Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Customer Service 2023

Finance
Asset valuation
Compliance
Financial reporting
Information technology
Internal controls and governance
Management and administration
Regulation
Risk
Service delivery
Shared services and collaboration

What this report is about

Result of the Customer Service portfolio agencies' financial statement audits for the year ended 30 June 2023.

What we found

Unmodified audit opinions were issued for all completed 30 June 2023 financial statements audits of Customer Service portfolio agencies. Two audits are ongoing.

What the key issues were

The total number of misstatements in the financial statements and findings reported to management decreased compared to the prior year.

For the first time since its establishment in 2015, GovConnect NSW received unqualified audit opinions for business process internal controls and information technology general controls managed by service providers.

The department controls Finance Co Trust (Fin Co), a special purpose trust created as part of its project to replace flammable cladding for eligible residential apartment buildings. Fin Co did not prepare financial statements which is a breach of the Government Sector Finance Act 2018 (GSF Act).

The department's land titling database was overstated by $42.5 million due to errors in the valuation model.

The New South Wales Government Telecommunications Authority corrected a prior period error of $10.2 million overstatement of property, plant and equipment.

A high-risk finding was reported to Service NSW regarding gaps in policies, systems and processes for administering and financial reporting on grant programs.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Customer Service portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service portfolio of agencies (the portfolio) for 2023.

Section highlights

  • Unqualified audit opinions were issued on all completed 30 June 2023 financial statements audits of the portfolio agencies. Two audits are ongoing.
  • The total number of errors (including corrected and uncorrected) in the financial statements decreased compared to the prior year.
  • Financial statements were not prepared for Finance Co Trust (Fin Co), a special purpose trust created by the department as part of its project to replace flammable cladding for eligible residential apartment buildings. This is a breach of the Government Sector Finance Act 2018 (GSF Act).
  • The department overstated the value of its land titling database, a service concession asset by $42.5 million. This was due to errors in the valuation data and calculation errors in the valuation model.
  • Service NSW’s late resolution of the accounting assessment of grant programs funding resulted in delays to financial reporting and audit.
  • The New South Wales Government Telecommunications Authority (the authority) corrected a prior period error retrospectively to write off assets that could not be physically verified. 

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service portfolio.

Section highlights

  • The 2022–23 audits identified one high risk and 26 moderate risk issues across the portfolio.
  • The high-risk matter was related to Service NSW’s revenue assessment of its grant programs.
  • The total number of findings decreased from 64 to 41, which mainly related to deficiencies in financial reporting, information technology, payroll and purchasing controls.
  • Fifty-one per cent of the issues were repeat issues. Many repeat issues related to weakness in information technology (IT) controls around access to systems and data and disaster recovery testing.
  • For the first time since its establishment in 2015, GovConnect NSW received unqualified audit opinions for business processes internal controls and information technology general controls managed by service providers. 

Appendix one – Misstatements in financial statements submitted for audit 

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Natural disasters

Community Services
Environment
Finance
Local Government
Planning
Transport
Treasury
Whole of Government
Asset valuation
Compliance
Financial reporting
Infrastructure
Regulation
Risk
Service delivery

What this report is about

This report draws together the financial impact of natural disasters on agencies integral to the response and impact of natural disasters during 2021–22.

What we found

Over the 2021–22 financial year $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters.

Total expenses were less than the budget due to underspend in the following areas:

  • clean-up assistance, including council grants
  • anticipated temporary accommodation support
  • payments relating to the Northern Rivers Business Support scheme for small businesses.

Natural disaster events damaged council assets such as roads, bridges, waste collection centres and other facilities used to provide essential services. Additional staff, contractors and experts were engaged to restore and repair damaged assets and minimise disruption to service delivery.

At 30 June 2022, the estimated damage to council infrastructure assets totalled $349 million.

Over the first half of the 2022–23 financial year, councils experienced further damage to infrastructure assets due to natural disasters. NSW Government spending on natural disasters continued with a further $1.1 billion spent over this period.

Thirty-six councils did not identify climate change or natural disaster as a strategic risk despite 22 of these having at least one natural disaster during 2021–22.

Section highlights

  • $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters during 2021–22.
  • Budget underspent for temporary housing and small business support as lower than expected need.

Section highlights

  • 83 local council areas were impacted by natural disasters during 2021–22, with 58 being impacted by more than one type of natural disaster.
  • $349 million damage to council infrastructure assets at 30 June 2022.

 

Published

Universities 2022

Universities
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Service delivery

What this report is about

Results of the financial statement audits of the public universities in NSW for the year ended 31 December 2022.

What we found

Unmodified audit opinions were issued for all ten universities.

Nine universities reported net deficits in 2022, and all showed a decline from their 2021 results.

Results were impacted by a decline in investment income and government grants.

Wage remediation provisions across the universities increased by 116% to $110 million at 31 December 2022.

Expenditure increased as universities transitioned back to face-to-face teaching with the lifting of most COVID-19 restrictions.

Revenue from overseas students decreased by 0.5% overall in 2022, although not all universities were impacted equally.

Nearly 42% of fees and charges revenue came from overseas student revenue from three countries of origin (43% in 2021).

What the key issues were

We reported 88 findings to universities on internal control deficiencies (105 in 2021).

Six high risk findings were identified (four in 2021), relating to:

  • IT control deficiencies in monitoring privileged user access
  • password configuration
  • cyber security process improvements
  • lack of security over access to EFT payment files
  • the status of a university's work in assessing its liability for underpayment of staff
  • inadequate review of contracts leading to incorrect accounting treatments.

