Refine search

Reports

18 December 2020

Published

Service NSW's handling of personal information

Premier and Cabinet

Finance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Risk

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

the content and provision of privacy collection notices
the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
steps that will be taken by each agency to ensure that personal information is kept secure
the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
to better reflect the full scope and complexity of personal information handled by Service NSW
to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
enable partitioning and role based access restrictions to personal information collected for different programs
provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

the content and provision of privacy collection notices
the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
steps that will be taken by each agency to ensure that personal information is kept secure
the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

are identified as high risk and have not previously had a privacy impact assessment
have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

17 December 2020

Published

Procurement management in Local Government

Local Government

Internal controls and governance

Management and administration

Procurement

Regulation

Service delivery

The Auditor‑General for New South Wales, Margaret Crawford, released a report today examining procurement management in Local Government.

The audit assessed the effectiveness of procurement management practices in six councils. All six councils had procurement management policies that were consistent with legislative requirements, but the audit found compliance gaps in some councils. The audit also identified opportunities for councils to address risks to transparency and accountability, and to ensure value for money is achieved when undertaking procurement.

The Auditor‑General recommended that the Department of Planning, Industry and Environment review the Local Government (General) Regulation 2005 and publish updated and more comprehensive guidance on procurement management for the Local Government sector. The report also generated insights for the Local Government sector on opportunities to strengthen procurement practices.

Effective procurement is important in ensuring councils achieve their objectives, demonstrate value for money and deliver benefits to the community when purchasing goods and services. Procurement also comes with risks and challenges in ensuring the purchased goods and services deliver to expectations. The risks of fraud and conflicts of interest also need to be mitigated.

The legislative requirements related to procurement in the Local Government sector are focused on sourcing and assessing tender offers. These requirements are included in the Local Government Act 1993 (the Act), the Local Government Amendment Act 2019 (the Amendment), the Local Government (General) Regulation 2005 (the Regulation), the Tendering Guidelines for NSW Local Government 2009 (the Tendering Guidelines), the Government Information (Public Access) Act 2009 (the GIPA Act) and the State Records Act 1998.

General requirements and guidance relevant to councils are also available in the Model Code of Conduct for Local Councils in NSW 2018 (the Model Code), the NSW Government Procurement Policy Framework 2019 and in publications by the Independent Commission Against Corruption (ICAC).^₁

Individual councils have developed their own procurement policies and procedures to expand on the legislative requirements. Understandably, these vary to reflect each council’s location, size and procurement needs. Nevertheless, the general principles of effective procurement management (such as transparency and accountability) and risk-mitigating practices (such as segregation of duties and the provision of training) are relevant to all councils.

The Audit Office of New South Wales Report on Local Government 2018 provided a sector-wide summary of aspects of procurement management in Local Government (see Section 2.1 of this report). This audit builds on this state-wide view by examining in detail the effectiveness of procurement management practices in six councils. This report also provides insights on opportunities to strengthen procurement management in the sector.

The selected councils for this audit were Cumberland City Council, Georges River Council, Lockhart Shire Council, Tweed Shire Council, Waverley Council and Wollongong City Council. They were selected to provide a mix of councils of different geographical classifications, sizes, priorities and levels of resourcing.

Conclusion

All six councils had procurement management policies and procedures that were consistent with the legislative requirements for sourcing and assessing tender offers. Their policies and procedures also extended beyond the legislative requirements to cover key aspects of procurement, from planning to completion. In terms of how these policies were applied in practice, the six councils were mostly compliant with legislative requirements and their own policies and procedures, but we found some gaps in compliance in some councils and made specific recommendations on closing these gaps.

There were also opportunities for councils to improve procurement management to mitigate risks to transparency, accountability and value for money. Common gaps in the councils’ procurement management approaches included not requiring procurement needs to be documented at the planning stage, not providing adequate staff training on procurement, not requiring procurement outcomes to be evaluated, and having discrepancies in contract values between contract registers and annual reports. These gaps expose risks to councils’ ability to demonstrate their procurements are justified, well managed, delivering to expectations, and achieving value for money. Chapter three of this report provides insights for the audited councils and the Local Government sector on ways to address these risks

Recommendations

By June 2022, the Department of Planning, Industry and Environment should:
1. publish comprehensive and updated guidance on effective procurement practices – including electronic tender submissions and procurements below the tender threshold
2. review and update the Local Government (General) Regulation 2005 to reflect the increasing use of electronic tender submissions rather than paper copies.
By December 2021, the six audited councils should consider the opportunities to improve procurement management in line with the improvement areas outlined in chapter three of this report.
Cumberland City Council should immediately:
1. ensure contract values are consistent between the contract register and the annual report
2. introduce procedures to ensure supplier performance reviews are conducted as per the council’s policy
Georges River Council should immediately:
1. ensure contract values are consistent between the contract register and the annual report
2. introduce procedures to ensure all the steps up to the awarding of a contract are documented as per the council’s policy
3. introduce procedures to ensure outcome evaluations are conducted as per the council’s policy.
Lockhart Shire Council should immediately:
1. include additional information in the council’s contract register to ensure compliance with Section 29(b), (f), (g), (h) and (i) of the GIPA Act
2. ensure contract values are consistent between the contract register and the annual report.
Waverley Council should immediately ensure contracts are disclosed in the annual report as per Section 217(1)(a2) of the Regulation.

(1) The relevant ICAC publications include: Corruption Risks in NSW Government Procurement – The Management Challenge (2011), Corruption Risks in NSW Government Procurement – Suppliers’ Perception of Corruption (2011) and Corruption Risks in NSW Government Procurement – Recommendations to Government (2011).

While all six councils had procurement policies in place and were generally compliant with legislative requirements, this report has identified common gaps in processes and practices that expose risks to transparency, accountability and value for money.

This section discusses how councils can mitigate risks and ensure the best outcomes are achieved from their procurements.

Documented justification of procurement needs

The ICAC notes that determining what goods and services an agency requires is the first step of procurement, and the scope for corruption in how need is determined is significant. Without documenting how procurement needs have been justified, councils cannot demonstrate that they fulfill business needs, nor how the procurements may link to the councils’ strategic plans to deliver to the community.

This audit found that none of the six councils’ policies required them to document justification of procurement needs, and none did so consistently in practice. Councils can address this gap by building into their procurement planning process a requirement for staff to document the justification of procurement needs. For higher value procurements, this could be extended to include analysis of options, an assessment of risks and defining intended outcomes. Similarly, clearly establishing and documenting how relevant procurements relate to a council’s community strategic plans or operational plans helps ensure transparency.

Although a formal business case may not be required for many procurements (for example, low-value procurements or routine replacements), some form of documented justification for the expenditure should still be kept on record to demonstrate that the procurement relates to business purposes and is needed.

Segregation of duties

Segregation of duties is an effective control for reducing risks of error, fraud and corruption in procurement. It works on the principle that one person should not have end-to-end control of a procurement. Effective segregation of duties also often involves managerial or independent oversight that is built into the process. Four of the audited councils (Cumberland City Council, Georges River Council, Lockhart Shire Council and Wollongong City Council) appropriately addressed segregation of duties in their procurement frameworks. For example:

All procurements in Cumberland City Council required a delegated officer’s approval before commencing, and the requisitioning department is responsible for ensuring the completion of the goods, works or services associated with each contract. For contracts over $50,000, a specific ‘Authority to Procure’ form had to be completed by the requesting staff, signed by an approver and then forwarded to the procurement team.
Reflecting its small size, all procurements in Lockhart Shire Council were managed by one senior staff member. Nevertheless, this staff member had to bring contract management plans to the rest of the Executive Leadership Team for review and discussion, with large contracts such as those above the tender threshold referred to Council for approval.

The ICAC notes that segregation of duties helps to control discretion, which has particular risk implications for some types of procurement.₂This includes those involving low-value and high-volume transactions, restricted tenders, long-standing procurements and ‘pet projects’ (projects advocated by individual staff members). In cases where corruption risks are low, ICAC notes that monitoring staff’s involvement in procurement may be a cost-effective alternative to total segregation of duties.

Assessment of supplier performance

Councils need to monitor and assess supplier performance to ensure suppliers deliver the goods and services as agreed. The audit found that all six councils consistently monitored progress in capital works and for externally funded projects. Contract monitoring in these cases included ensuring timelines, funding, and legislative requirements were met. This is positive, as capital works made up the bulk of procurements (in terms of volume) in all of the audited councils.

That said, in all six councils, the level of scrutiny was lower for other types of procurements, and there is scope for improvement. For instance, the approach to monitoring capital works or externally funded projects could be replicated across other procurements of a similar nature and value. Conducting assessments and keeping records of supplier performance on all procurements does not need to be onerous, but instead provides useful information to inform future decision-making—including by helping ensure supplier pricing remains competitive, and avoiding re-engaging underperforming suppliers.

The NSW Government Procurement Policy Framework requires that NSW Government agencies establish systems and processes jointly with the suppliers to ensure compliance with contract terms and performance requirements. It also advises that agencies should drive continuous improvement and encourage innovation in coordination with suppliers and key stakeholders.

Centralised contract register

Centrally registering a contract provides improved transparency of procurement activities and facilitates monitoring and compliance checks. While councils are already required to maintain a contract register for all contracts above the reporting threshold (as per the GIPA Act), given the threshold is set at a relatively high benchmark ($150,000), there is merit in councils extending the practice to procurements below the reporting threshold. A central and comprehensive register of contracts helps avoid duplication of procurements and re-contracting of underperforming suppliers.

