This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Customer Service cluster agencies.

The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.

Seven out of eight agencies did not complete all mandatory early close procedures.

What the key issues were

Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.

The department reported several retrospective corrections of prior period errors.

The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:

• the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
• the Department of Customer Service – significant control deficiencies in information technology change management controls
• Rental Bond Board – uncertainties in the accounting treatment of rental bonds.

The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.

The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.

What we recommended

The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.

The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.

The department should continue to improve controls in cyber security management.

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.

This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.

Findings reported to management

Forty-two per cent of findings reported to management were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).

The most common repeat issues related to weaknesses in controls over information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating. 

2020–21 audits identified three high-risk findings

High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.

The number of moderate risk findings increased from prior year

Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.

Moderate risk findings include:

• weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
• accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
• formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
• use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.

The magnitude and number of internal control exceptions in GovConnect service providers have increased

In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.

The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.

The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.

The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.

In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:

• the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
• of the deviations identified during sample testing of ITGC controls
• the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.

Internal control exceptions in GovConnect information and technology services require urgent remediations

The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:

• fraud and error in the financial statements
• ineffective segregation of duties controls
• accuracy and completeness of system generated reports for the agencies using the SAPConnect system.

The table shows the number of ITGC control deviations compared to prior year:

Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The service auditor identified significant areas for remediation:

• governance arrangement of the IT services
• user access management controls
• SAP database controls
• logical access
• incident management.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.

The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.

The NSW Public Sector's cyber security resilience needs urgent attention

The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.

The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:

• considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
• examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
• conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.

A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:

• clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.

The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.

The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.

Management of cyber security risk

Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.

Our assessment of the department’s own cyber risk management shows that:

• an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
• a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.

The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Status of 2020 recommendations

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Health cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Health cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Health cluster (the cluster) agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for the financial statements of all Health cluster agencies.

The COVID-19 pandemic increased the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2020–21 was $250.2 million, of which $226.0 million were pandemic related.

A qualified audit opinion was issued on the Annual Prudential Compliance Statement. The basis of the qualification related to 19 instances (18 in 2018–19) of non-compliance relating to three of the 20 prudential requirements across five aged care facilities.

What the key issues were

The total number of matters we reported to management across the cluster increased from 112 in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high risk (one in 2019–20) and 57 were moderate risk (47 in 2019–20). Nearly one half of the issues were repeat issues.

The three new high-risk issues identified were:

Hotel Quarantine (HQ) fees

The absence of a tailored debt recovery strategy, data integrity issues and uncertainties around future HQ arrangements increased risks around the recoverability of HQ fees from travellers.

COVID-19 inventories

Data errors and anomalies in the impairment model and difficulties forecasting key factors impacting the management of Personal Protective Equipment (PPE) increased uncertainty associated with the valuation and impairment of COVID-19 inventories.

COVID-19 vaccines

The Commonwealth did not provide information about the cost of vaccines provided to NSW free of charge, which required the performance of internal valuations to reflect the consumption of vaccines in the financial statements.

What we recommended

Hotel Quarantine (HQ) fees

Develop a tailored assessment methodology to estimate recoverability of HQ fees and work with Revenue NSW to develop a tailored debt recovery strategy.

COVID-19 inventories

Review the current stocktaking and impairment methodology to incorporate validation of data key to the management of COVID-19 related PPE.

COVID-19 vaccines

Work with the Commonwealth to obtain primary price information on COVID-19 vaccines.

This report provides Parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making. This chapter outlines our observations and insights from our financial statement audits of agencies in the Health cluster.

Findings reported to management

The number of findings reported to management has increased, with 47.4 per cent of all issues being repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of cluster agencies. The Audit Office does this through our management letters, which include observations, implications, recommendations and risk ratings.

In 2020–21, there were 116 findings raised across the cluster (112 in 2019–20). 47.4 per cent of all issues were repeat issues (38.4 per cent in 2019–20).

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

Complexities arising from the COVID-19 response

The 2020–21 audit identified three new high-risk findings

COVID-19 has presented the cluster with several new accounting challenges. New and evolving matters arose from changes to operating conditions, which characterised the 2020–21 financial reporting period. Issues with a high degree of estimation uncertainty will require ongoing attention as the strategies employed to deal with the COVID-19 pandemic evolve.

Expected rate of recovery of outstanding Hotel Quarantine invoices

The estimation of the amount likely to be recovered is complicated not only by the uncertainties that exist regarding the assumptions those estimations rely upon, but also the debt collection processes and strategies put into place to manage the accumulated debtors' balance. Debt collection is not administered by the cluster, but rather Revenue NSW. We observed an absence of a methodology to assess the likelihood of recovery. Instead, Sydney Local Health District was relying on Revenue NSW to develop and execute on a collection strategy. Sydney Local Health District was using the same approach to hotel quarantine debts as it did to other Health receivables. As the approach to managing international borders evolves over time, so too will the cluster's need to develop robust estimation models to assess the likely collectability of debtors. 

Procurement, management and impairment of COVID-19 inventories

$656.2 million of COVID-19 inventories were procured in 2020–21, with $220.2 million consumed; $558.7 million impaired and a further $217.1 million written off. Estimates of the degree to which inventories are expired, not fit for purpose or are faulty is often based on management judgement at all stages in the procurement cycle.

With respect to the stocktaking methodology applied, the following issues were identified:

• discrepancies noted in the stock bin listing provided for audit
• discrepancies in the recount sheet generated
• inconsistent application of the stocktake methodology
• inconsistent labelling of quarantined stock
• a lack of an approach for validating stock expiry dates, which is a key input to the impairment calculations.

Although management had developed processes and a methodology to count as well as to assess the level of inventory that was not fit for purpose, ongoing attention to the operating environment that emerges post pandemic will be important in assessing the degree to which existing COVID-19 inventories can be integrated into a ‘business as usual’ model going forward. Further refinement of the key elements of the stocktaking methodology will also be required to ensure that key inputs upon which management relies to calculate the year-end inventory impairment provision can be appropriately validated.

Valuation and recognition of COVID-19 vaccines received from the Commonwealth Government

The 2020–21 financial reporting period saw the Commonwealth acquire COVID-19 vaccines and provide these to state jurisdictions to dispense to their communities. The vaccines, although provided free of charge require recognition. However, Health entities were not responsible for acquiring the vaccines and data on the vaccines' cost was not shared by the Commonwealth. Management undertook a valuation using publicly available data to estimate the value to attribute to the vaccine inventory; developed new systems and leveraged existing pharmacy systems to track physical quantities received from the Commonwealth and ultimately distributed to NSW citizens. As the response to the pandemic evolves, larger quantities, and new lines of vaccine stock will be dealt with, and policy settings will need to adapt when patterns of distribution of those vaccines (e.g., timing of third booster shots) emerge. The Ministry of Health will need to ensure that the valuations applied to the prices of inventory distributed and held in stock are as accurate as possible. This can be done through further refinement of the existing valuation methodology, obtaining price information from the Commonwealth and engaging specialist pharmaceutical valuers.