Two out of 13 entities reported financial losses from cyber incidents in 2022.

Retention policies on personally identifiable information (PII) vary and universities can further reduce their PII exposure risk from cyber attack.

What we recommended

Universities should:

  • conduct a comprehensive assessment of their employment agreements and historical pay practices to identify potential underpayments
  • prioritise actions to address repeat findings on internal control deficiencies in a timely manner
  • review their PII retention policies to ensure PII stored is limited to the entity's needs, held only for the minimum duration it is legally and operationally required, and access is strictly limited.

This report provides Parliament with the results of our financial audits of universities in New South Wales and their controlled entities in 2022, including our analysis, observations and recommendations in the following areas:

  • financial reporting
  • internal controls and governance
  • teaching and research.

Financial reporting is an important element of good governance. Confidence and transparency in university sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of universities in NSW for 2022.

Section highlights

  • The 2022 financial statements of all ten universities received unmodified audit opinions.
  • Wage remediation provisions across the NSW universities increased by 116% to $110 million at 31 December 2022.
  • Nine universities reported net deficits in 2022, and all showed a decline from 2021 results.
  • Revenue from overseas students decreased by 0.5% in 2022, as overseas student enrolments decreased by 1.2%. Almost 42% of universities' fees and charges revenue in 2022 came from overseas students from three countries (down from 43% in 2021).
  • Revenue from domestic students decreased by 0.7% in 2022, as domestic student enrolments decreased by 5.3%.
  • Combined expenditure for universities increased by 6.6% to $11.2 billion in 2022. Most of this was attributed to employee related expenses, which increased by 4.9%. 

Appropriate financial controls help to ensure the efficient and effective use of resources and administration of policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of NSW universities.

Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These, along with the less significant matters, are reported to universities for management to address.

Section highlights

  • The 2022 audits identified six high risk and 36 moderate risk issues across NSW universities. Sixteen of the moderate risk issues were repeat issues. Many repeat issues related to information technology controls around user access management.
  • The number of repeat deficiencies has decreased with 41 reported in 2022 compared to 45 in 2021.
  • Two out of 13 entities reported financial losses from cyber incidents during 2022.
  • Retention policies on personally identifiable information (PII) vary across entities and opportunities exist for entities to further limit their PII exposure risk from cyber attack.

Universities' primary objectives are teaching and research. They invest most of their resources aiming to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.

This chapter outlines teaching and research outcomes for universities in NSW for 2022.

Section highlights

  • Seven universities were reported as having full-time employment rates of their domestic undergraduates in 2022 that were greater than the national average.
  • Enrolments at NSW universities decreased the most in Science related courses in 2022. The largest increase in enrolments was in Health courses.
  • On average, universities delivered 21% of their courses primarily through online means in 2022, a decrease from 59% in 2021.
  • Five universities in 2021 were reported as meeting the target enrolment rate for students from low socio-economic status (SES) backgrounds.
  • Seven universities reported increased enrolments of Aboriginal and Torres Strait Islander students in 2021.

Appendix one – List of 2022 recommendations

Appendix two – Status of 2021 recommendations

Appendix three – Universities' controlled entities 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Government advertising 2021–22

Finance
Education
Whole of Government
Compliance
Management and administration
Procurement

What the report is about

The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit on government advertising activities each financial year.

This audit examined whether TAFE NSW's annual advertising campaign in 2021–22:

  1. was carried out effectively, economically, and efficiently
  2. complied with regulatory requirements and the Government Advertising Guidelines.

What we found

TAFE NSW complied with Section 6 of the Act, prohibiting political content.

It also complied with most other advertising requirements.
 
An important exception was that the Managing Director certified that the campaign complied with regulatory requirements and was an efficient and cost-effective means of achieving its public purpose, before a cost-benefit analysis (CBA) was completed.

We have found issues with agencies complying with CBA requirements in previous government advertising audits. This includes the failure to complete them before signing compliance certificates.

The policy owner, the Department of Customer Service (DCS), does not consider oversight of CBAs to be within the scope of their peer review process.  

TAFE NSW evaluated this advertising campaign by surveying a population significantly broader than the target audience. As such, survey results may not accurately reflect the views of the intended audience.

What we recommended

By 30 June 2023, TAFE NSW should:

  1. implement processes that ensure:
    1. CBAs are completed before the launch of campaigns over $1 million
    2. compliance certificates are completed only after all regulatory requirements are met
  2. consider adding to its current evaluation methods by surveying a population which closely reflects the age profile of its intended target audience.

By June 2023, DCS should:

  1. improve whole‑of‑government reporting and monitoring processes to provide the NSW Government with a central view of compliance, including the completion of CBAs by agencies.

The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements include an explicit prohibition on political advertising, as well as a need to complete a peer review and cost-benefit analysis before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and Government Advertising Guidelines (the Guidelines) address further matters of detail.

The Act also requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner. It also assesses compliance with the Act, the Regulation, other laws and the Guidelines.

This audit examined TAFE NSW's advertising campaign for the 2021–22 financial year. TAFE NSW is the NSW Government's public provider of vocational education and training. TAFE NSW carries out an advertising campaign every year. In 2021–22, it spent $15.16 million on developing and implementing advertising. TAFE NSW used channels such as television, radio, internet and social media, press, and out of home advertising in public settings such as bus stops. The advertising aimed to increase the percentage of people considering TAFE NSW for training or education, grow the percentage of people who consider TAFE NSW to be the preferred education provider in NSW, and maintain the proportion of people who are aware of TAFE NSW more generally.

