

An integrated approach would inform district-level service planning for palliative care. Planning in the districts we visited was sometimes ad hoc and accountability for performance unclear. Districts would benefit from:

  • better integrating data collection systems with planning
  • clearer guidelines, easy-to-use tools, monitoring and accountability systems.

The recently developed guide – A Blueprint for Improvement, from the Agency for Clinical Innovation – should help districts plan more effectively and consistently as it rolls out more widely in 2017. This takes an integrated approach to palliative and end-of-life care. Only one district we visited has finalised a comprehensive plan using the Blueprint.

Issues with district planning extend to external agreements with service providers, as these are sometimes poorly managed and do not support improved patient outcomes. Examples we reviewed showed a significant reporting burden with process-focused reporting. We also found little evidence of monitoring or action as a result of these reports.

4. Diverse information systems mean data collection and use are inconsistent

NSW Health gathers a broad range of data from many collection points and systems to inform palliative care services at hospital, ward or unit level, and community teams. However, the current data is limited because: 

  • activity is under-reported, particularly in community-based services
  • collection is not universal across districts and services.

Districts also struggle with evidence-based planning and service delivery because multiple information systems mean data may be incomplete or inaccurate. Too often, clinicians and service managers rely on manual collection and paper-based systems. 

eHealth, which coordinates information communication technology (ICT) for the state’s healthcare, is planning a statewide approach to capture information and report on all palliative care activity. The current plans of eHealth to review and improve systems should make data more complete, robust and accessible for quality improvement and planning.

5. An overarching stakeholder strategy would strengthen engagement

Just as data is central to effective planning and evaluation, so too is stakeholder engagement. However, there is currently no explicit stakeholder strategy, which means consultation is inconsistent across the state and not systematic at a district level.

While NSW Health uses a range of platforms to consult, the purpose and value are often not clear to stakeholders. Individual districts have some good practices, but there are limited mechanisms to identify and share these with other areas. A statewide strategy would improve the quality and consistency of engagement, which will in turn inform service planning and delivery.

A stakeholder engagement strategy would integrate current initiatives, such as the two major networks that consult with health planning staff and clinicians. But it will also need to extend the feedback gathered from families, carers and volunteers, and from the peak bodies that represent them.