Emerging trends

Recognition of provisions without sufficient support

Several NSW Health entities raised accruals and provisions in 2020–21, which did not have an appropriate basis for recognition. Liabilities can only be recognised where there is a present obligation to make a payment arising from a past event. A number of these errors remain uncorrected in the financial statements of those entities as they are not material, individually or in aggregate to the financial statements as a whole. Increased training and guidance are required to ensure that treatment within the cluster is consistent and reflects events that have occurred and give rise to obligations.

Treatment of Commonwealth funding

In the 2020–21 and 2019–20 financial reporting periods, we observed prior period errors arising from the treatment of Commonwealth funding. These errors related to recognising revenue under funding agreements entered into with the Commonwealth in the incorrect period. The conditions of these funding arrangements, the transactional information requiring validation and the circumstances when revenue should be recognised are not always clear and can be complex. Early and continuous engagement with the Commonwealth is required to ensure that revenue recognition principles are consistently applied across the cluster.

Key repeat issues

Management of excessive annual leave

NSW Treasury guidelines stipulate annual leave balances exceeding 30 days are considered excess annual leave balances. Managing excess annual leave balances has been reported as an issue for the cluster for more than five years, with the average percentage of employees with excessive leave balances over the last five years being 36.1 per cent (35.5 per cent over five years covering 2015–16 to 2019–20).

The operational demands required to manage the COVID-19 pandemic have presented new challenges for the cluster in trying to manage its excessive leave balances. 39.2 per cent of employees now have excess leave balances at 30 June 2021 (35.4 per cent at 30 June 2020).

The state's leave policy C2020-12 Managing Accrued Recreation Leave Balances requires agencies to manage excessive leave balances to 30 days or less to maintain their workforces physical and mental health.

Accurate time recording

Forced-finalisation of time records by system administrators within HealthRoster remains an issue and we continue to observe time records forced-finalised by system administrators so pay runs can be finalised on a timely basis. During 2020–21, a total of two million (2.2 million in 2019–20) time records were force approved, which represents 5.7 per cent of total time records (6.9 per cent in 2019–20).

Existence, completeness and accuracy of key agreements

Delivery of major capital projects

Health Infrastructure (a division of the Health Administration Corporation) is responsible for the delivery of major capital projects with a budgeted spend of more than $10.0 million. Health Infrastructure oversee the planning, design, procurement, and construction phases. Capital works in progress are recognised in the financial statements of the health entity that intends to use those assets upon completion. The health entities recognise both the capital work in progress and the revenue associated with the capital funding from the Ministry for the construction of the assets. Capital funding is currently agreed with health entities as part of the annual Service Agreement. The assumption that the health entities control the assets during their construction is consistent with Health Infrastructure's role as an agent for the health entity and the Ministry's policy directive PD2020-033 'Management and control of Health Administration Corporation owned Real Property'.

We continued to observe a lack of clarity regarding agreements between Health Infrastructure, the Ministry and the cluster agency that will eventually receive the completed asset. This can lead to confusion and uncertainty around the rights and obligations of each party to the transaction.

Cross border patient funding arrangements

When patients require medical care in a jurisdiction where they are not generally domiciled, there are arrangements in place to provide funding to support cross border patient treatments. We have previously observed that agreements between NSW and other jurisdictions have not been finalised, and this continues to be the case. In the case of Victoria, no agreement has been finalised for the past seven years.

We continue to note that the cluster has long outstanding receivables and payables with other states. The absence of formal agreements between the states hampers the settlement of the debts relating to the treatment of cross border patients. The following table shows the status of Cross Border Agreements between NSW and other jurisdictions:

Albury Base Hospital

Albury Base hospital is located on the border of NSW and Victoria and services residents of both states. Documentation supporting the extension of the expired Intergovernmental Agreement 2009–2017 between NSW and Victoria in relation to the integration of health services in Wodonga and Albury could not be located.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Premier and Cabinet cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Premier and Cabinet cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Premier and Cabinet cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The number of monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.

The Library Council of New South Wales corrected a prior period error of $325 million. In 2017, the council split its collection assets into six asset classes, but not the related asset revaluation reserves. To correct this error, some revaluation decrements previously recognised in asset revaluation reserves were reclassified to accumulated funds.

Eight agencies did not complete all of the mandatory early close procedures.

What the key issues were

The Premier and Cabinet cluster was impacted by three Machinery of Government (MoG) changes during 2020–21.

The changes resulted in the transfer of activities and functions in and out of the cluster and the creation of a new entity - Investment NSW.

The transferor entities continued to provide services to Investment NSW subsequent to 30 June 2021. There were no formal service level agreements in place for the provision of these services.

The New South Wales Electoral Commission (the Commission) and Sydney Opera House Trust obtained letters of financial support from their relevant Minister and/or NSW Treasury in 2020–21. The postponement of local government elections impacted the Commission's operations due to increased planned expenditure to support a COVID-safe election. Sydney Opera House Trust's ability to generate revenue was impacted due to the closure of the Concert Hall partly due to COVID-19 and planned renovations.

The number of repeated audit issues raised with management and those charged with governance increased from 22 in 2019–20 to 24 in 2020–21.

There were 47 moderate risk and 28 low risk findings identified. Of the total findings there were 24 repeat issues.

What we recommended

Investment NSW should ensure services received from other agencies are governed by service level agreements.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

• our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
• our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

This report analyses the results of our audits of financial statements of the Health cluster for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

The impacts of the COVID-19 pandemic on the cluster were significant and included changes to the operations of the health entities and increased revenue, expenditure, assets and liabilities.

As a part of this year's audits of health entities, we have considered:

• financial implications of the COVID-19 emergency at both health entity and cluster levels
• changes to agencies' operating models
• agencies' access to technology and the maturity of systems and controls to prevent unauthorised and fraudulent access to data.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The response to the COVID-19 pandemic primarily impacted the financial reporting of NSW Health through:

• additional revenue from the State government in the form of grants and stimulus payments
• additional revenue from the Commonwealth government under the National Partnership Agreement for COVID-19 to cover part of the cost of responding to the COVID-19 pandemic
• increased expenses, largely due to increased payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists and increased cleaning costs
• increased purchases of personal protective equipment.

Chapter one outlines the impacts of NSW Health’s response to the COVID-19 pandemic. This chapter outlines our other audit observations related to the financial reporting of agencies in the Health cluster for 2020.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

The primary impact of the COVID-19 pandemic on the effectiveness of the internal controls of NSW Health and health entities relates to the effectiveness of controls implemented by HealthShare relating to the stocktake of personal protective equipment inventories. Inventory managed by HealthShare increased by 2,746 per cent during 2019–20. HealthShare’s inventory controls did not maintain pace with the sudden, significant increase.

The impacts of NSW Health’s response to the COVID-19 pandemic are outlined in chapter one. This chapter outlines other observations and insights from our financial statement audits of agencies in the Health cluster.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations 

Appendix three – Financial data

Appendix four – Analysis of financial indicators 

Appendix five – Analysis of performance against budget

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Auditor-General’s Report to Parliament

Health 2020

11 December 2020

This corrigendum has been prepared to amend the following text within the Auditor-General’s Report to Parliament on Health 2020, dated 10 December 2020.