There are a range of private service providers helping to deliver vocational education and training in NSW.

Conclusion

TAFE NSW’s advertising campaign for 2021–22 was for an allowed purpose under the Act and did not include political advertising. TAFE NSW complied with most of the requirements set out in the Act, the Regulation, and the Guidelines, but it failed to complete a cost-benefit analysis for the campaign or provide sufficient support for the compliance certificate signed by TAFE NSW's Managing Director.

TAFE NSW complied with the requirement to complete a peer review of its campaign, but it did not meet the requirement to complete a cost-benefit analysis, either before it launched the campaign or during its implementation throughout 2021–22. Some of TAFE NSW's advertising did not meet the requirement for statements to be clearly supported by evidence.

The Act requires the head of an agency to sign a compliance certificate stating that, among other things, the campaign complies with the Act, the Regulation, and the Guidelines, and that the campaign is an efficient and cost-effective means of achieving the public purpose. TAFE NSW's Managing Director signed a compliance certificate in May 2021. However, TAFE NSW had not prepared a cost-benefit analysis as required under the Act and therefore TAFE NSW's Managing Director could not validly sign the compliance certificate. TAFE NSW did not subsequently complete a cost-benefit analysis during the campaign.

The campaign achieved many of its objectives and other performance measures and is likely to have been impactful. It is also likely that TAFE NSW’s advertising campaign in 2021–22 represented economical, efficient, and effective spend. However, the lack of a cost-benefit analysis meant that this could not be confidently demonstrated by TAFE NSW.

TAFE NSW used internal resources to create its advertising content, such as videos, radio scripts and press advertising, and relied upon a specialist partner to arrange and place its media in the appropriate advertising channel. TAFE NSW also adjusted the advertising campaign in response to performance data and in response to changes in the educational and advertising marketplaces.

TAFE NSW evaluated the impact of its advertising and tracked its brand performance using a survey which reflected the New South Wales general population aged between 16 and 60. However, this evaluation did not match TAFE NSW's advertising spend as TAFE NSW directed significantly more of its campaign budget to influencing younger people in this cohort.

This part of the report sets out key aspects of TAFE NSW's compliance with the government advertising regulatory framework. It considers whether TAFE NSW complied with the:

  • Government Advertising Act 2011
  • Government Advertising Regulation 2018
  • NSW Government Advertising Guidelines 2012 and other relevant policy.

This part of the report considers whether TAFE NSW's advertising program for 2021–22 was carried out in an effective, efficient, and economical manner.

Appendix one – Responses from agencies

Appendix two – About the campaign

Appendix three – About the audit

Appendix four – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #377 - released 28 February 2023

Published

Cyber Security NSW: governance, roles, and responsibilities

Local Government
Whole of Government
Finance
Cyber security
Information technology
Internal controls and governance
Management and administration

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

  • Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
  • Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

  1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
  2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
  3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
  4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

  1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
  2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Conclusion

Cyber Security NSW has a clear purpose that is aligned with wider government policy and objectives, but it cannot effectively demonstrate its progress toward improving cyber resilience

Cyber Security NSW's high-level purpose is to support the NSW Government’s delivery of digitised services that are protected, connected, and trusted. This purpose is consistent with broader NSW Government and Australian Government policy and builds on the purpose of the previous NSW Office of the Government Chief Information Security Officer, which was itself informed by external research and previous Audit Office of New South Wales recommendations.

In delivering its purpose, Cyber Security NSW provides a wide range of services to NSW government agencies and the local government sector. The majority of agencies and councils consulted during this audit reported that the services they received contributed to improving their individual cyber security.

However, Cyber Security NSW does not clearly and consistently communicate its key objectives to ensure that its efforts are effectively and efficiently targeted, prioritised, planned, and reported. This is despite it receiving enhanced funding to expand the scope of services it provides. It currently has many sets of objectives across a range of sources, including the Cyber Security Strategy, business plans, corporate material, and public communications. It has too few reliable and meaningful ways of measuring progress toward its objectives, and no overall workplan or roadmap to show how the objectives will be achieved.

Without a clear and consistent program logic, it is difficult to determine whether the functions and services delivered by Cyber Security NSW are helping to achieve the level of cyber resilience required to meet the increasing cyber threats faced by the NSW public sector.

Cyber Security NSW does not provide assurance of the cyber security maturity self-assessments performed by individual NSW Government agencies

The NSW Government has a devolved model for cyber security assurance. Cyber Security NSW administers the whole-of-government policy settings, and agency heads are responsible for ensuring compliance with policy requirements.

Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments. It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported.

This form of auditing would be an important assurance that self-assessment and reporting is reliable. This is important given that maturity reporting is the main source of knowledge about the cyber security maturity and resilience of NSW Government agencies to cyber threats. If these self-assessments are unreliable, then it creates the risk that knowledge of the potential resilience of the NSW public sector to cyber security incidents is similarly unreliable. There is no other body in NSW with the mandate to routinely provide this form of assurance.