Three of the audited councils (Georges River Council, Tweed Shire Council and Wollongong City Council) had contract register policies that applied to procurements below the reporting threshold during the audited period. For example, Georges River Council required contracts valued at $10,000 or above to be registered with the procurement team, and Tweed Shire Council had a threshold of $50,000.

Evaluation of community outcomes and value for money

Councils may be progressing procurements to fulfill their strategic and business plans, or using them to fulfill commitments to the community. In these instances, outcomes evaluation is an important way to demonstrate to the community that the intended benefits and value for money have been delivered.

Five of the six audited councils did not require evaluations of community outcomes and value for money. While Georges River Council required contracts valued at $50,000 or more to be monitored, evaluated and reported on at least annually throughout the contract and also at its conclusion, in the procurements we examined the only ‘outcome evaluations’ that the council had conducted were community surveys that did not refer to individual procurements. Councils can miss opportunities to understand the impact of their work on the local community if evaluations of procurement outcomes are not completed. Evaluation findings are also valuable in guiding future resource allocation decisions.

Value for money in the procurement of goods and services is more than just having the specified goods delivered or services carried out. The NSW Government Procurement Policy Framework requires that state government agencies track and report benefits to demonstrate how value for money is being delivered. The framework notes that value for money is not necessarily the lowest price, nor the highest quality good or service, but requires a balanced assessment of a range of financial and non-financial factors, such as: quality, cost, fitness for purpose, capability, capacity, risk, total cost of ownership or other relevant factors.

Procurement training

Effective procurement management relies on the capability of staff involved in various stages of the process. Guidance can be provided through training, which is an important element of any procurement management framework. It ensures that staff members are aware of the councils' policies and procedures. If structured appropriately and provided in a timely manner, training can help to standardise practices, ensure compliance, reduce chances of error, and mitigate risks of fraud or corruption.

The ICAC notes that effective procurement management depends on the competence of staff undertaking procurements and the competence of those who oversee procurement activities. As the public sector is characterised by varying levels of procurement expertise, the ICAC notes that the sector would benefit from a structured approach to training and the application of minimum standards.₃

At the time of this audit, only Wollongong City Council addressed staff training requirements in its procurement management framework. Exhibit 8 details its approach.

Exhibit 8: Wollongong City Council's approach to training
Wollongong City Council has a suite of procurement training available for staff, administered by a dedicated staff member who also monitors attendance and training needs
Staff must complete training before they can take part in a procurement or be a member of a tender assessment panel, and the council keeps a list of all accredited staff members.
Staff cannot access procurement files on the council's electronic records management system until they have received training and have been approved for access by the trainer.
Staff must be trained before they can receive a financial delegation.

Source: Audit Office of New South Wales analysis of Wollongong City Council's procurement policies and procedures 2020.

Two of the audited councils have now also introduced procurement training:

Georges River Council implemented online training, which is mandatory for new staff and serves as refresher training for existing staff. The council also provides in-person training for selected staff (covering contract management, contract specification writing and contractor relationship management) and has developed quick reference cards for all staff to increase awareness of the council's procurement processes.
Tweed Shire Council implemented mandatory online training for all staff members. The training covers the council's procurement policy and protocol as well as relevant legislation. It is linked to relevant council documents such as the Procurement Toolkit on the council's intranet, and includes a quiz for which training participants must score at least 80 per cent to have the training marked as completed.

(2) ICAC (2011) Corruption Risks in NSW Government Procurement – The Management Challenge.

(3) ICAC (2011) Corruption Risks in NSW Government Procurement – Recommendations to Government.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Councils’ procurement contracts

Appendix three – About the audit

Appendix four – Performance auditing

Parliamentary reference - Report number #345 - released 17 December 2020

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

3 September 2020

Published

Credit card management in Local Government

Local Government

Internal controls and governance

Management and administration

Procurement

Risk

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining credit card management in Local Government.

The audit was in response to a letter from the then Minister for Local Government in November 2018. The audit assessed the effectiveness of credit card management practices in six councils, including in the areas of policies, procedures, compliance and monitoring.

The audit found that all six councils had gaps in their credit card policies and procedures. The Auditor-General recommended that the Department of Planning, Industry and Environment publish guidelines on credit card management for the Local Government sector. The report also generated insights for the Local Government sector with respect to credit card management.

Read full report (PDF)

In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. As there are no sector-wide requirements or policies for credit card use and management in Local Government, councils have developed their credit card management frameworks to suit their own needs. The quality of credit card policies and procedures may therefore vary across the sector.

Credit cards are an efficient means of payment, especially for low-value purchases. Compared to the use of petty cash, credit card transactions provide better transparency and accountability for expenditure. By using credit cards, councils only need to make one payment each month, which can reduce the time spent on paying separate vendors, as in the case of purchase orders.

This audit assessed the effectiveness of credit card management practices in six councils: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. The councils selected represent a mix of rural, regional and metropolitan councils. They were also among the top ten users of credit cards within their geographical classification, in terms of the number of credit cards issued or the number of transactions per credit card.

This audit referenced the NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards', as its principles and recommendations for NSW Government agencies are relevant for councils.

The Audit Office of New South Wales Report on Local Government 2019 provided a high-level overview of credit card management across the sector. While over 90 per cent of councils reported that they had a credit card policy and a credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government. This audit complements the Report on Local Government 2019 by providing a detailed discussion of the effectiveness of credit card management practices in councils.

Audit conclusion

All six audited councils had important gaps in their credit card policies and procedures. Their reconciliation of credit card transactions needs to be enhanced to enable detection of potential misuse or fraud.

The audit found important gaps in each of the six audited councils' credit card management practices. Their policies and procedures covered the essential aspects of credit card use and management, but a lack of coverage or clarity in some areas could lead to inconsistent and inappropriate use of credit cards. These areas included: eligibility to hold a credit card, aligning credit card limits with financial delegations, and the reconciliation procedures.

While all six councils conducted reconciliations of credit card transactions, the processes need to be enhanced to enable detection of potential misuse or fraud. Reconciliations had focused solely on verifying receipts, and did not require evidence of business-related purposes, even for transactions such as alcohol purchases or spending at entertainment venues. Five of the six councils also did not include compliance checks in their reconciliation process, such as checking that purchases were not for restricted items.

The level of senior management involvement in monitoring credit card use varied across the six councils. Three of the six councils did not generate regular reports for management oversight. Five of the six councils had no plans for internal audits or targeted reviews of credit card management and use.

Council staff provided with a credit card can purchase from a wide range of businesses, including online transactions with overseas vendors. However, councils may limit the types of purchases that staff can make through their policies and procedures or by setting controls that block certain transaction types such as cash advances. To examine credit card usage, the audit obtained credit card transaction data from 1 July 2016 to 30 June 2019 for the six councils in this review. The data included:

transaction date
amount
merchant category code (MCC)
merchant name.

The audit analysed the number and value of transactions by each council, and the types of purchases made using credit cards.

The existence of a documented approach to managing credit cards ensures transparency and consistency of use within the council. A credit card management framework that contains preventative and detective controls can also minimise risks of fraud, misuse and wastage.

There is no prescribed credit card management framework for Local Government, but typical components of a credit card management framework include:

policies and procedures
guidance for staff
monitoring and reporting.

With no detailed guidance notes similar to those in TPP17–09 for NSW Government, councils have developed their own credit card management framework based on their size, structure, resources and intended credit card usage. For instance, the size of a council has implications for the number of credit cards issued, which in turn influences the arrangements for training and guidance provided to cardholders and approvers.

The intended level of credit card usage may determine whether a council adopts a manual or electronic credit card management system and councils should identify the system that best meets their needs. For instance, a council with few credit cards may not be able to justify investment in an electronic system. On the other hand, a manual system may only be viable for councils with a low number of credit cards and a low number of transactions.

Among the six councils audited, the three councils with fewer cards and a lower number of transactions had a manual credit card management system, while the three councils with more cards and a higher number of transactions used an electronic system.

Exhibit 10 summarises the six councils' policies on use of credit cards.

Exhibit 10: Overview of the six councils' policies on credit card use
Council	Audit Office classification	Number of staff (full-time equivalent)	Number of credit cards issued (current at August 2019)	Policy on credit card use
Dubbo Regional Council	Regional	453	77	Purchase cards are used for official council business up to $5,000 and the policy allows cardholders to delegate the use of their purchase cards to other staff members.
Junee Shire Council	Rural	71	1	Corporate credit cards are for council business activities and minor purchases where a purchase order is not accepted. Items that can be purchased via a purchase order should not be purchased on a corporate credit card.
Lane Cove Council	Metropolitan	192	6	Corporate credit cards are for official council business, but should not be used when there is an alternative form of payment that aligns with the council's purchasing process.
Nambucca Valley Council	Rural	110	37	Purchase cards are used for the payment of goods and services associated with council businesses.
Penrith City Council	Metropolitan	1,031	167	Purchase cards are used for ‘low value and low risk procurement of goods and services’, while corporate cards are held by senior staff for ‘non-routine low value work related purchases’.
Shellharbour City Council	Regional	372	65	Credit cards are for purchases up to $9,999 and the preferred payment method for transactions under $1,000.

Source: Audit Office of New South Wales analysis of council credit card registers, policies and procedures 2020; staff numbers from Office of Local Government's 'Your Council' website, except for Junee Shire Council which comes from their Workforce Plan 2020–24.

While it is important for councils to have an established credit card management framework, it is equally important that they ensure compliance in practice. This chapter examines councils' credit card management practices – how well staff members were complying with policies and procedures, and how effective their credit card controls were. The chapter is structured to cover:

preventative controls (embedded in the issuance, use and cancellation of cards) that prevent fraud and misuse
detective controls (embedded in reconciliation and record keeping) that assist in detecting fraud and misuse.