NSW Health emergency department treatment times

On page five the original text was as follows:

NSW Health also measures the percentage of patients whose clinical care in emergency departments is completed within four hours. The measure is used as an indicator of accessibility to public hospital services.

NSW Health aims to complete clinical care in the emergency department for 81 per cent of patients within four hours. In 2019–20 NSW Health reports it completed clinical care within four hours for 72.1 per cent of patients (a 7.3 per cent decrease from 2018–19).

At Western Sydney Local Health District, 59 per cent of patients were treated within the targeted timeframe. NSW Health attribute this to the profile of patients presenting in emergency departments and additional time taken processing COVID-19 patients to ensure staff safety.

The original text has now been changed to:

NSW Health also measures the percentage of patients with total time in the emergency department of four hours or less for each local health district. The measure is used as an indicator of accessibility to public hospital services.

The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining NSW Health’s management of health and safety risks to nurses and junior doctors in high demand hospital wards over the past five years, including during the first six months of the 2020 COVID-19 health emergency.

The Auditor-General found that while NSW Health effectively managed most incidents and risks to the physical health and safety of hospital staff during ‘business as usual’ activities, systems and resources are not fully effective to manage staff psychological and wellbeing risks, particularly for nurses.

The Auditor-General found that NSW Health was effective in managing most COVID-19 health and safety risks to hospital staff. Overall effectiveness could have been improved had pandemic preparedness training been delivered across all Local Health Districts. Additionally, state-wide communication systems could have been improved to provide hospital clinicians with access to a ‘single source of truth’ with the latest advice from NSW Health authorities.

NSW Health’s planning and preparation for the supply of Personal Protective Equipment (PPE) was partially effective. At various times, some PPE items could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from usual items, and in some hospitals, substituted masks were used without being locally fit tested by hospital staff.

The Auditor-General made seven recommendations aimed at enhancing hospital health and safety risk reporting practices, along with a recommendation that NSW Health conduct a post pandemic 'lessons learned' review and make policy and operational recommendations for future pandemic responses.

Over the past decade, there have been increases in the numbers of health and safety incidents affecting nurses and junior doctors in NSW hospitals. These increases have been associated with higher numbers of patients with acute mental health conditions, age-related cognitive impairments, and patients presenting in emergency departments under the influence of drugs and alcohol.  

This audit commenced in August 2019, with a focus on the health, safety and wellbeing of nurses and junior doctors in high demand hospital wards. Our audit focused on emergency departments, mental health wards and aged care wards during 'business as usual’ periods of hospital operations. 

In the early months of 2020, the novel coronavirus (COVID-19) brought new health and safety risks to hospital staff. These risks included the potential for infection amongst health workers, increased staff workloads, and impacts on staff wellbeing.  

In May 2020, we expanded the focus of the audit to assess the effectiveness of NSW Health’s management of the health and safety risks to staff during the COVID-19 health emergency. We assessed the impacts on emergency departments and intensive care units, as these were the wards where staff were most likely to come into contact with COVID-19.  

The Audit Office acknowledges the ongoing health and safety challenges that the pandemic has brought to NSW Health staff – in particular to hospital clinicians and the managers who support them.  

This audit assessed the effectiveness of NSW Health’s:

• systems, forums and workplace cultures to support reporting and generate data about risk
• initiatives to support safe workplaces and effectively respond to health and safety incidents
• actions to continuously improve staff health, safety and wellbeing in hospital environments.

The first three chapters of this report describe the effectiveness of NSW Health’s ‘business as usual’ health and safety risk management. The fourth and fifth chapters describe the effectiveness of NSW Health’s health and safety risk management during the COVID-19 pandemic.  

1. Audit recommendations

By December 2021, NSW Health should:

1. Evaluate the effectiveness of the new incident management system to enable full reporting of health and safety incidents and risks in all hospital wards, including those where incidents and risks are common, and monitor for consistency of reporting over time
2. Expand the categories of hospital incident data reported to Ministry executives in the Work Health and Safety Dashboard reports, including by linking injury data to incident types by hospital ward category, and monitor in conjunction with Local Health Districts for emerging trends and improvement over time
3. Ensure that nurses and junior doctors have regular opportunities to report on risks to their psychological health and wellbeing, and that system managers have access to aggregate data to guide responses to mitigate these risks
4. Develop and implement an evidence-based guiding framework and strategy to support hospital staff in the aftermath of traumatic or unexpected workplace incidents, and monitor implementation
5. At regular intervals, publicly report aggregate Root Cause Analysis data detailing the hospital system factors that contribute to clinical incidents
6. Develop and implement a systemwide platform for sharing research and information about hospital health and safety initiatives across the health system
7. Conduct a post-pandemic 'lessons learned' review focusing on the effectiveness of key strategies deployed in the management of the COVID-19 pandemic and make policy and operational recommendations for future pandemic responses. In particular, ensure:
   • regular scenario-based pandemic training for hospital staff
   • updated policies and protocols for hospital infection controls
   • capability to upscale authoritative communication with frontline health workers at the earliest notification of a health emergency and for the duration of the emergency
   • systems and safeguards to ensure the supply and availability of clinically appropriate personal protective equipment (PPE) during all phases of a pandemic.

Local Health Districts were effective in leading health and safety infection control activity

According the NSW Health Influenza Pandemic Plan (Pandemic Plan), the Chief Executives of Local Health Districts have ultimate responsibility for public health unit preparations during health emergencies. If necessary, they can ‘draw on the support of the State Pandemic Management Team and local emergency management resources’.

During the preparations and early response phases to the COVID-19 pandemic, Local Health Districts were at the forefront of most NSW hospital activity. They took the lead role in developing hospital infection control protocols and guidance about the appropriate uses of Personal Protective Equipment (PPE). Each Local Health District established its own responses to the health emergency, based on the best clinical advice available to them. The localised approach meant that there were some minor differences in infection control practices across the NSW health system.

Throughout February and March 2020, there was limited centralised policy or guidance from the Ministry and its Pillar Health agencies about COVID-19 infection control practices. It was not possible to mandate practices at a time when information about the virus was evolving. Clinical responses were changing as more became known about COVID-19, especially about its patterns of transmission and its impacts on people with the disease.

During February and March 2020, Local Health District executives communicated with hospital staff via a range of methods. Some sent daily e-memos with the latest updates. Some scheduled more regular meetings with hospital clinicians. Some Districts set up extensive staff training sessions and information briefings to keep all personnel updated with the latest advice. Physical distancing made it difficult to bring staff together in large groups, so a range of communications measures were implemented.

Clinical staff also utilised their clinical training and expertise to prepare their wards and train frontline staff in infection control procedures. Some sourced information from national and international colleagues to add to localised knowledge of the virus.

When the first evidence of COVID-19 community transmission was identified in the Northern Sydney Local Health District, hospital staff followed infection control protocols that were based on local guidance and information. With the support from the District executive team and infectious diseases experts, hospital clinicians set up their own infection control protocols and PPE protections. Within a week the District had produced a matrix to guide staff in the uses of PPE during COVID-19 procedures, and had circulated the guidance to all hospital clinicians.