Cyber Security NSW has a remit to assist local government improve cyber resilience, however it cannot mandate action, and does not have a strategic approach guiding its efforts

Consistent with the expectations that accompanied its 2020 funding enhancement, Cyber Security NSW has engaged with the local government sector, albeit with mixed results. While these mixed results are partly a consequence of it not being provided a formal mandate in the sector, it has also been impacted by the fact that Cyber Security NSW has not established an engagement plan or strategy to guide its engagement with the local government sector.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

  • lead
  • prepare
  • prevent
  • detect 
  • respond 
  • recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

  • increase NSW Government cyber resiliency
  • help NSW cyber security businesses grow
  • enhance cyber security skills and workforce 
  • support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

  • annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
  • that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

  • may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
  • will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

  • there was a sound, evidence-based rationale for why Cyber Security NSW was established
  • the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
  •  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #374 - released 8 February 2023

Published

Design and implementation of the Transport Asset Holding Entity

Transport
Treasury
Asset valuation
Financial reporting
Infrastructure
Procurement
Risk
Service delivery

What the report is about

The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.

Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.

What we found

The design and implementation of TAHE, which spanned seven years, was not effective.

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

What we recommended

We recommended that the audited agencies should:

  • improve accountability and transparency for major new fiscal transformation initiatives
  • ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
  • review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
  • review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.

The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.

TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.

Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).

TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.

TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.

TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.

About this audit

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether: 

  • the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
  • agencies' roles and responsibilities were clear in the planning of TAHE
  • agencies effectively identified and managed certain risks.

Conclusion

The design and implementation of TAHE was not effective. The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments to sustain TAHE through continuing investment, and funding of the state owned rail operators. The ineffective process to design TAHE delivered a model that entails significant uncertainty as to whether the anticipated longer-term financial improvements to the Budget position can be achieved or sustained.

NSW Treasury and TfNSW had different objectives for TAHE

Up to June 2013, RailCorp had been the owner and operator of rail services and maintainer of the metropolitan rail network for almost a decade. It had been operating as a not-for-profit Public Non-Financial Corporation (PNFC).

In 2012, NSW Treasury (hereafter Treasury) decided there was a risk that the Australian Bureau of Statistics (ABS) would reclassify RailCorp to the General Government Sector (GGS), meaning depreciation expenses of approximately $870 million would be reflected in the GGS Budget. Treasury wanted to avoid this impact on the GGS Budget, and considered the establishment of a transport asset holding entity as a means to do so. Capital grants to RailCorp were being treated as an expense to the GGS Budget.

TfNSW also wanted an asset holding entity – but one that would be a non-trading ‘shell’ company with no staff that would hold and manage all public transport assets. TfNSW's concept envisaged the entity would have a structure that would enable future public transport reforms and strategic directions while ensuring vertical integration of operations between asset owners and the rail operators to maintain rail safety.

However, Treasury pursued its objective to improve the GGS Budget result, and sought to expand on TfNSW's 'shell' asset holding entity concept. Treasury wanted an entity that could generate a return on investment, as this meant that government investment in transport assets could be treated as equity investments, rather than a Budget expense, and in turn improve the GGS Budget position. As an example of the potential impact of creating this new entity, capital grants of $2.3 billion were paid to RailCorp in 2013–14. If Treasury's objective was met, grants of this significance would then be treated as an equity investment, rather than an expense in the GGS Budget.

In 2017, Treasury's preferred option was progressed through legislation, but both agencies' central objectives for the proposed asset holding entity would continue to prove difficult to reconcile. To achieve Treasury's objective to improve the Budget result, the entity would need to generate a return on investment (this is further discussed below). However, TfNSW expressed concerns that the prioritisation of rail safety, and the effective management of governance, regulation and operations would be more complex in an entity with commercial imperatives.

Asset holding entities are a common approach to the management of transport assets in Australia and internationally, and there are a range of approaches to how they are structured and used. Such structures should be driven by the goal of improved asset management. Ultimately, TfNSW's objectives could have been delivered through a simpler entity structure. However, reconciling TfNSW's objectives with Treasury's imperative to deliver and justify a Budget improvement in the short-term resulted in an overly lengthy process and an unnecessarily complex outcome that places an obligation on future governments to sustain. There is still significant uncertainty as to whether the short-term improvements to the Budget can continue to be realised in the longer-term.

The Budget benefits of TAHE were claimed before the entity was legislated, committing the agencies to deliver, regardless of the complexities that subsequently arose

The 2015–16 GGS Budget treated the government's investment in TAHE (still known at this time as RailCorp) as an equity contribution. This had the immediate impact of improving the Budget result by $1.8 billion per annum. However, the legislation to enable the establishment of TAHE had not yet been passed by Parliament, key elements of the operating model were still under development, and imminent changes in accounting standards had the potential to impact TAHE's financial model. The decision to book the benefits in the Budget early committed the involved agencies to implement a solution that justified the 2015–16 Budget impacts, irrespective of the challenges that arose. 

TAHE's financial structure requires circular government investment to work

For the NSW Government to continue to treat its investment in TAHE as an equity contribution, rather than an expense to the Budget, there must be a reasonable expectation that TAHE will generate a sufficient rate of return as required by the Government Finance Statistics (GFS) framework. In doing so, it needs to recover a revaluation loss created by a $20.3 billion reduction in the value of its assets which was incurred in its first full year of operation. This loss occurred as a result of a revaluation of TAHE's assets when RailCorp (a not-for profit entity) became TAHE (a for-profit commercial entity) – and is discussed further in the 'Key findings' below.

TAHE generates a small portion of its income from transactions with the private sector but, as noted in our report 'State Finances 2021', TAHE receives the majority of its revenue (more than 80%) from access and licence fee agreements with Sydney Trains and NSW Trains. Both of these entities are funded by grants (a Budget expense) to TfNSW from the GGS Budget.