Where ineffective credit card management practices are identified, councils should reflect on whether they need to more closely monitor compliance, or whether there are fundamental deficiencies in their policies and procedures that need to be refined.

Dubbo Regional Council had gaps in its credit card policy and procedures. It allowed cardholders to share their credit card with other staff members, which complicated credit card management, increased the risk of misuse and fraud, and breached its agreement with the credit card issuer. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Dubbo Regional Council had 77 credit cards at the time of the audit. The council's policy on credit card sharing violated its agreement with the card issuer that each credit card should be for the respective cardholder's use only. Credit card sharing also increases the risk of misuse and fraud.

The council's credit card policy and procedures lacked clarity in several areas. The eligibility criteria were broad and there was a risk of inconsistency in granting approvals, especially since the council gave approval delegations to multiple senior staff members. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of Cabcharge.

The audit identified gaps in the council's credit card management practices. While the council had a clear policy on financial delegations, there was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel, meals and entertainment were not accompanied by evidence of need or exemption. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. The council provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.

Senior management oversight of credit card use was lacking, as the council did not produce reports on credit card use. There was also no evidence that the internal auditor had undertaken monitoring activities as required in the credit card policy.

Recommendations

Dubbo Regional Council should immediately:

1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.

By December 2020, Dubbo Regional Council should:

2. clarify in the credit card policy and procedures:

eligibility criteria for a credit card
reconciliation arrangements for the general manager’s credit card
Cabcharge management policy and procedures

3. ensure that credit card management practices include:

monitoring credit card limits in line with financial delegations
considering the use of credit card blocks
keeping the credit card register are up-to-date, accurate and complete
maintaining complete and accurate records

4. ensure reconciliation involves:

scrutinising business-related purposes and incident details of transactions
keeping a record of the finance team's review of transactions
reviewing transactions against travel pre-approval forms (where applicable)
recording vehicle details and mileage when credit cards are used in place of fuel cards
checking that there are no split transactions

5. ensure there is ongoing senior management oversight of credit card use

6. ensure the internal auditor undertakes monitoring activities as specified in the credit card policy.

Junee Shire Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Junee Shire Council had only one credit card, held by the general manager, at the time of the audit. Staff members could seek approval from the general manager to purchase using the credit card. This raises concerns of credit card sharing, which would be a violation of the council's agreement with its credit card issuer. Credit card sharing also increases the risk of misuse and fraud.

The council had fuel cards and store cards for use by staff members. However, its credit card policy and procedures did not cover the management of these types of cards. The lack of documented rules and guidance increases the risk of misuse and fraud.

The audit identified other gaps in the council's credit card management practices:

the credit card limit was not monitored in line with financial delegation
there was a lack of targeted guidance for the approver (the mayor) in reconciliation
the council was unable to provide records of certain transactions requested for review by the audit
the council did not review its credit card policy according to schedule.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include reviewing the business-related purpose of transactions. The council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.

As the cardholder, the general manager reviewed all transactions every month. As the approver, the mayor (or deputy mayor) had to sign off on these transactions. Hence, there was sufficient management oversight of the council's credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

Recommendations

Junee Shire Council should immediately:

1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.

By December 2020, Junee Shire Council should:

2. clarify in the credit card policy and procedures:

fuel card management policy and procedures
store card management policy and procedures

3. ensure that credit card management practices include:

monitoring credit card limits in line with financial delegations
considering the use of credit card blocks
providing approvers with targeted guidance
maintaining complete and accurate records

4. ensure reconciliation involves:

scrutinising business-related purposes and incident details of transactions
keeping a record of the finance team's review of transactions
checking travel pre-approval forms (where applicable)
recording vehicle details and mileage when credit cards are used in place of fuel cards
checking that there are no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management

6. ensure its credit card policy and procedures are reviewed according to schedule.

Lane Cove Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Lane Cove Council had six credit cards, held by the most senior staff members, at the time of the audit. During our interviews, cardholders advised that they had shared their credit card with reporting staff. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of fuel cards and store cards.

The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and fine payments were not accompanied by adequate justification. There was a lack of targeted guidance for approvers in reconciliation, and the council only evidenced the finance team's involvement in an administrative capacity (i.e. entering data into the journals).

Senior management oversight of credit card use was lacking. Although the credit card policy referred to management reporting, the council had not been producing such reports at the time of the audit. Management reporting was implemented in December 2019 following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

The council has adopted a new Management Directive in January 2020, which has clarified the eligibility criteria for credit cards.

Recommendations

Lane Cove Council should immediately:

1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.

By December 2020, Lane Cove Council should:

2. clarify in the credit card policy and procedures:

reconciliation arrangements for the general manager’s credit card
fuel card management policy and procedures
store card management policy and procedures

3. ensure that credit card management practices include:

monitoring credit card limits in line with financial delegations
considering the use of credit card blocks
providing approvers with targeted guidance
keeping the credit card register up-to-date, accurate and complete
maintaining complete and accurate records

4. ensure reconciliation involves:

scrutinising business-related purposes and incident details of transactions
keeping a record of the finance team's review of transactions
checking travel pre-approval forms (where applicable)
recording vehicle details and mileage when credit cards are used in place of fuel cards

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.

Nambucca Valley Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Nambucca Valley Council had 37 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures lacked guidance on the management of fuel cards, store cards and Cabcharge. The policy also lacked coverage of the reconciliation arrangements for the general manager's credit card as the general manager did not hold a credit card. While the policy did not preclude the mayor and the general manager from holding a credit card, both opted not to do so.

The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and there was insufficient control in handling staff departures, as the audit identified one incident where a credit card was returned after the staff member's last day.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include adequate compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and the use of third-party travel websites were not accompanied by adequate justification. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions.

Senior management oversight of credit card use was insufficient, as the council had been producing reports for only one manager for his department at the time of the audit. Management reporting for the Chief Finance Officer was implemented following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

The audit acknowledges that the council had revised its credit card procedures following our discussions to address our preliminary findings. The council has also set additional credit card blocks in response to this audit. The recommendations below contain only the outstanding items.

Recommendations

Nambucca Valley Council should immediately:

1. ensure cardholders stop sharing their credit card with other staff.

By December 2020, Nambucca Valley Council should:

2. clarify in the credit card policy and procedures:

reconciliation arrangements for the general manager’s credit card (should the policy continue to allow the general manager to have one)
fuel card management policy and procedures

3. ensure that credit card management practices include:

monitoring credit card limits in line with financial delegations
keeping the credit card register up-to-date, accurate and complete

4. ensure reconciliation involves:

scrutinising business-related purposes and incident details of transactions
checking travel pre-approval forms (where applicable)
recording vehicle details and mileage when credit cards are used in place of fuel cards
checking that there are no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.

Penrith City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Penrith City Council had 167 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The audit identified gaps in the council's credit card policy and procedures. There was no documented arrangement for the reconciliation of the general manager's credit card. There was also no guidance on the management of Cabcharge. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include adequate compliance checks or reviewing the business-related purpose of transactions. The council's policy required prior approval for conferences, accommodation or meal expenses. However, there was no evidence that such approvals were checked during credit card reconciliation. The audit also identified instances of split transactions.

The council implemented monthly reporting for managers in July 2019.

There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

Recommendations

Penrith City Council should immediately:

1. ensure cardholders stop sharing their credit card with other staff.

By December 2020, Penrith City Council should:

2. clarify in the credit card policy and procedures

reconciliation arrangements for the general manager’s credit card
Cabcharge management policy and procedures

3. ensure that credit card management practices include:

considering the use of credit card blocks
keeping the credit card register up-to-date, accurate and complete
maintaining complete and accurate records

4. ensure reconciliation involves:

scrutinising business-related purposes and incident details of transactions
keeping a record of the finance team's review of transactions
checking travel pre-approval forms (where applicable)
recording vehicle details and mileage when credit cards are used in place of fuel cards
checking that there are no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.

Shellharbour City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Shellharbour City Council had 65 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The council did not align credit card limits with financial delegations, and while blocking codes were used, there was no explanation in the policy or procedures. Although the mayor and general manager's credit card transactions were reviewed during the council's monthly Executive Leadership Team meetings, the policy and procedures lacked guidance on the reconciliation of their credit cards. The council also did not have sufficiently detailed documentation for the management of fuel cards.

The audit identified gaps in the council's credit card management practices:

The council's training material had not been updated following the review of its credit card policy and procedures.
The credit card register contained inaccurate information.
The council was unable to provide records of certain transactions requested for review by the audit.
The council did not review its credit card policy according to schedule.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items, such as fuel and fine payments, were not accompanied by adequate justification. The audit identified instances of split transactions, and travel or conference approval forms were also not checked during reconciliation. There was a lack of targeted guidance for approvers in reconciliation, and the council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.

The council's Executive Leadership Team was involved in the monthly review of credit card transactions, hence there was management oversight of credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

Recommendations

Shellharbour City Council should immediately:

1. ensure cardholders stop sharing their credit card with other staff.