At the end of March 2020, a version of the Northern Sydney PPE matrix was published on the Clinical Excellence Commission’s website and it has now become NSW Health’s standard guideline for PPE during COVID-19 procedures. Once this guideline was published centrally, infection control practices were standardised across NSW hospitals.

This form of District-led policy making is not ‘business as usual’ practice for NSW Health. Policy making processes were somewhat reversed during the early response phases to COVID-19. This flexible policy approach supports the governance arrangements described in the Pandemic Plan, which assigns responsibility for ‘supporting and maintaining quality care across health services and implementing infection control measures as appropriate’ to Local Health Districts.

In non-health emergency situations, clinical policy and protocols are usually initiated and developed by the Ministry and the Clinical Excellence Commission and are subsequently shared across the health system after a quality control process. The localised approach adopted in the months from February to March 2020, allowed for rapid and flexible responses to changing information – to protect the health and safety of the hospital workforce and the wider community.

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Local Health Districts are responsible for training hospital staff in preparation for public health emergencies. NSW’s policy describing Public Health Emergency Response Preparedness Minimum Standards requires that clinical staff participate in at least one annual emergency training exercise if they hold a position where they are likely to be called upon in an emergency. Staff must participate in an actual response exercise or a relevant training session. The training must also include re-familiarisation with PPE.

Available evidence about emergency response training in NSW indicates that at least two Local Health Districts have delivered pandemic focussed training in the past decade. Our interviews with managers of emergency departments and intensive care units indicates that most other Districts have focused their emergency training on mass patient trauma incidents such as plane crashes, train crashes and terrorist attacks. While the potential for these types of mass trauma events is real, and warrants training and preparation, significant global outbreaks of diseases have also had potential to threaten NSW communities. In previous decades, global health communities have been at risk of diseases such as the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

In the two Districts where pandemic training was provided in NSW, staff participated in community influenza vaccination exercises. These were focused on upskilling staff to follow emergency command structures, manage high volume patient flows, and organise sanitisation logistics during a hospital-based training exercise.

Our interviews with nurse managers in emergency departments and intensive care units indicate that in the majority of other Local Health Districts, key personnel were unaware of the NSW Pandemic Plan. Interviewed staff also reported insufficient scenario-based training in pandemic responses over the last ten years.

The Ministry, the Clinical Excellence Commission and the Health Education and Training Institute (HETI) are responsible for online training and 'state-wide strategies and resources to maintain high levels of compliance with infection control and patient safety recommendations'. The HETI website contains online training modules in infection control and PPE donning and doffing procedures. Other infection control information and research is available on the websites of the Clinical Excellence Commission and the Agency for Clinical Innovation.

Online training modules are effective for upskilling staff in a range of skills, but are not a substitute for real-time, rapid incident response training. Face-to-face training provides opportunities for first responders to test procedures in hospital environments. Incident response training provides opportunities for staff to assess their levels of compliance with protocols and their competence with equipment in scenario situations. It is the responsibility of Local Health Districts to provide this form of training to the health staff in their District.

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry had not updated two policies that had the potential to assist emergency departments and intensive care units in aspects of their ward preparation for the COVID-19 pandemic. Both policies were on the NSW Health website, but neither were shared with hospital staff in the planning phases for the pandemic. Both policies are out of date and have not been revised within required timeframes.

The 2010 Influenza Pandemic - Providing Critical Care policy was due for review in May 2015 and was not updated at the time of the COVID-19 health emergency. Similarly, the 2007 policy Hospital Response to Pandemic Influenza Part 1: Emergency Department Response was due for review in June 2012 and has not been updated.

These policies were designed to assist clinical staff to make necessary ward arrangements for infection control. They set out the steps for rapid identification of contingent workforces, isolation procedures, and management of patient flows to separate those with suspected infection from other patient cohorts. They were a potential addendum to the NSW Pandemic Plan which describes the command and control responsibilities of health agencies in health emergencies.

Our interviews with nurse managers from emergency departments and intensive care units indicate that in the absence of pandemic policy, they sought clinical guidance from external sources and Local Health District experts. Interviewees told us that a lack of policy guidance about ward arrangements and infection control practices in a pandemic increased their workloads and hours of overtime in the early response phases to COVID-19. With the support of Local Health Districts, clinical staff made rapid adjustments in order to respond to changing testing requirements and ward arrangements.

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

NSW Health’s governance and communication arrangements during a pandemic are set out in the Pandemic Plan. The Plan requires that government agencies ‘commence enhanced arrangements, establish communications measures’ and confirm ‘governance arrangements’ when there is evidence of person to person transmission during an influenza outbreak. NSW Health received the first notifications of the novel coronavirus risks in January 2020.

During the preparation and early response phases to COVID-19, the Ministry and its central agencies were slow in establishing a single, authoritative channel through which to communicate consistent messages to frontline staff. Clinical staff required up-to-date information about COVID-19 testing criteria as requirements were changing rapidly, sometimes daily. While there was no expectation for fixed policy at this time, hospital staff required the latest instructions about treatment requirements, and updates on the numbers of COVID-19 infections in their region.

As information about COVID-19 was evolving, information was communicated across the health system via ‘multiple channels and sources’. While the Ministry and its central agencies communicated extensively with Local Health Districts during March 2020, hospital staff reported to us that they weren’t always sure where they could find the latest advice about testing protocols or infection controls.

Frontline staff told audit office staff that they were checking multiple sources and time-stamping advice to ensure they had the most up to date information on a daily basis. While some Local Health Districts managed clear communication links with frontline staff, nurse managers told us that communication was ‘chaotic’ during the early phases of pandemic preparation. Key personnel were not always available outside business hours and nurse managers advise that they spent hours at the end of shifts, seeking and printing the latest advice for weekend and night shift personnel. By the end of March 2020, the Ministry and the Clinical Excellence Commission websites became better organised to communicate with frontline clinicians.

A recommendation to the Ministry of Health after H1N1 swine flu could be equally applied in the COVID-19 context. The NSW Government’s report: Key Recommendations on Pandemic (H1N1) 2009 Influenza recommended the establishment of ‘clear pathways of communication … so that all employees have confidence in where their information will come from and who they should approach if they need additional information.’

NSW Health acknowledges the challenges and the lessons from the early phases of the COVID-19 pandemic. For example, a strategy released in August 2020, sets out NSW Health’s own recommendation for the future management of PPE including: ‘Aligning a single source of truth for PPE education and evidence-based guidance to ensure clarity of information on appropriate use, supported by an influential network of Infection Prevention and Control (IPC) practitioners at the forefront.

Ministry executives advise that communication with health staff has improved since the early phases of the pandemic. The Ministry now sends weekly COVID-19 updates to over 130,000 health staff via email. In addition, NSW Health now has two COVID-19 tabs on its website with current information, including COVID-19 testing advice. According to Ministry executives, these communication channels could be used or replicated if needed for future health emergencies. The Ministry also provides health information and updates via a phone application called Med App. This App is preferred by doctors and is less likely to be used by nurses. As at October 2020, there are 13,000 users of Med App. Push notifications can be made on Med App through SMS alerts.