Based on Treasury’s correspondence with the ABS in 2015, TAHE was initially expected to pay a return on equity of 7% in 2016–17. The assumption of a 7% return persisted through to 2018, after the legislation enabling the establishment of TAHE was passed by Parliament. However, when the initial access and licence fees were agreed on 1 July 2020, this figure had been revised to an expected rate of return of 1.5% excluding the revaluation loss. This was below the long-term inflation target and did not include the recovery of the revaluation loss – risking the government's ability to treat its investment in TAHE as an equity contribution. Importantly, as TAHE is primarily reliant on fees paid by the state owned rail operators that, in turn, are funded by the GGS Budget (as an expense), the decision to change the returns model from 7% to 1.5% would in its own right have had a positive impact on the GGS Budget. However, the decision to use a 1.5% return would ultimately be problematic as it made it difficult to treat the government's contributions to TAHE as an equity investment, as discussed below.

On 14 December 2021, to avoid a qualified audit opinion, the NSW Government made the decision to increase TAHE's expected rate of return to 2.5%, equal to the Reserve Bank’s long-term inflation target.

In 2021-22, TAHE needed to start charging rail operators higher access and licence fees in order to generate a return of 2.5%, so as to support the government's treatment of its investment in TAHE as an equity contribution in the GGS Budget. This meant the government needed to provide additional grant (expense) funding to the state owned rail operators so they could pay the increased access and licence fees to TAHE. Based on current projections, TAHE is not expected to recover the revaluation loss until 2046.

There remains a risk that TAHE will not be able to generate a sufficient return on the NSW Government's investment without relying on increased funding to state owned rail operators so that they can in turn pay the higher access and licence fees. TAHE's ability to generate returns on government investment from other sources are uncertain and may not be achievable or sustainable. Current modelling highlights that TAHE remains largely reliant, through to 2046, on increasing fees (which are assumed to increase at 2.5% per annum from 2031 onwards when the current 10 year contracts with rail operators expire) paid by the state owned rail operators that remain principally reliant on GGS Budget grants.

The process of designing and implementing TAHE was not transparent to independent scrutiny

Our report 'State Finances 2021' commented that Treasury did not always provide this Office with information relating to TAHE on a timely basis. Similarly, during this performance audit, there were also multiple instances where auditees were unable to provide documentation regarding key activities in the process to deliver TAHE. Agencies also applied higher sensitivity classifications to large tranches of documents than was justified or required by policy. Of particular concern is the incorrect classification of documents as Cabinet sensitive information. The incorrect or over-classification of documentation as Cabinet sensitive delayed this Office's ability to provide scrutiny or independent assurance.

There was a lack of clarity around the roles and responsibilities of governance structures set up to oversee the design and implementation of TAHE

From 2014, multiple workstreams and advisory committees were established to progress the design and implementation of TAHE. For some of these committees and workstreams, there is limited information on what they were tasked to do and what they achieved. Most had ceased meeting by 2018, before significant work needed to deliver TAHE was completed.

The lack of clarity around the roles and responsibilities of these governance structures reduced opportunities for TfNSW and Treasury to reconcile their differing objectives for TAHE, and resolve key questions earlier in the process.

There was a heavy reliance on consulting firms throughout the process to establish TAHE, and the management of consultant engagements failed to ensure that agencies received independent advice to support objective decision-making

In 2020, Treasury and TfNSW failed to prevent, identify, or adequately manage a conflict of interest when they engaged the same 'Big 4' consulting firm to work on separate TAHE-related projects. Both agencies used the firm's work to further their respective views with regard to the financial implications of TAHE's operating model. At this time those views were still unreconciled.

Treasury engaged the firm to provide a fiscal risk management strategy and advice on the impact of changes to accounting standards. TfNSW engaged the same firm to develop operating and financial models for TAHE, which raised concerns regarding the viability of TAHE. Disputes arose around the findings of these reports. Treasury disagreed with some of the outcomes of the work commissioned by TfNSW, relating to accounting treatment and fiscal advice.

The management of this conflict (real or perceived) was left to the 'Big 4' consulting firm when it was more appropriate for it to be managed by Treasury and TfNSW. If these agencies had communicated more effectively, used available governance structures consistently, and shared information openly about their use of the firm and the nature of their respective engagements, these disputes might have been avoided. This issue, coupled with deficiencies in procurement by both agencies, reflected and further perpetuated the lack of cohesion in the design and implementation of TAHE.

More broadly, over the period 2014 – 2021, 16 separate consulting firms were employed to work on 36 contracts, valued at over $22.56 million, relating to TAHE ranging from accounting and legal advice, project management, and the provision of administrative support and secretariat services.

Consultants are legitimately used by agencies to provide advice on how to achieve the outcomes determined by government, including advising agencies on the risks and challenges in achieving those outcomes. Similarly, consultants can provide expert knowledge in the service of achieving those outcomes and managing the risks. However, the heavy reliance on consulting firms during the design and implementation of TAHE heightened the risk that agencies were not receiving value for money, were outsourcing tasks that should be performed by the public service, and did not mitigate the risk that the advice received was not objective and impartial. The risk that the role of consultants could have been blurred between providing independent advice to government on options and facilitating a pre-determined outcome was not effectively treated or mitigated. This risk was amplified because a small number of firms were used repeatedly to provide advice on one topic. The effective procurement and management of consultants is an obligation of government agencies.