By December 2020, Shellharbour City Council should:

2. clarify in the credit card policy and procedures:

eligibility criteria for a credit card
the use of blocking codes
reconciliation arrangements for the general manager’s credit card
fuel card management policy and procedures (with more details)

3. ensure that credit card management practices include:

monitoring credit card limits in line with financial delegations
providing approvers with targeted guidance
keeping the credit card register up-to-date, accurate and complete
maintaining complete and accurate records
updating the training material to reflect the latest policy and procedures

4. ensure reconciliation involves:

scrutinising business-related purposes and incident details of transactions
keeping a record of the finance team's review of transactions
checking travel pre-approval forms (where applicable)
recording vehicle details and mileage when credit cards are used in place of fuel cards
ensuring no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management

6. ensure its credit card policy and procedures are reviewed according to schedule.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #340 - released 3 September 2020

17 August 2020

Published

Governance and internal controls over local infrastructure contributions

Local Government

Planning

Environment

Compliance

Financial reporting

Infrastructure

Internal controls and governance

Management and administration

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today on how well four councils managed their local infrastructure contributions during the 2017-18 and 2018-19 financial years.

Local infrastructure contributions, also known as developer contributions, are collected from developers to pay for local infrastructure such as drainage, local roads, open space and community facilities. Controls over local infrastructure contributions help to ensure that all contributions owed are collected, funds are spent as intended, and any contributions paid in the form of works-in-kind or dedicated land are correctly valued.

The audit found that Blacktown City Council and City of Sydney Council provided effective governance over their local infrastructure contributions whereas Central Coast and Liverpool City Councils’ governance arrangements require improvement.

The audit found that three councils had spent local infrastructure contributions in accordance with approved contributions plans. Central Coast Council and the former Gosford City Council had spent $13.2 million on administration costs in breach of the Environmental Planning and Assessment Act 1979. These funds were repaid into the council’s local infrastructure fund during the course of the audit.

The Auditor-General made a number of recommendations for each council relating to improving controls over contributions and increasing transparency.

Read full report (PDF)

This audit examined the effectiveness of governance and internal controls over local infrastructure contributions, also known as developer contributions, held by four councils during the 2017–18 and 2018–19 financial years.

This performance audit was conducted with reference to the legislative and regulatory planning framework that was in place during that period.

Our work for this performance audit was completed at the end of March 2020 when we issued the final report to the four audited councils and the Department of Planning, Industry and Environment. We received their respective formal responses to the report’s recommendations during April and May 2020.

Concurrently to this audit, we sought Crown Solicitor’s advice (the ‘Advice’) regarding the use of local infrastructure contributions collected by local councils under the Environmental Planning and Assessment Act 1979 (‘the EPA Act’) for our financial audit work. The Advice clarified the applicable legislative requirements with reference to the application, investment and pooling of local infrastructure contributions. The Advice is included in Appendix 2 of this report. The Advice has not impacted on the findings and recommendations of this report.

Councils collect Local Infrastructure Contributions (LICs) from developers under the Environmental Planning and Assessment Act (1979), the Local Government Act (1993) and the City of Sydney Act (2000) (EP&A Act, LG Act and City of Sydney Act) to fund infrastructure required to service and support new development. At 30 June 2018, councils across NSW collectively held more than $3.0 billion in LICs collected from developers. Just over $1.37 billion in total was held by ten councils. Councils collecting LICs must prepare a contributions plan, which outlines how LICs will be calculated and apportioned across different types of infrastructure. Councils that deliver water and sewer services prepare a development servicing plan (DSP) which allows them to collect contributions for water and sewer infrastructure.

Development timeframes are such that there is often several years between when LICs are collected and the infrastructure is required. Good governance and internal controls are needed over these funds to ensure they are available when needed and spent appropriately.

This audit assessed the effectiveness of governance and internal controls over LICs collected by four councils during the 2017–18 and 2018–19 financial years: Blacktown City Council, Central Coast Council, City of Sydney Council and Liverpool City Council. As at June 2018 these councils held the four highest LIC balances, each in excess of $140 million.

Audit Conclusion

Three of the four councils audited were currently compliant with legislation, regulations and Ministerial Directions regarding LICs. All had gaps in governance and controls over LICs which limited effective oversight.

Three of the councils included in the audit complied with legislation, regulations and Ministerial Directions relating to LICs. Central Coast Council breached the EP&A Act between 2001 and 2019 when it used LICs for administration costs. These funds were repaid in late 2019.

While controls over the receipt and expenditure of contributions funds were largely in place at all councils, there were some exceptions relating to valuing work and land delivered in lieu of cash. Three councils do not provide probity guidance in policies relating to LICs delivered through works-in-kind. Three of the councils had contributions plans that were more than five years old.

Staff at all four councils are knowledgeable about LICs but not all councils keep procedures up to date. Three councils' governance frameworks operate effectively with senior officers from across the council involved in decisions about spending LICs, entering into voluntary planning agreements (VPAs) and reviewing contributions plans.

Transparency over key information relating to LICs is important for senior management so they can make informed decisions, and for the community who pay LICs and expect infrastructure to be provided. During the period of the audit, none of the councils included in the audit provided sufficient information to senior management or their councillors about the projected financial status of contributions plans. This information would be valuable when making broader strategic and financial decisions. Information about LIC levies and intended infrastructure is available to the community but not always easy to find.

A strong governance framework is important at each council to ensure that the funds are managed well, available when needed and spent as intended. The audit examined the following features of each council's governance framework as they apply to LICs:

decision-making by councillors and council officers relating to LICs
monitoring delivery of contributions plans and DSPs including:
- reviewing assumptions underlying the plans
- monitoring projected status of plans.

Internal controls over LICs are important to promote accountability, prevent fraud and deliver infrastructure to the required standard at the best possible price. If financial controls are weak or are not implemented well, there is a risk that LICs are misspent or that councils pay too much for infrastructure.

Not all councils' internal controls adequately addressed risks associated with the administration of LICs

The audit examined a number of internal controls that manage risks related to LICs. These included:

financial controls over receipt and expenditure of LIC funds
management of conflicts-of-interest when dealing with developers
independent valuations of works-in-kind and dedicated land
ensuring delivery and quality of works-in-kind, and obtaining security from developers in the event of non-delivery or poor quality work
management of variations to VPAs and works-in-kind agreements.

We reviewed controls included in policies and procedures and then checked samples of work to ensure that controls were implemented. We found variation in the controls that councils implemented, and some weaknesses in controls. It is a matter for each council to assess their financial risk and develop internal controls that support the collection, management, and expenditure of LICs. However, councils must be able to assure their communities and developers that they are doing everything possible to collect all LICs owing and that work conducted by developers in lieu of cash payments is properly valued and carried out to the required standard.

Further information about audit findings in relation to internal controls for each council are included in chapters five to eight. The exhibit below demonstrates variation in several controls implemented in the audited councils.

In a 2018 report, the Independent Commission Against Corruption noted that 'the appetite for transparency is expanding in both the public and private sectors'.

The Practice Note and S64 Guidance refer to transparency, including the importance of transparency over:

calculation and apportionment of LICs
funding of infrastructure, including where and when infrastructure is delivered
arrangements made with developers through VPAs.

The LIC system is largely transparent for community members who know where to look

Contributions plans and DSPs are public documents, exhibited to the public before being adopted by council. Councils included in the audit publish their contributions plans and DSPs on their websites and meet statutory requirements with regard to reporting and accessibility of information.

However, other public information relating to the LIC system is fragmented across different websites and reports and varies in detail across councils.

Exhibit 10: Published information about LICs at the four audited councils
	Blacktown City Council	Central Coast Council	City of Sydney Council	Liverpool City Council
Financial details about contributions collected and spent	Financial statements	Financial statements	Financial statements	Financial statements
Implementation plans for spending LICs	Contribution plans	S64 implementation plans in DSPs. S7.11 & S7.12 implementation plans developed annually within capital works plan	Contribution plans	Developed annually within capital works plan
Capital works underway or completed, funded by LICs	Capital works plan and annual report	Not published	Not published	Capital works plan

Source: Audit Office analysis.

The Practice Note states that councils are accountable for providing the infrastructure for which contributions are collected. Demonstrating that infrastructure has been provided is difficult with fragmented information. As an example of transparent reporting, Blacktown City Council's 2018–19 annual report includes information about infrastructure that has been delivered for every contributions plan, providing transparency over how LICs have been spent.

Use of LICs collected under VPAs is not always transparent

Contributions collected under VPAs are not required to demonstrate the same relationship to a development as LICs collected under section 7.11 of the EP&A Act. VPAs are often negotiated because a developer requests a change to a planning instrument, and it is important that these arrangements, and their outcomes, are transparent to the community.

The EP&A Regulation includes mechanisms to ensure that VPAs are partially transparent. VPAs are exhibited to the public and approved by the elected council. Councils must maintain a VPA Register and make the VPA Deeds of Agreement available on request. However, there is no obligation on council to report on the outcomes or delivery of developers' obligations under VPAs. The four audited councils vary in transparency and accessibility of information available about VPAs.

Exhibit 11: Published information about VPAs at the four audited councils
	Blacktown City Council	Central Coast Council	City of Sydney Council	Liverpool City Council
VPA Register	Council website and annual report	Annual report	Annual report	Council website and annual report
VPA Deeds of Agreement	Council website	Available on request	Available on request	Council website
Intended use of LICs collected under VPAs	In Deeds of Agreement	In Deeds of Agreement	In VPA Register and most Deeds of Agreement	In VPA Register and most Deeds of Agreement
Completion of work funded by cash collected under VPAs	Not published	Not published	Not published	Not published
Delivery of works-in-kind or land negotiated under VPAs	Not published	Not published	In VPA Register	Not published

Source: Audit Office analysis.

The Practice Note suggests that councils incorporate the intended use of LICs collected under VPAs in the Deed of Agreement, but there is no guidance relating to transparency over where and when funds have actually been spent. There is merit in councils providing greater transparency over public benefits delivered through VPAs to give communities confidence in VPAs as a planning tool.

Credit arrangements with developers are not always well documented or monitored

When levying LICs, section 7.11(6) of the EP&A Act requires councils to take into account land, money, or works-in-kind that the developer has contributed on other development sites over and above their LIC obligations. This section of the EP&A Act allows a developer to offset a LIC owed on one site against land or works contributed on another. This leads to some developers carrying 'credits' for work delivered to councils, to be paid back by reduced LICs on a future development. Blacktown City Council and Central Coast Council allow developers to carry credits. Liverpool City Council and City of Sydney Council do not permit credits and instead pay the developers for any additional work undertaken.

Councils should formally document credit arrangements and have a robust process to validate and keep track of credit balances and report on them. Central Coast Council does not keep good track of credit arrangements and neither Blacktown City Council or Central Coast Council aggregate or report on outstanding credit balances.

Blacktown City Council manages the largest LIC fund in NSW and negotiates more VPAs than any other council. Overall, Blacktown City Council demonstrates effective governance over the LIC funds but there is scope for improved oversight of the projected financial status of contributions plans and credit arrangements with developers. Blacktown City Council also needs to update its operating procedures relating to LICs and improve security over key information.

Blacktown City Council is managing areas with high growth. There is a risk that Blacktown City Council will be unable to collect sufficient LICs to fund the infrastructure required to support that growth. However, Blacktown City Council does not assess and report to senior management or its Audit, Risk and Improvement Committee about the projected financial status of contributions plans.

Blacktown City Council has policies in place to guide the management of LICs although management of credit arrangements with developers requires greater oversight. Policies relating to works-in-kind agreements provide no guidance about probity in negotiations with developers and valuations of works-in-kind are not independent as they are paid for by the developer. Blacktown City Council's S7.11 committee structure could act as a model for other councils. Blacktown City Council is spending LICs according to its contributions plans. Staff managing LICs demonstrate good knowledge of the regulatory environment. However, a number of administrative processes need attention such as outdated procedures, lack of security over key spreadsheets, and inappropriate retention of sensitive personal data.

Recommendations

By December 2020, Blacktown City Council should:

regularly report to senior management on the projected financial status of contributions plans
update council's works-in-kind policy to address probity risks during negotiations with developers
mitigate risks associated with lack of independence in valuations of works-in-kind
improve public reporting about expenditure of cash collected under VPAs
improve management oversight of credit arrangements with developers
update procedures for managing LICs
implement security measures over critical or personal information and spreadsheets.

Central Coast Council's governance and internal controls over LICs were not fully effective. Between 2001 and 2019, more than $13.0 million in LICs was misspent on administration costs in breach of the EP&A Act. There is scope for improved oversight of the projected financial status of contributions plans and credit arrangements with developers. Policies and procedures from the two former councils are not aligned.

In May 2016, the newly amalgamated Central Coast Council inherited 53 contributions plans from the former Gosford City and Wyong Shire Councils. Managing this number of contributions plans fragments the available funds and increases complexity. Central Coast Council is currently working on consolidating these plans. Between June 2016 and June 2019, its LIC balance doubled from $90.0 million to $196 million. Central Coast Council does not assess and report to senior management or its Audit, Risk and Improvement Committee about the projected financial status of contributions plans. Central Coast Council has a LIC committee but it has no formal charter and senior officers do not regularly attend meetings. This limits the committee's effectiveness as a decision-making body. A draft policy relating to works-in-kind agreements provide no guidance about probity in negotiations with developers. Valuations of works-in-kind and land dedications are not independent as they are paid for by the developer.

Central Coast Council has adjusted its accounts in 2018–19 by $13.2 million to repay the LIC fund for administration expenses that were not provided for in 40 contributions plans.

Recommendations

By June 2020, Central Coast Council should:

1. obtain independent validation of the adjustment made to the restricted asset accounts and general fund to repay LICs spent on administration, and adjustments made to each infrastructure category within the contributions plans

2. publish current contributions plans from the former Gosford City Council on the Central Coast Council website.

By December 2020, Central Coast Council should:

3. regularly report to senior management on the projected financial status of contributions plans

4. increase transparency of information available to the public about LIC works planned and underway, including intended use of contributions collected under VPAs

5. consolidate existing plans, ensuring the new contributions plans includes a regular review cycle

6. develop a formal charter for the developer contributions committee and increase the seniority of membership

7. complete and adopt council's works-in-kind policy currently under development, ensuring it addresses probity risks during negotiations with developers

8. mitigate risks associated with lack of independence in valuations of works-in-kind and dedicated land

9. improve public reporting about expenditure of cash collected under VPAs

10. improve management oversight of credit arrangements with developers

11. implement security measures to ensure the integrity of key spreadsheets used to manage LICs

12. align policies and procedures relating to LICs across the amalgamated council including developing policies and procedures for the management of S64 LICs

13. update council's VPA policy to address increased or indexed bank guarantees to accommodate cost increases.

City of Sydney Council manages a complex development environment across the Sydney CBD and inner suburbs. Overall, governance and internal controls over LICs are effective although there is scope for improved oversight of the projected financial status of contributions plans.

City of Sydney Council maintains a large balance of LICs, although not excessive relative to the annual level of LIC expenditure. Unspent contributions are largely associated with open space infrastructure that cannot be delivered until suitable land is available. Thirty per cent of cash contributions are collected under VPAs and there is limited transparency over how these funds are spent. City of Sydney Council does not assess and report to management or its Audit, Risk and Compliance Committee about the projected financial status of contributions plans.

In 2017–18 and 2018–19, LICs were spent in accordance with the corresponding contributions plans. City of Sydney Council staff are knowledgeable about the regulatory environment and are supported by up-to-date policies and procedures.

Recommendations

By December 2020, City of Sydney Council should:

regularly report to senior management on the projected financial status of contributions plans
improve public reporting about expenditure of cash collected under VPAs
periodically review the risk of unpaid LICs associated with complying development certificates and assess whether additional controls are required
implement security measures to ensure the integrity of key spreadsheets used to manage LICs.

During the audit period 2017–18 and 2018–19, Liverpool City Council did not have effective governance and internal controls over LICs. Liverpool City Council is addressing deficiencies and risks identified through an internal audit published in December 2018 although further work is required. There is scope for improved oversight of the projected financial status of contributions plans.

In the two years to 30 June 2019, the balance of unspent LICs increased by more than 60 per cent against a relatively low pattern of expenditure. Prior to an internal audit completed in late 2018, there was no regular reporting on the status of LICs and a lack of transparency when prioritising the expenditure of LIC funds. During 2019, and following the internal audit, Liverpool City Council engaged additional skilled resources to improve focus and accountability for LICs. A LIC committee has been established to manage contributions plans and support business units to initiate relevant infrastructure projects, although it is too early to assess whether this committee is operating effectively. From February 2019, Liverpool City Council commenced monthly reporting to its Chief Executive Officer (CEO) about the point-in-time status of LIC funds, and to its Audit, Risk and Improvement Committee about risks associated with LICs and the implementation of internal audit recommendations. There is limited reporting to senior management about the projected financial status of some contributions plans. Our audit found no evidence of misuse of funds during the audited period. Methods for valuing work and land are not aligned with policies and procedures and are implemented inconsistently. In addition, valuations of works-in-kind and land dedications are not independent as they are paid for by the developer. The policy relating to works-in-kind provides no guidance about managing probity risks when negotiating with developers.

Recommendations

By December 2020, Liverpool City Council should:

regularly report to senior management on the projected financial status of contributions plans
update council's policies and procedures to provide consistent guidance about how works and land offered by developers should be valued
update council's Works-in-Kind and Land Acquisition Policy to address probity risks during negotiations with developers
improve public reporting about expenditure of cash collected under VPAs
mitigate risks associated with lack of independence in valuations of works-in-kind and dedicated land
implement security measures over critical or private information.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Advice from the Crown Solicitor

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #339 - released 17 August 2020

5 March 2020

Published

Report on Local Government 2019

Local Government

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Service delivery

Shared services and collaboration

Workforce and capability

I am pleased to present my third report to the Parliament on the 2019 audits of local government councils in New South Wales.

This report notes that unqualified audit opinions were issued on the 2018–19 financial statements of 134 councils and 11 joint organisations. The opinion for one council was disclaimed and three audits are yet to complete.

The report also highlights improvements I have seen in financial reporting and governance arrangements across councils. Fewer errors were identified. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices, including fraud control systems, have also improved.

These are very pleasing indicators of the gradual strengthening of governance and financial oversight of the sector. I want to acknowledge the investment councils have made in working with the Audit Office to improve consistency of practice and accountability generally.

Of course there is more work to do, particularly to prepare for new accounting standards and to strengthen controls over information technology and cyber security management. Asset management practices can also be improved. This report provides some guidance to council on these matters and we will continue to partner with the Office of Local Government in the Department of Planning, Industry and Environment to support good practice.

Margaret Crawford

Auditor-General
5 March 2020

This report focuses on key observations and findings from the 2018–19 financial audits of councils and joint organisations.

Unqualified audit opinions were issued on the financial statements for 134 councils and 11 joint organisations. The audit opinion for Bayside’s 2017–18 and 2018–19 financial statements were disclaimed. Three audits are still in progress and will be included in next year’s report.

The report highlights a number of areas where there has been improvement. There was a reduction in errors identified in council financial statements and high risk issues reported in audit management letters. More councils have audit, risk and improvement committees and internal audit functions. Risk management practices and fraud control systems have also improved.

The report also found that councils could do more to be better prepared for the new accounting standards, asset management practices could be strengthened, and information technology controls and cyber security management could be improved.

The Auditor-General recommended that the Office of Local Government within the Department of Planning, Industry and Environment develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils.

Read the PDF Report

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision making is enhanced when financial reporting is accurate and timely. Strong financial performance provides the platform for councils to deliver services and respond to community needs.

This chapter outlines our audit observations on the financial reporting and performance of councils and joint organisations.

Section highlights

There was a reduction in the number and dollar value of errors identified in councils' financial statements.
We continue to identify prior period errors, which are predominantly asset-related.
Unqualified audit opinions were issued for 99 per cent of completed audits for councils and joint organisations.
Three audits remain outstanding, with the outcomes to be reported in next year's Report to Parliament.
Seventy-nine per cent of councils and joint organisations lodged their financial reports by 31 October 2019.
Councils that performed some early reporting procedures achieved better outcomes in terms of the quality and timeliness of financial reporting.
Councils are at various levels of preparedness to implement the new accounting standards for the 2019–20 financial year. Some have made the necessary modifications to systems and processes, but others are still assessing impacts.
Most councils met the prescribed benchmarks for the liquidity and working capital performance measures over the past three years.
More councils reported negative operating performance compared with the prior year, meaning their operating expenditure exceeded their operating revenue.

Strong governance systems and internal controls help councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations and support ethical government.

This chapter outlines the overall trends related to governance and internal control issues across councils and joint organisations for 2018–19.

Section highlights

While the total number of issues reported in our management letters increased compared with the prior year, the total number of high risk issues have decreased. Of the high-risk issues, 41 per cent were deficiencies in information technology controls.
More councils have established audit, risk and improvement committees and internal audit functions.
Councils have improved risk management practices, with over 75 per cent of councils now having a risk management policy and register.
While most councils have policies and processes to manage gifts and benefits, we identified some instances of non-compliance with the Model Code of Conduct.
Most councils have policies and processes to manage the use of credit cards.
Councils can strengthen policies and practices for managing fraud controls and legislative compliance.
There are further opportunities for councils to improve internal controls over revenue, purchasing, payroll, cash, financial accounting and governance processes.

Councils rely on information technology (IT) to deliver services and manage information. While IT delivers considerable benefits, it also presents risks that council needs to address.

In prior years, we reported that councils need to improve IT governance and controls to manage key financial systems. This chapter outlines the progress made by councils in the management of key IT risks and controls, with an added focus on cyber security.

Section highlights

We continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse.
Many councils do not have IT policies and procedures and others do not identify, monitor or report on IT risks.
Cyber security management requires improvement, with some basic elements of governance not yet in place for many councils.

Councils are responsible for managing a significant range of assets to deliver services on behalf of the community.

This chapter outlines our asset management observations across councils and joint organisations.

Section highlights

There was an increase in the total number of issues reported in our management letters for asset management processes.
There were less high-risk issues reported compared to the previous year.
We continue to identify discrepancies between the council's Crown land asset records and the Crown Land Information Database (CLID) managed by the former Department of Industry (DOI).
Inconsistent practices remain across the Local Government sector in accounting for landfill sites.

Appendix one – Response from the Office of Local Government within the Department of Planning, Industry and Environment

Appendix two – Status of 2018 recommendations

Appendix three – Status of audits

Copyright notice

29 November 2018

Published

Central Agencies 2018

Treasury

Premier and Cabinet

Finance

Financial reporting

Internal controls and governance

Management and administration

Risk

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters. While clear audit opinions were issued on all agency financial statements, the report notes that some complex accounting requirements caused significant errors in agency financial statements submitted for audit, which were corrected before the financial statements were approved.

This report analyses the results of our audits of the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster agencies for the year ended 30 June 2018. The table below summarises our key observations.

This report provides parliament and other users of the NSW Government's central agencies and their cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
liquidity risk management
government financial services.

The central agencies and their key responsibilities are set out below.

Central agencies	Key central agency responsibilities	Cluster responsibilities
The Treasury	Financial and economic advisor to NSW Government Manages the NSW Government’s financial resources.	The cluster: provides investment and debt management services though TCorp manages residual business arising from privatisation of government businesses provides insurance and compensation cover, including workers compensation insurance includes NSW Government superannuation funds.
Department of Premier and Cabinet	Drives NSW Government’s objectives and sets targets Works with clusters to coordinate policy and achieve NSW Government priorities.	The cluster: includes integrity agencies, such as the Independent Commission Against Corruption, Audit Office of NSW and Ombudsman’s Office other agencies, such as Barangaroo Delivery Authority and Infrastructure NSW.
Department of Finance, Services and Innovation	Supports agency service delivery in relation to the key enabling functions of NSW Government, including procurement, property and asset management, ICT and digital innovation.	The cluster: is responsible for state revenue and rental bond administration regulates statutory insurance schemes, workplace safety and consumer protection provides access to a range of NSW Government services via Service NSW manages the NSW Government communications network.
Public Service Commission	Works to promote and maintain a strong ethical culture across the government sector and improve the capabilities, performance and configuration of the sector’s workforce to deliver better services to the public.	The Public Service Commission is an independent agency within the Premier and Cabinet cluster.

Note: The Audit Office of NSW is an independent agency included in the Premier and Cabinet cluster for administrative purposes, but not commented on in this report.

A full list of agencies that this report covers by relevant cluster is included in Appendix three.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation clusters for 2018.

Observation	Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified opinions were issued for all agencies' financial statements submitted to the Audit Office. Complex accounting requirements caused significant errors in some agency financial statements, which were corrected before the financial statements were approved.	Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. Recommendation: Agencies should respond to key accounting issues when they are identified by preparing accounting papers and engaging with Treasury, the Audit Office and their Audit and Risk Committee when these matters are identified.
2.2 Timeliness of financial reporting
Most agencies complied with the statutory timeframe for completion of early close procedures, 48 agencies in the Treasury cluster did not comply with the statutory requirement to prepare financial statements, and the audits of nine agencies in the Treasury cluster were not completed within the statutory timeframe. All financial statement information of the 48 agencies that did not prepare financial statements has been captured in the consolidated financial statements of their parent entity, which was subject to audit.	Early close procedures allow financial reporting issues and risks to be addressed early in the audit process. The timeliness of financial reporting can be improved by performing more robust early close procedures.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

our financial statement audits of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster for 2018
the areas of focus identified in the Audit Office work program.

The Audit Office work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation	Conclusions and recommendations
3.1 Internal controls
The 2017–18 audits found one high risk issue and 83 moderate risk issues across the agencies. Nineteen per cent of all issues were repeat issues.	Agencies should focus on rectifying repeat issues.
The high risk issue at Service NSW related to several deficiencies in procurement and contract management processes.	Service NSW may not be achieving value-for-money from their procurement and contract management activities. The high risk issue should be rectified as a matter of priority. This includes updating and implementing its procurement, vendor and contract management frameworks and delivering training to key staff involved in procurement and contract management activities.
Property NSW has implemented several controls during the year to rectify the high risk issue identified last year related to its transition to a new property and facility management service provider. However, the service providers performance remains below expectations and there are further opportunities to improve oversight and lift performance.	Property NSW can better define roles and accountabilities with the service provider and formalise policies and processes associated with its monitoring and oversight of the service provider. Implementing relevant KPIs, receiving timely reports and providing timely review and feedback to the service provider may help to lift performance.
GovConnect received unqualified opinions from their service auditor on all business process controls, except for information technology controls provided by Unisys, where a qualified opinion was received from the service auditor. A qualified opinion was received because of several deficiencies in user access controls.	These internal control deficiencies increase the risk of unauthorised access to key business systems, and increase audit effort and costs associated with addressing the risks arising from the deficiencies.
3.2 Audit Office annual work program
Remediation of the Barangaroo site is now estimated to cost the Barangaroo Delivery Authority in excess of net $400 million. The increase in the estimate over the last five years is mainly due to the extent of remediation required, as more evidence of contamination has become known.	Measuring the remaining costs to remediate requires the use of estimation techniques and judgements, making the actual outcome inherently uncertain. We reviewed evidence to support the provision for remediation, including future costs estimates and this evidence supported management’s estimate.
The State Insurance Regulatory Authority have administered the refund of $138 million in Green slip refunds to policy holders through Service NSW during 2017–18. At 30 June 2018, $112 million in refunds are yet to be claimed. We reviewed the systems and processes supporting the refund process. While we found that this supports the disbursement of refunds to policyholders there were some deficiencies in Service NSW’s project controls when the program was being developed.	Service NSW should apply the lessons learnt from this program to other programs it is delivering or will be delivering for agencies.
Revenue NSW recorded $30.4 billion from taxes, fines and fees in 2017–18 ($30.0 billion in 2016–17) to support the State’s finances.	Crown revenue has steadily increased over the last five years predominately driven by rises in payroll tax and land tax and responsibility for collection of the Emergency Services Levy transferring to Revenue NSW under the Emergency Services Levy Act 2017 effective from July 2017.
3.3 Managing maintenance
Place Management NSW manages significant commercial and retail leases and maintains public domain spaces and other assets around the harbour foreshore. It has consistently underspent its asset maintenance budget. In 2017–18, asset maintenance expenses were only 34 per cent of budgeted maintenance expense. Currently, Place Management NSW does not use any ratios or benchmarks to determine the adequacy of its maintenance spend or to monitor whether it is achieving its budgeted maintenance program.	This may be contributing to a high proportion of unplanned maintenance, which Place Management NSW reports was 38 per cent of total maintenance expense in 2017–18. Place Management NSW is outsourcing its property and facilities management function from 1 December 2018 to an external service provider.

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation	Conclusions and recommendation
5.1 Superannuation funds
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). However, legislation allows the responsible Minister to prescribe prudential standards, reporting and audit requirements.	Structured and comprehensive prudential oversight of these Funds is important as they operate in a volatile financial sector, have 103,000 members and manage investments of $43.3 billion. Recommendation: Treasury should consult with the Trustees of the STC Pooled Fund and PCS Fund to prescribe appropriate prudential standards and requirements, including oversight arrangements.
5.2 Insurance and compensation
Nominal Insurer and NSW Self Insurance Corporation investment performance marginally exceeded benchmark over the past five years.	Investment returns can impact on the premiums required to maintain an adequate funding ratio in addition to other factors such as claims experience and discount rates.
The Workers Compensation Nominal Insurer (Nominal Insurer) and NSW Self Insurance Corporation's net collected premiums and contributions decreased over the past five years.	The insurance schemes' investment performance and stable claim payments have enabled less reliance on net collected premiums and contributions as a source of funding, over the past five years.
Reforms were introduced to manage the Home Warranty Scheme's financial sustainability risks.	The Home Warranty Scheme has not collected sufficient premiums to fund expected claims costs, since commencing operations in 2011. In 2017–18, the Crown contributed $181 million for historical shortfalls. New reforms started on 1 January 2018 enabling the Scheme to price premiums based on risk.

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Appendix four - Timeliness of financial reporting and audit reporting

Appendix five - Management letter findings by risk rating

Appendix six – Financial data

30 October 2018

Published

Internal Controls and Governance 2018

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Environment

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.

This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.

This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.

This report offers insights into internal controls and governance in the NSW public sector

This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:

Internal control trends
Information technology (IT), including IT vendor management
Transparency and performance reporting
Management of purchasing cards and taxis
Fraud and corruption control.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.

The focus of the report has changed since last year

Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Agencies selected for the volume account for 95 per cent of the state's expenditure

While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.

Observation	Conclusions and recommendations
2.1 High risk findings
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16.	Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority.
2.2 Common findings
We found several internal controls and governance findings common to multiple agencies.	Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective.
2.3 New and repeat findings
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies.	The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies.
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases	Recommendation: Agencies should reduce IT risks by: assigning ownership of recommendations to address IT control deficiencies, with timeframes and actions plans for implementation ensuring audit and risk committees and agency management regularly monitor the implementation status of recommendations.

Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.

Observation	Conclusions and recommendations
3.1 Management of IT vendors
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review.	Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by: internal audit focusing on key contracting activities experienced officers who are independent of contract administration performing spot checks or peer reviews targeted analysis of data in contract registers.
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract.	Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination.
Performance management Eighty-six per cent of agencies meet with vendors to discuss performance. Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance.	Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by: a more active, rigorous approach to both risk and performance management checking the accuracy of vendor reporting against those KPIs and where appropriate seeking assurance over their accuracy invoking performance based payments clauses in contracts when performance falls below agreed standards.
Transitioning services Forty-three per cent of the IT vendor contracts did not contain transitioning-out provisions. Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor.	Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'.
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete.	Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by: monitoring contract end dates and contract extensions, and commence new procurements through their central procurement teams in a timely manner managing their contractual commitments, budgeting and cash flow requirements. Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations.
3.2 IT general controls
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review.	Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments.
User access administration Seventy-two deficiencies were identified related to user access administration, including: thirty issues related to granting user access across 43 per cent of agencies sixteen issues related to removing user access across 30 per cent of agencies twenty-six issues related to periodic reviews of user access across 50 per cent of agencies.	Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems.
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities.	Recommendation: Agencies should: review the number of, and access granted to privileged users, and assess and document the risks associated with their activities monitor user access to address risks from unauthorised activity.
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters.	Recommendation: Agencies should ensure IT password settings comply with their password policies.
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment.	Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed.

This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.

Observation

Conclusion or recommendation

4.1 Reporting on performance

Only 57 per cent of agencies linked reporting on performance to their strategic objectives.

The use of targets and reporting performance over time was limited and applied inconsistently.

Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information.

Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports.

There is no independent assurance that the performance metrics agencies report in their annual reports are accurate.

Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported.

Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited.

The relevance and accuracy of performance information is enhanced when:

policies and guidance support the consistent and accurate collection of data
internal review processes and management oversight are effective
independent review processes are established to provide effective challenge to the assumptions, judgements and methodology used to collect the reported performance information.

4.2 Reporting on reports

Agency reporting on major projects does not meet the requirements of the annual reports regulation.

Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations.

NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations.

Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress.

The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works.

Sixteen of 30 agencies reported some information on completed major works.

Conclusion: Agencies could improve their transparency if they reported, or were required to report:

on both works in progress and projects completed during the year
actual costs and completion dates, and forecast completion dates for major works, against original and revised budgets and original expected completion dates
explanations for significant cost overruns, delays and key project performance metrics.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.

Observation	Conclusion or recommendation
5.1 Management of purchasing cards
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement.	Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards.
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy.	Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'.
Preventative controls We found that: all agencies maintained purchasing card registers seventy-six per cent provided training to cardholders prior to being issued with a card eighty-nine per cent appointed a program administrator, but only half of these had clearly defined roles and responsibilities thirty-two per cent of agencies place merchant blocks on purchasing cards forty-seven per cent of agencies place geographic restrictions on purchasing cards.	Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as: updating purchasing card registers to contain all mandatory fields required by TPP17–09 appointing a program administrator for the agency's purchasing card framework and defining their role and responsibility for the function strengthening preventive controls to prevent misuse.
Detective controls Ninety-two per cent of agencies have designed and implemented at least one control to monitor purchasing card activity. Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used.	Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to: detect misuse and investigate exceptions analyse trends to highlight cost saving opportunities.
5.2 Management of taxis
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition: a further 41 per cent of agencies have not reviewed their policies by the scheduled revision date, or do not have a scheduled revision date more than half of all agencies’ policies do not offer alternative travel options. For example, only 36 per cent of policies promoted the use of general Opal cards.	Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies: limit the circumstances where taxi use is appropriate offer alternate, lower cost options to using taxis, such as general Opal cards and rideshare.
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews.	Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program.

Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.

Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:

unreported frauds in organisations can be almost three times the number of reported frauds
our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.

Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.

Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.

Observation	Conclusion or recommendation
6.1 Prevention systems
Prevention systems Ninety-two per cent of agencies have a fraud control plan in place, 81 per cent maintain a fraud database and 79 per cent report fraud and corruption matters as a standing item on audit and risk committee agendas. Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies.	Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by: completing regular fraud risk assessments, embedding fraud risk assessment into their enterprise risk management process and reporting the results of the assessment to the audit and risk committee maintaining a fraud database and reviewing it regularly for systemic issues and reporting a redacted version of the database on the agency's website to inform corruption prevention networks developing policies and procedures for employee screening and benchmarking their current processes against ICAC's publication ‘Strengthening Employment Screening Practices in the NSW Public Sector’ developing and maintaining up to date IT security policies and monitoring compliance with the policy.
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be.	Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified.
6.2 Detection systems
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program.	Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment.
6.3 Notification systems
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption.	Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

27 June 2018

Published

Assessment of the use of a training program

Finance

Internal controls and governance

Management and administration

The Department of Finance, Services and Innovation (DFSI) and Service NSW's use of Franklin Covey's '7 Habits' program (the Program) met identified business needs according to a report released today by the Auditor-General for New South Wales Margaret Crawford.

This audit assesses the effectiveness and economy of the Department of Finance, Services and Innovation's, including Service NSW's, use of the Franklin Covey ‘7 Habits’ program (the Program). On 15 March 2018, the Hon. Victor Dominello MP, Minister for Finance, Services and Property, requested the Auditor General conduct this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 (the Act).

About the agencies

The Department of Finance, Services and Innovation (the Department) is the lead agency of the Finance, Services and Innovation cluster. The Department has a number of divisions and business units, including: ICT and Digital Government, Property and Advisory Group, Better Regulation, NSW Fair Trading, Government and Corporate Services, and Revenue NSW. At 30 June 2017, the Department (excluding Service NSW) had 5,239 full-time equivalent staff.

Service NSW is a central point of contact for customers accessing NSW Government Services. It is a Division of the Finance, Services and Innovation cluster and operates as an executive agency. As an executive agency, Service NSW is led by a Chief Executive Officer, who is responsible to the Minister for Finance, Services and Property but appointed by the Secretary of the Department of Finance, Services and Innovation. Service NSW was established in 2013 and has operated under the Finance, Services and Innovation cluster since July 2015. At 30 June 2017, Service NSW had 1,989 full-time equivalent staff.

About the Program

The Program that the Department and Service NSW are implementing, and which is the subject of this audit, is a professional development training course which focusses on organisational culture emphasising personal effectiveness, leadership development and change management. All staff in the Department and Service NSW will receive the training, which involves:

a 360-degree assessment where every staff member receives feedback from their manager, direct reports, and peers
a two-day training workshop, which will be delivered face to face by accredited facilitators
2 years of online access to all training materials created by the provider of the Program.

As part of the licensing arrangement purchased by the agencies, the Program also provides access (at no extra cost) to the full range of the provider's training and development courses that might be useful for other learning and development activities. This includes courses to improve staff capability in communication skills, leadership, productivity and customer engagement. The Department is considering using one of these courses to develop leadership capabilities. Service NSW has integrated three of these courses into its people development curriculum.

Service NSW commenced the first sessions of the Program in May 2017. At 24 April 2018, around 1,000 staff had undertaken the training. Service NSW expects all staff to complete the Program by June 2019.

The Department of Finance, Services and Innovation commenced the first sessions of the Program in August 2017. At 18 April 2018, around 175 staff had undertaken the training. The Department expects all staff to complete the Program by December 2019.

Audit objective and criteria

The audit sought to assess the effectiveness and economy of the Finance, Services and Innovation cluster’s use of the Program. In making this assessment, we considered whether:

the Program is being used effectively, including whether
1. there is an identified need for the Program
2. the use of the Program meets the identified need
3. Finance, Services and Innovation cluster agencies evaluate the effectiveness of the Program
the Program is economical, including whether:
1. the procurement complies with all relevant policies and processes
2. funding and resources allocated to the Program are reasonable.

Conclusion

The Department of Finance, Services and Innovation, and Service NSW developed workforce strategies which identified a business need to improve organisational culture and staff engagement. The Program met the identified business needs and both agencies negotiated value for money contracts for the delivery of the Program when compared to other available options for training all staff.

However, the agencies did not document evidence to show that training all staff members was necessary to meet their business needs, as compared with training fewer staff members at a lower overall cost. As a result, we are unable to form a view on whether the approach to train all staff members was economical. The agency heads have subsequently provided information supporting their decisions to train all staff members. This information indicates their decisions were based on evidence that this would meet the goals of their workforce strategies, including improving employee engagement scores and organisational culture change.

The Department is paying $1,320,700, over three years, for up to 5,600 staff to participate in the Program ($235.84 per person). Service NSW is paying $595,000, over two years, for up to 2,400 staff to participate in the Program ($247.92 per person).

The agencies are collecting the data they need to evaluate the Program and there is some evidence that the Program is achieving its objectives in Service NSW. Due to the timing of this audit, there is not yet enough information available to comment on whether the Program is achieving its objectives in the Department.

Sector-wide learnings

Implementing robust learning and development frameworks

Agencies should evidence decisions about how proposed learning and development opportunities will meet staff and business needs - both in the program design, and through evaluation. In many cases, organisations may have unique needs or circumstances, or may want to trial innovative approaches to improving organisational capability. Innovation should be encouraged, to avoid the risk that agencies are locked into outdated training and development models. However such approaches should be balanced by ensuring that business needs are well scoped and defined.
Agencies implementing innovative or new approaches to learning and development should build-in iterative evaluations (such as pulse surveys, or collecting post-participation qualitative feedback) to ensure that the training is delivered on intended benefits, and to inform improvements to ongoing rollout.
Agencies implementing innovative or new training programs should ensure they build enough flexibility into contracts so that they can assess how well programs are meeting staff and business needs, and use evidence to inform whether further rollout should occur.

Appendix one – Response from agencies

Appendix two – Evaluation methodologies

Appendix three – About the audit

22 June 2018

Published

Fraud controls in local councils

Local Government

Fraud

Internal controls and governance

Management and administration

Risk

Many local councils need to improve their fraud control systems, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. The report highlights that councils often have fraud control procedures and systems in place, but are not ensuring people understand them and how they work. There is also significant variation between councils in the quality of their fraud controls.

Fraud can directly influence councils’ ability to deliver services, and undermine community confidence and trust. ICAC investigations, such as the recent Operation Ricco into the former City of Botany Bay Council, show the financial and reputational damage that major fraud can cause. Good fraud control practices are critical for councils and the community.

The Audit Office of New South Wales 2015 Fraud Control Improvement Kit (the Kit) aligns with the Fraud and Corruption Control Standard AS8001-2008 and identifies ten attributes of an effective fraud control system. This audit used the Kit to assess how councils manage the risk of fraud. It identifies areas where fraud control can improve.

Fraud can disrupt the delivery and quality of services and threaten the financial stability of councils.

Recent reviews of local government in Queensland and Victoria identify that councils are at risk of fraud because they purchase large quantities of goods and services using devolved decision making arrangements. The Queensland Audit Office in its 2014–15 report 'Fraud Management in Local Government' found that ‘Councils are exposed to high-risks of fraud and corruption because of the high volume of goods and services they procure, often from local suppliers; and because of the high degree of decision making vested in councils'. They also highlight some common problems faced by councils including the absence of fraud control plans and failure to conduct regular reviews of their internal controls. Also, in 2008 and 2012 the Victorian Auditor-General identified the importance of up-to-date fraud control planning, clearly documented related policies, training staff to identify fraud risks and the importance of controls such as third party management.

Investigations into councils by the NSW Independent Commission Against Corruption (ICAC), such as the recent Operation Ricco, show the impact that fraud can have on councils. These impacts include significant financial loss, and negative public perceptions about how well councils manage fraud. The findings of these investigations also show the importance of good fraud controls for councils.

Operation Ricco

In its report on Operation Ricco, the ICAC found that the Chief Financial Officer (CFO) of the City of Botany Bay Council and others dishonestly exercised official functions to obtain financial benefits for themselves and others by causing fraudulent payments from the Council for their benefit. It also identified the CFO received inducements for favourable treatment of contractors.

The report noted that there were overwhelming failures in the council’s procedures and governance framework that created significant opportunities for corruption, of which the CFO and others took advantage.

It found weaknesses across a wide variety of governance processes and functions, including those involving the general manager, the internal audit function, external audit, and the operation of the audit committee.

Source: Published reports of ICAC investigations July 2017.

The strength of fraud control systems varies significantly across New South Wales local councils, and many councils we surveyed need to improve significantly.

Most surveyed councils do not have fraud control plans that direct resources to mitigating the specific fraud risks they face. Few councils reported that they conduct regular risk assessments or health checks to ensure they respond effectively to the risks they identify.

There are sector wide weaknesses that impact on the strength of councils' fraud control practice. Less than one-third of councils that responded to the survey:

communicate their expectations about ethical conduct and responsibility for fraud control to staff
regularly train staff to identify and respond to suspected fraud
inform staff or the wider community how to report suspected fraud and how reports made will be investigated.

The audit also identified a pattern of councils developing policies, procedures or systems without ensuring people understand them, or assessing that they work. This reduces the likelihood that staff will actually use them.

In general, metropolitan and regional councils surveyed have stronger fraud control systems than rural councils.

Newly amalgamated councils are operating with systems inherited from two or more pre-amalgamated councils. These councils are developing new systems for their changed circumstances.

Five councils surveyed reported that they did not comply with the Public Interest Disclosure Act 1994.

Observations for the sector:
Councils should improve their fraud controls by:

tailoring fraud control plans to their circumstances and specific risks
systematically and regularly reviewing their fraud risks and fraud control systems to keep their plans up to-date
effectively communicating fraud risks, and how staff and the community can report suspected fraud
ensuring that they comply with the Public Interest Disclosure Act 1994.

Recommendation:
That the Office of Local Government:

work with councils to ensure they comply with the Public Interest Disclosure Act 1994.

Despite several New South Wales state entities collecting data on suspected fraud, the cost, extent, and nature of fraud in local councils is not clear.

There are weaknesses in data collection and categorisation. Several state entities receive complaints about councils. These entities often do not separate complaints about fraud from other complaint data, do not separate local council data from other public-sector data, and do not separate complaints about council decisions or councillors from complaints about council staff conduct. Complaints about one incidence of suspected fraud can also be reported multiple times.

Collaboration between state entities and councils to address these weaknesses in data collection could provide a clearer picture to the public and councils on the incidence of suspected fraud. Better information may also help councils decide where to focus fraud control efforts and apply resources more effectively.

Including measures for fraud control strength and maturity in the OLG performance framework may also improve practice in councils. Further, OLG may want to consider how a revised Model Code could better drive fraud control practice in councils.

Recommendations
That the Office of Local Government:

work with state entities and councils to develop a common approach to how fraud complaints and incidences are defined and categorised so that they can:
- better use data to provide a clearer picture of the level of fraud within councils
- measure the effectiveness of, and drive improvement in councils' fraud controls systems

Appendix one – Response from agency

Appendix two – Survey results

Appendix three – About the audit

Appendix four – Performance auditing

Parliamentary reference - Report number #303 - released 22 June 2018

Audit progress

Sector

Year

Report type

Topic

Reports

Conclusion

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

2. Recommendations

As a matter of urgency, Service NSW should:

By March 2021, Service NSW should:

By June 2021, Service NSW should:

By December 2021, Service NSW should:

Recommendations

Documented justification of procurement needs

Segregation of duties

Assessment of supplier performance

Centralised contract register

Evaluation of community outcomes and value for money

Procurement training

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Audit conclusion

Recommendations

Recommendations

Lane Cove Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Recommendations

Nambucca Valley Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Recommendations

Penrith City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Recommendations

Shellharbour City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Recommendations

Audit Conclusion

Not all councils' internal controls adequately addressed risks associated with the administration of LICs

The LIC system is largely transparent for community members who know where to look

Use of LICs collected under VPAs is not always transparent

Credit arrangements with developers are not always well documented or monitored

City of Sydney Council manages a complex development environment across the Sydney CBD and inner suburbs. Overall, governance and internal controls over LICs are effective although there is scope for improved oversight of the projected financial status of contributions plans.

Section highlights

Section highlights

Section highlights

Section highlights

This report offers insights into internal controls and governance in the NSW public sector

The focus of the report has changed since last year

Agencies selected for the volume account for 95 per cent of the state's expenditure

About the agencies

About the Program

Audit objective and criteria