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

Since the emergence of COVID-19 in Australia, all clinicians in NSW hospitals have had access to some form of PPE for their clinical requirements. If staff did not have appropriate equipment for each COVID-19 related procedure, they were guided by the formal advice issued to the NSW Health workforce on 11 March 2020 stating that: ‘The safety of NSW Health staff is a priority at all times, especially during COVID-19. Where safe working practices confirm specific PPE (e.g. face shields/masks or other equipment) are required for the protection of staff due to COVID-19, in all circumstances:

• staff are to wear prescribed PPE as instructed
• staff are not to undertake or be required to undertake tasks requiring PPE if the PPE is not available for use. Any such tasks are not to proceed until required PPE is available
• any staff member who is concerned about their safety must raise their concerns immediately to their manager.’

At periods during March and April 2020, some PPE items were not available in the required sizes or the regular brands to which staff were accustomed. HealthShare NSW was not able to source PPE from usual suppliers. HealthShare NSW sourced PPE including N95 masks from non-traditional suppliers. Some PPE items differed in shape and size from the usual hospital equipment. While senior executives from HealthShare NSW advise that all products were approved by the Therapeutic Goods Administration (TGA), in some hospitals, nurse managers advise that staff were not able to ‘fit test’ substituted masks. Fit testing determines the type and the size of the respirator mask that achieves an adequate seal on an individual’s face.

In March and April 2020, ‘duck bill’ (N95) masks were not available in some hospitals. According to stock managers and clinical managers in Local Health Districts, duck bills are the preferred mask for staff with smaller faces, particularly female staff members. The duck bill mask is a standard PPE product, and as such, is fit tested during mandatory PPE training. During the early response phases to COVID-19, most Local Health Districts were provided with substitute N95 masks. Fit testing of the substituted N95 masks was not able to be conducted in all NSW hospitals during the early phases of COVID-19. During the first wave of COVID-19 in March and April 2020, hospital staff told audit staff that there was no time and a lack of equipment to appropriately fit test substituted N95 masks.

Nurse managers in emergency departments advise that in some instances, staff made adaptations to PPE to improve protections, such as doubling masks, adding elastics or bringing their own equipment. These adaptations were not consistent with guidelines. Nurse managers advise that in some cases, adaptations to PPE or ill-fitting masks created pressure sores and contact dermatitis. Just over half of the stock managers of Local Health Districts advised that PPE stock was procured from outside the HealthShare NSW system. Stock managers in some Districts advise that facial shields and goggles sourced from non-traditional suppliers by HealthShare NSW were of a lesser quality than standard equipment. Stock managers and nurse managers reported that the changes in PPE products caused confusion and stress amongst staff.

Local Health Districts were proactive in assisting hospital staff to mitigate risks of COVID-19 infections. Some Local Health Districts assigned ‘tiger teams’ to assist staff with their PPE practices. Tiger teams provide clinical expertise and advice to staff, answer questions about infection control and provide training on PPE practice in hospital ward environments. They assist and support PPE donning and doffing practices to ensure the appropriate sequencing of applying and removing PPE for effective infection control. They provide mask fit checking guidance to assist staff in correct PPE practices.

Districts ran extensive refresher PPE training sessions for clinical staff. Some hospitals ran regular PPE demonstrations so that staff could observe correct PPE procedures at set times during the day. These activities assisted staff to implement appropriate infection control in the period before the Clinical Excellence Commission’s web-based materials and videos became available in late March and early April 2020. These online resources now provide comprehensive guidance to hospital staff in PPE practices.

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

The NSW Pandemic Plan describes the responsibilities of the Ministry and its central agencies to manage and maintain the State Medical Stockpile of essential PPE supplies and antiviral medications. During a pandemic, HealthShare NSW has responsibility for warehousing, monitoring and distributing health supplies to the health workforce.

Due to a reported global shortage of PPE and limits to the NSW stockpile, HealthShare NSW placed limits on the provision of approximately 100 high-demand items to NSW hospitals. HealthShare NSW advise that the PPE order capping ceilings were implemented ‘to ensure local stockpiling does not occur’. A centralised ordering process was established with Local Health Districts so that PPE product ordering occurred through single hospital locations (214 across the State), rather than at the ward level. Escalation processes were established to allow Districts to request one-off increases to supply, and a process was set up to permanently increase the order cap limit for any PPE item by facility.

According to HealthShare NSW, ‘as incoming central supply has improved, order caps have subsequently increased in line with strong engagement and governance with the Local Health Districts to ensure the appropriate levels of supply are provided’. The original capped levels were determined by assessing PPE usage in wards during the flu season of 2019. As the flu season case numbers of 2019 were relatively low, some Local Health District managers advised that the levels of PPE during 2019 were not comparable to the level of PPE required for the COVID-19 pandemic.

After advocacy from hospital stock managers and clinicians, HealthShare NSW increased capped PPE levels in many Local Health Districts.

Executive members of the State Health Emergency Operations Centre (SHEOC) advise that its PPE supply strategy needs to be carefully developed as there are vast differences in PPE usage rates during 'business as usual' periods and pandemic periods. If NSW Health kept the level of PPE required in planning for a worst-case scenario, this would equate to an extensive surplus of PPE that could not be utilised during business as usual periods. The SHEOC Executive advise that it is not feasible or economical to store this level of PPE. They advise that given the costs of PPE, and the fact that the products have a shelf life, a diversified supply line is a more reliable method for ensuring PPE during surge and non-surge periods.

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

Early projections of patient numbers requiring acute care for COVID-19, were at levels that would not have been manageable with the equipment and resources of NSW hospitals. Throughout March through to May 2020, government data modelling indicated significant surges of community infections and surges in intensive care patients.

Early estimates were based on overseas trends, and if actual cases had matched projections, NSW hospitals would not have had sufficient ventilators to meet demand. The knowledge of this shortfall caused high levels of anxiety among nursing and medical staff.

While the data was based on the best available information, it had negative implications for the health and safety of the nurse and junior doctor workforce. Managers of intensive care wards and emergency departments reported stress amongst the workforce. Staff concerns were primarily about being faced with ‘the unmanageable’, along with heightened fears about contracting the virus with the knowledge that there was insufficient equipment to treat acute patients.

As it transpired, overall numbers of COVID-19 infections were lower than projected during the early months of the pandemic. The lower infection rates in the general population have meant fewer instances of patients requiring intensive care in NSW hospitals. In addition, HealthShare NSW has been able to increase the numbers of ventilators in NSW hospitals to prepare for future surges in patients requiring acute respiratory care.

SHEOC Executive advise that NSW Health undertook an accelerated procurement strategy in early 2020 to increase its stock of ventilators, and that ventilator capacity has always far-exceeded actual requirements.

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

In August 2020, NSW Health released a strategy that sets out its future management and planning approaches to the provision of PPE for the NSW Health workforce. NSW Health’s Personal Protective Equipment (PPE) Strategy describes the learnings and challenges during the COVID-19 pandemic in sourcing and distributing PPE. It sets out the systems and methods for distributing PPE to staff and patients and focuses on how staff are kept informed on the appropriate use of PPE at all times. A supporting communications strategy has been developed to support its implementation.

The strategy contains enhanced transparency measures to regularly inform staff about PPE stock levels and to provide data about PPE usage rates by item types in wards in NSW hospitals. The NSW Health PPE strategy describes a changed approach to ordering, storing and allocating PPE. This includes diversifying the supply lines for PPE products to increase supply options in circumstances where supply lines become disrupted. It includes a centralised system for coordinating the supply of hospital PPE through Local Heath District coordination points and centralised distribution points in large hospitals.

Our interviews with hospital PPE stock managers and nurse managers indicate that staff find the new ordering system to be an improvement upon the previous stock ordering method.

According to the Personal Protective Equipment (PPE) Strategy, NSW health is upgrading its models for monitoring and benchmarking PPE usage across the health system. Systems are being improved for forecasting demand volumes during business as usual periods and during health emergency surges.

Appendix one – Response from agency

Appendix two – Audit methodology

Appendix three – About the audit 

Appendix four – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #344 - released 9 December 2020

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

• financial and information technology controls
• business continuity and disaster recovery planning arrangements
• procurement, including emergency procurement
• delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released her report today on State Finances for the year ended 30 June 2020.

‘I am pleased to once again report that I issued an unmodified audit opinion on the State’s consolidated financial statements,’ the Auditor-General said.

The report acknowledges this has been a challenging year, with New South Wales impacted by natural disasters and the COVID-19 pandemic.

The State’s Budget Result, reported in the financial statements, was a deficit of $6.9 billion. This is different to the 2019-20 budget forecast surplus of $1.0 billion and is an outcome of the government’s significant response to bushfires and COVID-19.

The report summarises a number of audit and accounting matters arising from the audit of the Total State Sector Accounts, a sector that comprises 291 entities controlled by the NSW Government with total assets of $495 billion and total liabilities of $256 billion.

Read full report (PDF)

Our audit opinion on the State’s 2019–20 financial statements was unmodified

An unmodified audit opinion was issued on the State’s 2019–20 consolidated financial statements.

The State extended signing its financial statements by six weeks.

Natural disasters, the COVID-19 pandemic and other factors impacted the State’s 2019–20 reporting timetable. The State extended signing its financial statements by six weeks, compared with 2018–19.

All agencies were also given a two-week extension to prepare their financial statements compared with 2018–19. Further extensions beyond two weeks were subsequently approved for the following 11 agencies (7 in 2018–19) to submit completed financial statements for audit:

• Department of Communities and Justice
• Department of Customer Service
• Department of Planning, Industry and Environment
• Department of Regional NSW
• Department of Transport
• Environment Protection Authority
• Infrastructure NSW
• Lord Howe Island Board
• NSW Crown Holiday Parks Land Manager
• Service NSW
• Water Administration Ministerial Corporation.

The extensions reflected that the COVID-19 pandemic impacted agencies’ work environments during the first six months of 2020. This was at a time when many were still implementing machinery of government changes and preparing to implement three significant new accounting standards:

• AASB 15 Revenue from Contracts with Customers (issued December 2014, effective 1 July 2019)
• AASB 16 Leases (issued February 2016, effective 1 July 2019)
• AASB 1058 Income of Not-for-profit entities (issued December 2016, effective 1 July 2019).

These new accounting standards were issued some years before they became effective, to allow reporting entities sufficient time to prepare for implementation. Notwithstanding this, some agencies had not fully implemented the new accounting standards in time for early close procedures, and the unforeseen impact of COVID-19 further complicated the year-end financial reporting processes for the State and its agencies.

The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.

In 2019–20, agency financial statements presented for audit contained 19 errors exceeding $20 million (six in 2018–19). The total value of these errors increased to $1.4 billion ($927 million in 2018–19).

The errors resulted from:

• incorrectly applying Australian Accounting Standards and Treasury Policies
• incorrect judgements and assumptions when valuing noncurrent physical assets and liabilities
• incorrectly interpreting the accounting treatment for unspent stimulus funding.

Errors in agency financial statements exceeding $20m (2016–2020)

$4.1 billion in stimulus funding was allocated in 2019–20

The government implemented an economic stimulus package primarily to mitigate the impacts of the COVID-19 pandemic on New South Wales.

The COVID-19 pandemic and bushfires had a significant impact on the State’s finances, reducing its revenue and increasing its expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health.

The government announced a $4.1 billion health and economic stimulus package in 2019–20. This primarily included:

• $2.2 billion in health measures including purchases of essential medical equipment and increasing clinical health capacity (like intensive care spaces)
• $1.0 billion in small business and land tax relief
• $355 million in extra cleaning services and quarantine costs.

Cluster agencies had spent $3.0 billion (just under 75 per cent) of the COVID-19 stimulus package by 30 June 2020.

The Health cluster incurred most of this expenditure.

Total spend relating to bushfires was $1.3 billion in 2019–20.

The graph below shows the total allocation and spend by cluster to 30 June 2020.

Economic stimulus allocation and spend by cluster to 30 June 2020

Deficit of $6.9 billion compared with a budgeted surplus of $1.0 billion

An outcome of the government’s overall activity and policies is its net operating balance (Budget Result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.

The General Government Sector, which comprises 199 entities, generally provides goods and services funded centrally by the State.

The Non-General Government Sector, which comprises 92 government businesses, generally provides goods and services, such as water, electricity and financial services that consumers pay for directly.

The Budget Result for the 2019–20 financial year was a deficit of $6.9 billion. The original budget forecast, set before the COVID-19 pandemic and bushfires, was a $1.0 billion surplus. The main driver of the change in result was:

• $1.3 billion of higher employee costs, mainly due to:
  • increased workers compensation claims
  • additional personnel required (mainly in the Health sector) to respond to the COVID-19 pandemic
• $2.3 billion of higher operating expenses, mainly due to:
  • $828 million from first time recognition of a child abuse claim liability
  • $507 million from additional insurance claims from the NSW bushfires
  • $343 million from COVID-19 claims by agencies for loss of revenue.
• $1.8 billion in higher grants and subsidy expenses, mainly due to:
  • small business grants
  • COVID-19 quarantine compliance measures
  • costs incurred in response to the 2019–20 bushfires, drought and disaster relief payments
  • third party-controlled assets that were subsequently transferred to councils and utility providers, mainly arising from construction of the CBD and South East Light Rail.

The deficit was further driven by:

• $1.9 billion less taxation revenue, mainly resulting from:
  • $1.3 billion less in payroll tax due to relief measures introduced by the government as part of its COVID-19 economic stimulus
  • $424 million less in gambling and betting taxes, due to venue closures required by COVID-19 public health orders
• $523 million less in dividends and income tax revenue from the Non-General Government Sector, due to lower dividends received from NSW Treasury Corporation and from the State’s other commercial government businesses
• lower fines, regulatory fees and other revenue, due to a $305 million decrease in mining royalties, largely driven by lower coal prices.

Main drivers of the 2019–20 actual vs. budget variance

Revenues increased $209 million to $86.3 billion

In 2019–20, the State’s total revenues increased by $209 million to $86.3 billion, 0.2 per cent higher than in 2018–19. COVID-19 impacted taxation revenue, which fell by $1.1 billion and revenue from the sale of goods and services, which fell by $1.1 billion. These falls were offset by a $2.5 billion (7.7 per cent) increase in grants and subsidies from the Australian Government, mainly in the form of additional stimulus funding.

Taxation revenue fell 3.5 per cent

Taxation revenue fell by $1.1 billion, mainly due to a:

• $861 million fall in payroll tax as a result of COVID-19 relief (reduced payroll tax payments for eligible small businesses)
• $430 million fall in stamp duty collections, driven by lower than expected growth in the property market
• $427 million decline in gambling and betting taxes, mainly due to venue closures driven by COVID-19 public health orders.

Stamp duties of $8.8 billion were the largest source of taxation revenue, $473 million higher than payroll tax, the second-largest source of taxation revenue.

Australian Government grants and subsidies

The State received $34.2 billion in grants and subsides which are mainly from the Australian Government, $2.4 billion more than in 2018–19.

The increase was driven by a $1.1 billion increase in Commonwealth Specific Purpose Payments to support the Health cluster respond to the COVID-19 pandemic. Commonwealth National Partnership Payments increased by a similar amount to provide the State with Natural Disaster relief.

Sales of goods and services

In 2019–20, sales of goods and services fell $1.1 billion. This was due to the COVID-19 pandemic reducing:

• patronage and related transport passenger revenue
• health billing activities with elective surgery being put on hold

Fines, regulatory fees and other revenues

Fines, regulatory fees and other revenues fell $505 million. This was mainly due to a $409 million decrease in mining royalties attributed to a drop in thermal coal prices during 2019–20.

Other dividends and distributions

Other dividends and distributions rose by $616 million due to higher distributions received from the State’s investments. This was due to an additional $1.3 billion held in the State’s investment portfolio compared with last year.

Expenses increased $8.2 billion to $96.0 billion

The State’s expenses increased 9.3 per cent compared with 2018–19. Most of the increase was due to higher employee expenses, other operating costs and grants and subsidies.

Employee expenses, including superannuation, increased 5.7 per cent to $42.6 billion.

Salaries and wages increased to $42.6 billion from $40.3 billion in 2018–19. This was mainly due to increases in staff numbers and a 2.5 per cent increase in pay rates across the sector. Salaries and wages for the Education and Health sectors increased by $659 million and $732 million in each sector respectively.

The Health sector employed an additional 2,763 full time staff in 2019–20. It also incurred more overtime in response to COVID-19. Education increased staff numbers by 4,866 full time equivalents and paid a one off 11 per cent pay rise to school administration staff in 2019–20. Historically, the government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.

Operating expenses increased 8.7 per cent to $27.0 billion.

Operating expenses increased to $27.0 billion in 2019–20 ($24.8 billion in 2018–19) due to higher operating activities in Health. The higher level of activities and related costs is attributed to a full year of operations at the Northern Beaches Hospital (opened November 2018), and responding to COVID-19. The response to COVID-19 involved the State providing viability payments to private hospitals, higher visiting medical officer costs due to additional overtime hours and spending more on equipment to set up COVID-19 testing clinics.

Insurance claims increased by $2.0 billion. This was mainly due to NSW Self Insurance Corporation (SiCorp) recognising a liability for child abuse claims incurred but not reported for the first time, and claims for the 2019–20 bushfires, floods and COVID-19.

Health costs remain the State’s highest expense.

Total expenses of the State were $96 billion ($87.8 billion in 2018–19). Traditionally, the following clusters have the highest expenses as a percentage of total government expenses:

• Health – 24.3 per cent (25.8 per cent in 2018–19)
• Education – 17.6 per cent (19.3 per cent in 2018–19)
• Transport - 12.8 per cent (12.6 per cent in 2018–19).

General public service expenses as a percentage of total State expenses is higher due to a $2.0 billion increase in SiCorp’s accrued claim expenses.

Other expenses increased due to additional grant funding by the State for drought relief and COVID-19 stimulus spend.

Health expenses increased by $632 million compared with 2018–19 but fell as a proportion of total State expenses.

Education expenses remained stable compared with last year due to savings in student transportation costs primarily driven by COVID-19. This led to a decrease in the proportion of the State’s costs relating to education activities.

Grants and subsidies increased $2.5 billion to $14.1 billion.

The increase in grants and subsidies was due to payments the State made to support businesses and local communities in the face of COVID-19 and bushfires. In addition, the State transferred CBD and South East Light Rail assets to councils and utility providers during 2019–20 as it no longer controlled these.

Depreciation expense increased $1.0 billion to $9.2 billion.

Depreciation increased to $9.2 billion from $8.0 billion in 2018–19. At 1 July 2019, the State implemented the new leases standard recognising a right of use (ROU) asset and related lease liability in its financial statements. The value of ROU assets are amortised over the term of the lease. This contributed to $980 million of the increase in 2019–20 depreciation expense. Last year, these costs were previously reported within other operating expenses.

Assets grew by $28.0 billion to $495 billion

The State’s assets primarily include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $28.0 billion to $495 billion. This was a six per cent increase compared with 2018–19, mostly due to changes in asset carrying values.

Of the State’s $28.0 billion increase in asset values, $9.3 billion was due to a new accounting standard requirement for operating leases to be valued and recorded on balance sheet for the first time.

AASB 16 Leases requires entities recognise values for right-ofuse assets (ROU) for the first time. An ROU asset is a lessee’s right to use an asset, the value of which is amortised over the term of the lease. This standard came into effect from 1 July 2019.

Valuing the State’s physical assets

The value of the State’s physical assets increased by $14.1 billion to $365 billion in 2019–20. The assets include land and buildings ($168 billion), infrastructure ($180 billion) and plant and equipment ($16.7 billion). A prior period error relating to the valuation of RMS infrastructure assets reduced the reported values by $1.0 billion from $352 billion to $351 billion at 30 June 2019.

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include reclassification of physical assets leased under finance leases to right of use assets upon adoption of AASB 16 Leases on 1 July 2019.

Movements in physical asset values

Liabilities increased $38.4 billion to $256 billion

The State borrowed additional funds in response to natural disasters and COVID-19.

The State’s borrowings rose by $33.9 billion to $113.8 billion at 30 June 2020. This accounted for most of the increase in the State’s total liabilities.

The value of TCorp bonds on issue increased by $25.2 billion to $97.0 billion to largely fund capital expenditure and costs associated with the bushfires, drought and COVID-19.

TCorp bonds are actively traded in financial markets and are guaranteed by the NSW Government.

Over 2019–20, TCorp continued to take advantage of lower interest rates, buying back short-term bonds and replacing them with longer dated debt. This lengthens the portfolio matching liabilities with the funding requirements for infrastructure assets.

With effect from 1 July 2019, AASB 16 Leases required the State to recognise liabilities for operating leases for the first time. This increased total lease liabilities from $5.3 billion at 30 June 2019 to $11.8 billion at 30 June 2020.

More than a third of the State’s liabilities relate to its employees. They include unfunded superannuation and employee benefits, such as long service and recreation leave.