Appendix one – Responses from audited agencies, and Audit Office clarification of matters raised in the TAHE formal response 

Appendix two – Classification of government entities 

Appendix three – About the audit 

Appendix four – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #372 - released 24 January 2023

 

Published

Transport and Infrastructure 2022

Transport
Asset valuation
Financial reporting
Information technology
Infrastructure
Management and administration
Procurement

What the report is about

Result of the Transport and Infrastructure cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for all Transport and Infrastructure cluster agencies' financial statements.

An 'other matter' paragraph was included in TAHE's Independent Auditor's Report for its 30 June 2022 financial statements which draws attention to Transport and Asset Holding Entity's (TAHE) reliance on government-funded customers.

We included an ‘emphasis of matter’ paragraph in the Independent Auditor’s Report for State Transit Authority of New South Wales’ (the authority) 30 June 2022 financial statements, which draws attention to the financial statements being prepared on a liquidation basis as the authority’s principal activities ceased operations on 3 April 2022.

What the key issues were

The 2021–22 audits identified five high-risk findings:

  • detailed business modelling to support returns from TAHE
  • valuation of assets at TAHE
  • control of assets at TAHE
  • accounting and valuation of tree assets at Centennial Park and Moore Park Trust and Parramatta Park Trust.

Access and licence fees - TAHE

Revised commercial agreements were signed between TAHE, the operators and Transport for NSW on 23 June 2022 to reflect increased access and licence fees detailed in the 18 December 2021 Heads of Agreement.

TAHE’s ability to generate the expected return of 2.5% based on the current modelling is heavily reliant on the government funding the public rail operators (TAHE's customers).

There are risks that:

  • TAHE will not be able to recontract for access and licence fees at a level that is consistent with current projections
  • future governments' funding to TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections
  • TAHE will be unable to grow its non-government revenues.

Valuation of assets - TAHE

Although TAHE's selected valuation of assets falls within an acceptable range, there remains a significant gap between what has been assessed as an acceptable range and TAHE's range.

What we recommended

Control of assets - TAHE

While we accepted TAHE’s position on control for the current year, NSW Treasury and TAHE should continue to monitor the risk that control of TAHE assets could change in future reporting periods. TAHE must continue to demonstrate control of its assets or the current accounting presentation would need to be reconsidered.

This report provides Parliament and other users of the Transport and Infrastructure cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport and Infrastructure cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued on all Transport and Infrastructure cluster agencies' financial statements.
  • An 'Other Matter' paragraph was included in the Transport Asset Holding Entity of New South Wales' (TAHE) Independent Auditor's Report to draw attention to TAHE's reliance on government-funded customers.
  •  An 'Emphasis of Matter' paragraph was included in the State Transit Authority of New South Wales' (the authority) Independent Auditor's Report to draw attention to management’s disclosures that State Transit Authority of New South Wales' financial statements for the year ended 30 June 2022 were prepared on a liquidation basis as the authority’s principal activities ceased operations on 3 April 2022.
  • While TAHE's valuation of assets at 30 June 2022 was within an acceptable range of valuation outcomes, there remained significant differences in assumptions used when compared with relevant market benchmarks.
  • Sydney Metro corrected two prior period errors of $1.5 billion and $51 million in accounting and valuation of assets, and double counting of assets capitalised in infrastructure as well as assets under construction respectively.

 

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Section highlights

  • The number of findings reported to management decreased from 87 in 2020–21 to 59 in 2021–22.
  • Repeat findings accounted for 54.2% of management letter points. Many repeat findings related to controls over payroll, including management of annual leave and processing of timesheets, management of conflicts of interests, weaknesses in controls over information technology user access administration and password management.
  • One new high-risk issue was identified in 2020–21, and four high-risk repeat issues remained.
  • The five high-risk issues arose from the audit in the cluster, with respect to:
    • control over TAHE assets and operations (repeat)
    • TAHE detailed business modelling to support returns (repeat)
    • valuation of trees (repeat for Parramatta Park Trust and Centennial Park and Moore Park Trust)
    • TAHE asset valuations.

 

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Enterprise, Investment and Trade 2022

Finance
Asset valuation
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Management and administration
Procurement
Regulation
Risk

What the report is about

Result of the Enterprise, Investment and Trade cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

The Machinery of Government changes within the Enterprise, Investment and Trade cluster resulted in the creation of the Department of Enterprise, Investment and Trade and the transfer of $1.0 billion of net assets into the new department.

Unmodified audit opinions were issued for all completed cluster agencies' 2021–22 financial statements audits. Two audits are ongoing.

An 'Other Matter' paragraph was included in the audit opinion for the Jobs for NSW Fund's 30 June 2021 financial report to reflect the non-compliance with the Jobs for NSW Act 2015 (the Act) and Government Sector Finance Act 2018. The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Department of Premier and Cabinet, and five ministerial appointments. The board has consisted of two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.

Three cluster agencies accepted changes to their office leasing arrangements managed by Property NSW. This has resulted in the collective derecognition of $24.8 million of right-of-use assets and $26.7 million in lease liabilities, and recognition of $1.9 million of other gains.

What the key issues were

The number of issues we reported to management decreased from 108 in 2020–21 to 103 in 2021–22. Thirty per cent of issues were repeated from the prior year.

Six high-risk issues were identified across the cluster related to the quality and timeliness of financial reporting, governance processes and internal controls.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Enterprise, Investment and Trade cluster's financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Enterprise, Investment and Trade cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued for all completed cluster agencies 2021–22 financial statements audits. The Jobs for NSW Fund and Responsible Gambling Fund audits are ongoing.
  • An 'Emphasis of Matter' paragraph was included in the Australian Institute of Asian Culture and Visual Arts Limited's 30 June 2022 financial statements to draw attention to management’s disclosures that the entity's financial statements for the year ended 30 June 2022 were prepared on a non-going concern basis following cessation of its operations and resolution by the directors in October 2021 to deregister the entity.
  • An 'Other Matter' paragraph was included in the Jobs for NSW Fund's 30 June 2021 financial report to reflect the non-compliance with the Jobs for NSW Act 2015 and Government Sector Finance Act 2018.
    The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Department of Premier and Cabinet (or their nominees) and five ministerial appointments, one of whom is to be appointed as Chair of the board. The board has consisted of the two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.
  • An 'Emphasis of Matter' paragraph was included in the Jobs for NSW Fund's 30 June 2021 financial report to draw attention to the financial report being prepared for the purpose of fulfilling the Jobs for NSW Fund's financial reporting responsibilities as requested by the Treasurer's delegate.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Enterprise, Investment and Trade cluster.

Section highlights

  • In 2021–22, there were 103 findings raised across the cluster, a decrease from 2020–21.
  • In total, six high-risk findings were identified during 2021–22. Two related to 2021–22 whilst four were related to the audit of Jobs for NSW Fund's 30 June 2021 financial report.
  • Thirty per cent of all findings during 2021–22 were repeat issues. The most common repeat issues related to information technology controls and accounting for property plant and equipment notably fair value assessment and valuation.

Appendix one – Misstatements in financial statements submitted for audit 

Appendix two – Early close procedures 

Appendix three – Timeliness of financial reporting 

Appendix four – Financial data 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Health 2022

Health
Whole of Government
Asset valuation
Compliance
Cyber security
Financial reporting
Information technology
Infrastructure
Internal controls and governance
Management and administration
Procurement
Risk
Service delivery
Shared services and collaboration
Workforce and capability

What the report is about

Result of Health cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for the financial statements for all Health cluster agencies.

The COVID-19 pandemic continued to increase the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2021–22 was $353.3 million, of which $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests (RATs).

A qualified audit opinion was issued on the Annual Prudential Compliance Statement related to five residential aged care facilities. There were 20 instances (19 in 2020–21) of non-compliance with the prudential responsibilities within the Aged Care Act 1997.

What the key issues were

The total number of matters we reported to management across the cluster decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised, four were high risk (three in 2020-21) and 37 were moderate risk (57 in 2020–21). Nearly half of all control deficiencies reported in 2021–22 were repeat issues.

Three unresolved high-risk issues were:

  • COVID-19 inventories impairment – we continued to identify issues relating to management’s impairment model which relies on anticipated future consumption patterns. RATs had not been assessed for impairment.

  • Asset capitalisation threshold – management has not reviewed the appropriateness of the asset capitalisation threshold since 2006.

  • Forced-finalisation of HealthRoster time records – we continued to observe unapproved rosters being finalised by system administrators so payroll can be processed on time. 2.6 million time records were processed in this way in 2021–22.

What we recommended

  • COVID-19 inventories impairment – ensure consumption patterns are supported by relevant data and plans.

  • Assets capitalisation threshold – undertake further review of the appropriateness of applying a $10,000 threshold before capitalising expenditure on property, plant and equipment.

  • Forced-finalisation of HealthRoster time records – develop a methodology to quantify the potential monetary value of unapproved rosters being finalised.

This report provides Parliament and other users of Health cluster (the cluster) agencies' financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting

  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2022.

Section highlights

  • Unqualified audit opinions were issued for all cluster agencies required to prepare general purpose financial statements.

  • The total gross value of corrected monetary misstatements for 2021–22 was $353.3 million, of which, $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests.

  • A qualified audit opinion was issued on the ministry's Annual Prudential Compliance Statements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Section highlights

  • The total number of internal control deficiencies has decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised in 2021–22, four were high (2020–21: 3) and 37 were moderate (2020–21: 57); with nearly half of all control deficiencies reported in 2021–22 being repeat issues.

  • The following four issues were reported in 2021–22 as high risk:

    • impairment of COVID-19 inventories

    • inadequate review over the appropriateness of asset capitalisation threshold

    • forced-finalisation of HealthRoster time records

    • COVID-19 vaccination inventories – data quality issue at 31 March 2022.

  • Management of excessive leave balances and poor quality or lack of documentation supporting key agreements continued to be the key repeat issues observed in the 2021–22 financial reporting period.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

New South Wales COVID-19 vaccine rollout

Health
Internal controls and governance
Management and administration
Project management
Risk
Service delivery

What the report is about

The Australian Government led and implemented the Australian COVID-19 vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

This audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine roll out in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over.

What we found

On 16 October 2021, NSW Health, in partnership with the Australian Government's vaccination program, achieved its first objective to fully vaccinate 80% of people in NSW aged 16 and over. Demand for the vaccine reduced in December 2021, and NSW Health did not reach its target of 95% fully vaccinated for people aged 16 and over until June 2022.

Despite challenges such as uncertain supply and changes to clinical advice affecting vaccine eligibility, NSW Health's overall delivery of vaccination services was effective and efficient.

During the audit period, NSW Health implemented effective strategies to allocate vaccines and reduce wastage to optimise the number of vaccines available.