Valuing these obligations involves complex estimation techniques and significant judgements. Small changes in assumptions and other variables, such as a lower discount rate, can materially impact the valuation of liability balances in the financial statements.

The State’s unfunded superannuation liability rose $300 million from $70.7 billion to $71.0 billion at 30 June 2020. This was mainly due to a lower discount rate of 0.87 per cent (1.32 per cent in 2018–19). The State’s unfunded superannuation liability represents the value of its obligations to past and present employees less the value of assets set aside to fund those obligations.

The State maintained its AAA credit rating

The object of the Fiscal Responsibility Act 2012 is to maintain the State’s AAA credit rating.

The government manages New South Wales’ finances in accordance with the Fiscal Responsibility Act 2012 (the Act).

The Act establishes the framework for fiscal responsibility and the strategy to maintain the State’s AAA credit rating and service delivery to the people of New South Wales.

The legislation sets out targets and principles for financial management to achieve this.

This year, the State’s credit rating from Standard & Poor’s changed from AAA/Stable to AAA/Negative. Moody’s Investors Service credit rating of Aaa/Stable did not change from the previous year.

The fiscal target for achieving this objective is that General Government annual expenditure growth should be lower than long term average revenue growth.

The State did not achieve its fiscal target of maintaining annual expenditure growth below the long-term revenue growth rate target of 5.6 per cent.

In 2019–20, General Government expenditure grew by 9.7 per cent (5.5 per cent in 2018–19).

Expenditure items that contributed most to the growth rate include:

• recurrent grants and subsidies (20.4 per cent)
• other operating expenses (9.5 per cent)
• employee costs (including superannuation) (5.6 per cent)

Recurrent grant and subsidy expenses increased by $2.8 billion in 2019–20 mainly due to the COVID-19 and natural disaster payments. Other operating expenses increased mainly due to a $2.0 billion increase in SiCorp insurance claims. This included the $828 million provision for child abuse claims incurred but not reported. The bushfires and COVID-19 pandemic also increased the number and cost of claims in 2019–20.

Superannuation funding position since inception of the Act - AASB 1056 Valuation

Appendix one - Prescribed entities

Appendix two - Legal opinions

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Communities and Justice had effective governance and partnership arrangements in place to deliver ‘Their Futures Matter’.

Their Futures Matter was intended to place vulnerable children and families at the heart of services, and direct investment to where funding and programs deliver the greatest social and economic benefits. It was a four-year whole-of-government reform in response to the 2015 Tune Review of out-of-home care.

The Auditor-General found that while important foundations were put in place, and new programs trialled, the key objective to establish an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW was not achieved.

Governance and cross-agency partnership arrangements to deliver Their Futures Matter were found to be ineffective. 'Their Futures Matter lacked mechanisms to secure cross portfolio buy‑in and did not have authority to drive reprioritisation of government investment', the Auditor-General said.

At the reform’s close, the majority of around $380 million in investment funding remains tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives. The reform concluded on 30 June 2020 without a strategy or plan in place to achieve its intent.

The Auditor-General made four recommendations to the Department of Communities and Justice, aimed at improving implementation of outstanding objectives, revising governance arrangements, and utilising the new human services data set to address the intent of the reform. However, these recommendations respond only in part to the findings of the audit.

According to the Auditor-General, ‘Cross-portfolio leadership and action is required to ensure a whole-of-government response to delivering the objectives of Their Futures Matter to improve outcomes for vulnerable children, young people and their families in New South Wales.’

Read full report (PDF)

In 2016, the NSW Government launched 'Their Futures Matter' (TFM) - a whole-of-government reform aimed at delivering improved outcomes for vulnerable children, young people and their families. TFM was the government's key response to the 2015 Independent Review of Out of Home Care in New South Wales (known as 'the Tune Review').

The Tune Review found that, despite previous child protection reforms, the out of home care system was ineffective and unsustainable. It highlighted that the system was not client-centred and was failing to improve the long-term outcomes for vulnerable children and families. The review found that the greatest proportion of relevant expenditure was made in out of home care service delivery rather than in evidence-based early intervention strategies to support children and families when vulnerabilities first become evident to government services (such as missed school days or presentations to health services).

The then Department of Family and Community Services (FACS) designed the TFM reform initiatives, in consultation with central and human services agencies. A cross-agency board, senior officers group, and a new unit in the FACS cluster were established to drive the implementation of TFM. In the 2016–17 Budget, the government allocated $190 million over four years (2016–17 to 2019–20) to the reform. This resourced the design and commissioning of evidence-based pilots, data analytics work, staffing for the implementation unit and secretariat support for the board and cross-agency collaboration.

As part of the TFM reform, the Department of Premier and Cabinet, NSW Treasury and partnering agencies (NSW Health, Department of Education and Department of Justice) identified various existing programs that targeted vulnerable children and families (such as the preceding whole-of-government ‘Keep Them Safe’ reform coming to an end in June 2020). Funding for these programs, totalling $381 million in 2019–20, was combined to form a nominal ‘investment pool’. The government intended that the TFM Implementation Board would use this pool to direct and prioritise resource allocation to evidence-based interventions for vulnerable children and families in NSW.

This audit assessed whether TFM had effective governance and partnership arrangements in place to enable an evidence-based early intervention investment approach for vulnerable children and families in NSW. We addressed the audit objective with the following audit questions:

• Was the TFM reform driven by effective governance arrangements?
• Was the TFM reform supported by effective cross-agency collaboration?
• Has the TFM reform generated an evidence base to inform a cross-agency investment approach in the future?

The audit did not seek to assess the outcomes for children, young people and families achieved by TFM programs and projects.

Their Futures Matter (TFM) is a whole-of-government reform to deliver improved outcomes for vulnerable children, young people and their families.

Supported by a cross-agency TFM Board, and the TFM Unit in the then Department of Family and Community Services (FACS), the reform aimed to develop whole-of-government evidence-based early intervention investment approaches for vulnerable children and families in NSW.

Governance refers to the structures, systems and practices that an organisation has in place to:

• assign decision-making authorities and establish the organisation's strategic direction
• oversee the delivery of its services, the implementation of its policies, and the monitoring and mitigation of its key risks
• report on its performance in achieving intended results, and drive ongoing improvements.

We examined whether the TFM reform was driven by effective governance arrangements and cross-agency collaboration.

The reform agenda and timeframe set down for Their Futures Matter (TFM) were ambitious. This chapter assesses whether the TFM Board and TFM Unit had the capability, capacity and clout within government to deliver the reform agenda.

Creating a robust evidence base was important for Their Futures Matter, in order to:

• identify effective intervention strategies to improve supports and outcomes for vulnerable children and families
• make efficient use of taxpayer money to assist the maximum number of vulnerable children and families
• inform the investment-based approach for future funding allocation.

This chapter assesses whether the TFM reform has developed an evidence base to inform cross-agency investment decisions.

Appendix one – Response from agency

Appendix two – TFM governance entities

Appendix three – TFM Human Services Data Set

Appendix four – TFM pilot programs

Appendix five – About the audit

Appendix six – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #337 - released 24 July 2020