NSW Health implemented its own booking system after it identified that the Australian Government's system would not manage bookings. There were problems with NSW Health's interim vaccine booking system, and NSW Health fully resolved these issues by September 2021.

As at 19 October 2022, vaccination rates for Aboriginal peoples and culturally and linguistically diverse people remained below the 95% target.

What we recommended

By June 2023, NSW Health should conduct a comprehensive review of the COVID-19 vaccine rollout and incorporate lessons learned into pandemic response plans.

The first three cases of COVID-19 in New South Wales were diagnosed in January 2020. By 30 June 2021, 128 people were being treated in hospital and one person was in intensive care. By the end of December 2021, 187,504 total cases and 663 deaths were reported in New South Wales. As at 27 October 2022, NSW Health reported more than three million total cases and 5,430 deaths.

The COVID-19 pandemic continues to have a significant impact on the people and the health sector of New South Wales. The Australian, state, territory, and local governments have directed significant resources towards health responses and economic recovery.

On 13 November 2020, National Cabinet (comprised of the Australian, state, and territory governments) endorsed the Australian COVID-19 Vaccination Policy. Australia's vaccination program was launched on 21 February 2021 with the goal of providing safe and effective vaccines to the people who most needed them as quickly as possible, to support the physical, mental and economic wellbeing of the nation.

The Australian Government led and implemented the Australian vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

The overall objective of this audit was to assess the effectiveness and efficiency of NSW Health’s contribution to the Australian COVID-19 vaccine rollout. It is important to note that in New South Wales, primary care providers (GPs and pharmacies) and aged care providers administered the majority of vaccines. Primary care providers and aged care providers are the responsibility of the Australian Government.

The audit had a particular focus on whether NSW Health:

  • set clear vaccination targets underpinned and/or guided by evidence
  • managed the rollout of the vaccination program effectively and efficiently
  • managed demand of vaccines effectively and efficiently.

The audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine rollout in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over. We did not audit the subsequent rollout for ages five to 15, or the booster rollout (third and fourth doses) as these activities mostly occurred outside the date of our review.

This audit also did not assess the Australian Government’s allocation of vaccine supplies to New South Wales because we do not audit the Australian Government's activities. On 17 August 2022, the Australian National Audit Office completed a performance audit which assessed the Australian Department of Health and Aged Care's effectiveness in the planning and implementation of Australia's COVID-19 vaccine rollout.

This audit is one of a series of audits that have been completed or are in progress regarding the New South Wales COVID-19 emergency response. This includes the planned performance audit ‘Coordination of the response to COVID-19 (June to November 2021)’, and financial audit assurance activities focusing on Local Health District processes and controls to manage the receipt, distribution and inventory management of vaccine stock. The Audit Office New South Wales '2022–25 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

Conclusion

By 12 December 2021, NSW Health had administered two doses of vaccines to one third of eligible people in New South Wales aged 16 and over – contributing significantly to the achievement of the NSW Government vaccination target of 80% fully vaccinated before 31 December 2021. Despite challenges such as uncertain supply and changes to clinical advice affecting vaccine eligibility, NSW Health's overall delivery of vaccination services was effective and efficient.

NSW Health implemented its own booking system after it identified that the Australian Government's system would not manage bookings. There were problems with NSW Health's interim vaccine booking system, and NSW Health fully resolved these issues by September 2021.

Vaccination levels in some vulnerable populations remain below the 95% double dose target currently in place. Access to quality data to regularly measure vaccination rates in some vulnerable populations remains an ongoing challenge for the NSW and Australian Governments. As a result, NSW Health is unable to fully ensure it has delivered on its shared responsibility with the Australian Government to vaccinate vulnerable people.

NSW Health managed challenges regarding the uncertain supply of vaccines from the Australian Government and filled gaps beyond its agreed responsibilities in the National Partnership on COVID-19 Response. During the Delta outbreak of the pandemic, NSW Health sought to achieve the best possible public health outcome from limited vaccine supply by opening up additional vaccination clinics in highly affected areas and redistributing vaccine supplies from areas with fewer cases to highly affected local government areas in south west Sydney.

During the audit period, NSW Health implemented effective strategies to allocate vaccines and reduce wastage to optimise the number of vaccines available. Our financial audit report, 'Health 2022', includes additional information on vaccine supply stock held by NSW Health.

NSW Health demonstrated agility by using a range of strategies to promote vaccination, including direct engagement with communities to develop culturally appropriate services such as pop-up clinics. NSW Heath recruited prominent community members, such as faith leaders, elders and sportspeople, to promote vaccination within their communities. However, at the date of this report, there are still vulnerable populations with vaccination rates lower than the current 95% double dose vaccination target. There is also a lack of regularly updated data for some cohorts which prevents NSW Health from accurately monitoring vaccination rates in some populations it has identified as vulnerable.

In March 2021, NSW Health identified that the booking system provided by the Australian Government was an online directory of vaccine clinics and would not manage bookings. To overcome this, NSW Health amended an internal-use system to be publicly facing. This solution was not user-friendly for staff or those seeking to make an appointment. Between June to September 2021, NSW Health progressively resolved booking system related issues, by developing and rolling out a new purpose-built booking solution for NSW Health vaccination clinics.

Appendix one – Response from agency

Appendix two – Australian audits on the vaccine rollouts

Appendix three – Committee members 

Appendix four – About the audit 

Appendix five – Performance auditing 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #369 - released 7 December 2022

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE