The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor‑General for New South Wales, Margaret Crawford, released a report today examining procurement management in Local Government.

The audit assessed the effectiveness of procurement management practices in six councils. All six councils had procurement management policies that were consistent with legislative requirements, but the audit found compliance gaps in some councils. The audit also identified opportunities for councils to address risks to transparency and accountability, and to ensure value for money is achieved when undertaking procurement.

The Auditor‑General recommended that the Department of Planning, Industry and Environment review the Local Government (General) Regulation 2005 and publish updated and more comprehensive guidance on procurement management for the Local Government sector. The report also generated insights for the Local Government sector on opportunities to strengthen procurement practices.

Effective procurement is important in ensuring councils achieve their objectives, demonstrate value for money and deliver benefits to the community when purchasing goods and services. Procurement also comes with risks and challenges in ensuring the purchased goods and services deliver to expectations. The risks of fraud and conflicts of interest also need to be mitigated.

The legislative requirements related to procurement in the Local Government sector are focused on sourcing and assessing tender offers. These requirements are included in the Local Government Act 1993 (the Act), the Local Government Amendment Act 2019 (the Amendment), the Local Government (General) Regulation 2005 (the Regulation), the Tendering Guidelines for NSW Local Government 2009 (the Tendering Guidelines), the Government Information (Public Access) Act 2009 (the GIPA Act) and the State Records Act 1998.

General requirements and guidance relevant to councils are also available in the Model Code of Conduct for Local Councils in NSW 2018 (the Model Code), the NSW Government Procurement Policy Framework 2019 and in publications by the Independent Commission Against Corruption (ICAC).^₁

Individual councils have developed their own procurement policies and procedures to expand on the legislative requirements. Understandably, these vary to reflect each council’s location, size and procurement needs. Nevertheless, the general principles of effective procurement management (such as transparency and accountability) and risk-mitigating practices (such as segregation of duties and the provision of training) are relevant to all councils.

The Audit Office of New South Wales Report on Local Government 2018 provided a sector-wide summary of aspects of procurement management in Local Government (see Section 2.1 of this report). This audit builds on this state-wide view by examining in detail the effectiveness of procurement management practices in six councils. This report also provides insights on opportunities to strengthen procurement management in the sector.

The selected councils for this audit were Cumberland City Council, Georges River Council, Lockhart Shire Council, Tweed Shire Council, Waverley Council and Wollongong City Council. They were selected to provide a mix of councils of different geographical classifications, sizes, priorities and levels of resourcing.

Recommendations

1. By June 2022, the Department of Planning, Industry and Environment should:
   1. publish comprehensive and updated guidance on effective procurement practices – including electronic tender submissions and procurements below the tender threshold
   2. review and update the Local Government (General) Regulation 2005 to reflect the increasing use of electronic tender submissions rather than paper copies.
2. By December 2021, the six audited councils should consider the opportunities to improve procurement management in line with the improvement areas outlined in chapter three of this report.
3. Cumberland City Council should immediately:
   1. ensure contract values are consistent between the contract register and the annual report
   2. introduce procedures to ensure supplier performance reviews are conducted as per the council’s policy
4. Georges River Council should immediately:
   1. ensure contract values are consistent between the contract register and the annual report
   2. introduce procedures to ensure all the steps up to the awarding of a contract are documented as per the council’s policy
   3. introduce procedures to ensure outcome evaluations are conducted as per the council’s policy.
5. Lockhart Shire Council should immediately:
   1. include additional information in the council’s contract register to ensure compliance with Section 29(b), (f), (g), (h) and (i) of the GIPA Act
   2. ensure contract values are consistent between the contract register and the annual report.
6. Waverley Council should immediately ensure contracts are disclosed in the annual report as per Section 217(1)(a2) of the Regulation.

While all six councils had procurement policies in place and were generally compliant with legislative requirements, this report has identified common gaps in processes and practices that expose risks to transparency, accountability and value for money.

This section discusses how councils can mitigate risks and ensure the best outcomes are achieved from their procurements.

Documented justification of procurement needs

The ICAC notes that determining what goods and services an agency requires is the first step of procurement, and the scope for corruption in how need is determined is significant. Without documenting how procurement needs have been justified, councils cannot demonstrate that they fulfill business needs, nor how the procurements may link to the councils’ strategic plans to deliver to the community.

This audit found that none of the six councils’ policies required them to document justification of procurement needs, and none did so consistently in practice. Councils can address this gap by building into their procurement planning process a requirement for staff to document the justification of procurement needs. For higher value procurements, this could be extended to include analysis of options, an assessment of risks and defining intended outcomes. Similarly, clearly establishing and documenting how relevant procurements relate to a council’s community strategic plans or operational plans helps ensure transparency.

Although a formal business case may not be required for many procurements (for example, low-value procurements or routine replacements), some form of documented justification for the expenditure should still be kept on record to demonstrate that the procurement relates to business purposes and is needed.

Segregation of duties

Segregation of duties is an effective control for reducing risks of error, fraud and corruption in procurement. It works on the principle that one person should not have end-to-end control of a procurement. Effective segregation of duties also often involves managerial or independent oversight that is built into the process. Four of the audited councils (Cumberland City Council, Georges River Council, Lockhart Shire Council and Wollongong City Council) appropriately addressed segregation of duties in their procurement frameworks. For example:

• All procurements in Cumberland City Council required a delegated officer’s approval before commencing, and the requisitioning department is responsible for ensuring the completion of the goods, works or services associated with each contract. For contracts over $50,000, a specific ‘Authority to Procure’ form had to be completed by the requesting staff, signed by an approver and then forwarded to the procurement team.

• Reflecting its small size, all procurements in Lockhart Shire Council were managed by one senior staff member. Nevertheless, this staff member had to bring contract management plans to the rest of the Executive Leadership Team for review and discussion, with large contracts such as those above the tender threshold referred to Council for approval.

The ICAC notes that segregation of duties helps to control discretion, which has particular risk implications for some types of procurement.₂ This includes those involving low-value and high-volume transactions, restricted tenders, long-standing procurements and ‘pet projects’ (projects advocated by individual staff members). In cases where corruption risks are low, ICAC notes that monitoring staff’s involvement in procurement may be a cost-effective alternative to total segregation of duties.

Assessment of supplier performance

Councils need to monitor and assess supplier performance to ensure suppliers deliver the goods and services as agreed. The audit found that all six councils consistently monitored progress in capital works and for externally funded projects. Contract monitoring in these cases included ensuring timelines, funding, and legislative requirements were met. This is positive, as capital works made up the bulk of procurements (in terms of volume) in all of the audited councils.

That said, in all six councils, the level of scrutiny was lower for other types of procurements, and there is scope for improvement. For instance, the approach to monitoring capital works or externally funded projects could be replicated across other procurements of a similar nature and value. Conducting assessments and keeping records of supplier performance on all procurements does not need to be onerous, but instead provides useful information to inform future decision-making—including by helping ensure supplier pricing remains competitive, and avoiding re-engaging underperforming suppliers.

The NSW Government Procurement Policy Framework requires that NSW Government agencies establish systems and processes jointly with the suppliers to ensure compliance with contract terms and performance requirements. It also advises that agencies should drive continuous improvement and encourage innovation in coordination with suppliers and key stakeholders.

Centralised contract register

Centrally registering a contract provides improved transparency of procurement activities and facilitates monitoring and compliance checks. While councils are already required to maintain a contract register for all contracts above the reporting threshold (as per the GIPA Act), given the threshold is set at a relatively high benchmark ($150,000), there is merit in councils extending the practice to procurements below the reporting threshold. A central and comprehensive register of contracts helps avoid duplication of procurements and re-contracting of underperforming suppliers.

Three of the audited councils (Georges River Council, Tweed Shire Council and Wollongong City Council) had contract register policies that applied to procurements below the reporting threshold during the audited period. For example, Georges River Council required contracts valued at $10,000 or above to be registered with the procurement team, and Tweed Shire Council had a threshold of $50,000.

Evaluation of community outcomes and value for money

Councils may be progressing procurements to fulfill their strategic and business plans, or using them to fulfill commitments to the community. In these instances, outcomes evaluation is an important way to demonstrate to the community that the intended benefits and value for money have been delivered.

Five of the six audited councils did not require evaluations of community outcomes and value for money. While Georges River Council required contracts valued at $50,000 or more to be monitored, evaluated and reported on at least annually throughout the contract and also at its conclusion, in the procurements we examined the only ‘outcome evaluations’ that the council had conducted were community surveys that did not refer to individual procurements. Councils can miss opportunities to understand the impact of their work on the local community if evaluations of procurement outcomes are not completed. Evaluation findings are also valuable in guiding future resource allocation decisions.

Value for money in the procurement of goods and services is more than just having the specified goods delivered or services carried out. The NSW Government Procurement Policy Framework requires that state government agencies track and report benefits to demonstrate how value for money is being delivered. The framework notes that value for money is not necessarily the lowest price, nor the highest quality good or service, but requires a balanced assessment of a range of financial and non-financial factors, such as: quality, cost, fitness for purpose, capability, capacity, risk, total cost of ownership or other relevant factors.

Procurement training

Effective procurement management relies on the capability of staff involved in various stages of the process. Guidance can be provided through training, which is an important element of any procurement management framework. It ensures that staff members are aware of the councils' policies and procedures. If structured appropriately and provided in a timely manner, training can help to standardise practices, ensure compliance, reduce chances of error, and mitigate risks of fraud or corruption.

The ICAC notes that effective procurement management depends on the competence of staff undertaking procurements and the competence of those who oversee procurement activities. As the public sector is characterised by varying levels of procurement expertise, the ICAC notes that the sector would benefit from a structured approach to training and the application of minimum standards.₃

At the time of this audit, only Wollongong City Council addressed staff training requirements in its procurement management framework. Exhibit 8 details its approach.

Two of the audited councils have now also introduced procurement training:

• Georges River Council implemented online training, which is mandatory for new staff and serves as refresher training for existing staff. The council also provides in-person training for selected staff (covering contract management, contract specification writing and contractor relationship management) and has developed quick reference cards for all staff to increase awareness of the council's procurement processes.
• Tweed Shire Council implemented mandatory online training for all staff members. The training covers the council's procurement policy and protocol as well as relevant legislation. It is linked to relevant council documents such as the Procurement Toolkit on the council's intranet, and includes a quiz for which training participants must score at least 80 per cent to have the training marked as completed.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Councils’ procurement contracts

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #345 - released 17 December 2020

The Auditor-General for New South Wales, Margaret Crawford, released a report today reviewing the additional entitlements claimed by Members of the New South Wales Parliament (Members) under the Parliamentary Remuneration Tribunal’s Determination (the Determination).

The Auditor-General found three material instances of Member non-compliance with the Determination. The Department of Parliamentary Services has subsequently requested the three Members repay amounts incorrectly claimed.

The report also acknowledges that the Department has worked with the Tribunal to address two of the three recommendations made in the 2019 Auditor-General’s review. These are now reflected in the 2020 Determination. The Department expects to address the third recommendation in the 2021 Determination.

The Auditor General has reviewed the compliance of the Members of the NSW Parliament (Members) with certain requirements outlined in the Parliamentary Remuneration Tribunal's Determination (the Determination) for the year ended 30 June 2020.

The Auditor General's review of Members' compliance with the Determination analyses claims made by Members during the 2019–20 financial year by testing a sample of transactions. Our sample included 66 claims submitted by 43 of the 136 Members.

Results

Our review identified three instances of material non compliance with the Determination for the year ended 30 June 2020:

• one Member claimed the General Travel Allowance for the full cost of a charter flight used to both attend a family event and perform the Member's parliamentary duties instead of estimating and claiming only the cost related to the Member's parliamentary duties
• one Member claimed the Communications Allowance for the same expenditure twice
• one Member elected to repay the allowance claimed in lieu of providing evidence to support their claims. The Member claimed the Sydney Daily Allowance and advised that they did not have records to support that the purpose of the travel related to their parliamentary duties.

The Determination requires Members to maintain appropriate records of expenditure for the purpose of any audit or assurance engagements. Repeated reviews have identified Members who elect to repay the allowances claimed in lieu of providing supporting documents. Justifying a claim for an allowance with supporting documents should not rely on the Auditor-General's review. Last year, we recommended the Department of Parliamentary Services (the Department) work with the Tribunal to provide additional guidance to Members to clarify the definition of parliamentary duties, the activities that meet the definition and the requirements for retaining documents. The recommendation is currently being considered by the Department.

Our review also identified 22 other departures from the administrative requirements of the Determination:

• two Members did not make the required authorisations and attributions on a publication to claim the expenditure from the Communications Allowance
• seven reconciliations for the Sydney Allowance were submitted after the due date
• 13 Members' claims were not submitted to the Department for payment within 60 days of receipt or occurrence of the expense.

Our audit procedures identified three other departures from the Department's administrative guidelines, which support the application of the Determination. Three Members submitted their annual loyalty scheme declarations after the due date specified in the guidelines (31 July 2020). The Declaration is important because it affirms that loyalty scheme benefits accrued using the Member's parliamentary allowances and entitlements were not used for private purposes.

Background

The Parliamentary Remuneration Tribunal (the Tribunal) determines the salary and additional entitlements of Members of NSW Parliament (Members), which are set out in the Tribunal's annual Determination

Appendix one – Response from Department of Parliamentary Service

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

• our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
• our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

This report analyses the results of our audits of financial statements of the Health cluster for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

The impacts of the COVID-19 pandemic on the cluster were significant and included changes to the operations of the health entities and increased revenue, expenditure, assets and liabilities.

As a part of this year's audits of health entities, we have considered:

• financial implications of the COVID-19 emergency at both health entity and cluster levels
• changes to agencies' operating models
• agencies' access to technology and the maturity of systems and controls to prevent unauthorised and fraudulent access to data.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The response to the COVID-19 pandemic primarily impacted the financial reporting of NSW Health through:

• additional revenue from the State government in the form of grants and stimulus payments
• additional revenue from the Commonwealth government under the National Partnership Agreement for COVID-19 to cover part of the cost of responding to the COVID-19 pandemic
• increased expenses, largely due to increased payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists and increased cleaning costs
• increased purchases of personal protective equipment.

Chapter one outlines the impacts of NSW Health’s response to the COVID-19 pandemic. This chapter outlines our other audit observations related to the financial reporting of agencies in the Health cluster for 2020.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

The primary impact of the COVID-19 pandemic on the effectiveness of the internal controls of NSW Health and health entities relates to the effectiveness of controls implemented by HealthShare relating to the stocktake of personal protective equipment inventories. Inventory managed by HealthShare increased by 2,746 per cent during 2019–20. HealthShare’s inventory controls did not maintain pace with the sudden, significant increase.

The impacts of NSW Health’s response to the COVID-19 pandemic are outlined in chapter one. This chapter outlines other observations and insights from our financial statement audits of agencies in the Health cluster.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations 

Appendix three – Financial data

Appendix four – Analysis of financial indicators 

Appendix five – Analysis of performance against budget

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Auditor-General’s Report to Parliament

Health 2020

11 December 2020

This corrigendum has been prepared to amend the following text within the Auditor-General’s Report to Parliament on Health 2020, dated 10 December 2020.

NSW Health emergency department treatment times

On page five the original text was as follows:

NSW Health also measures the percentage of patients whose clinical care in emergency departments is completed within four hours. The measure is used as an indicator of accessibility to public hospital services.

NSW Health aims to complete clinical care in the emergency department for 81 per cent of patients within four hours. In 2019–20 NSW Health reports it completed clinical care within four hours for 72.1 per cent of patients (a 7.3 per cent decrease from 2018–19).

At Western Sydney Local Health District, 59 per cent of patients were treated within the targeted timeframe. NSW Health attribute this to the profile of patients presenting in emergency departments and additional time taken processing COVID-19 patients to ensure staff safety.

The original text has now been changed to:

NSW Health also measures the percentage of patients with total time in the emergency department of four hours or less for each local health district. The measure is used as an indicator of accessibility to public hospital services.

The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Transport cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining NSW Health’s management of health and safety risks to nurses and junior doctors in high demand hospital wards over the past five years, including during the first six months of the 2020 COVID-19 health emergency.

The Auditor-General found that while NSW Health effectively managed most incidents and risks to the physical health and safety of hospital staff during ‘business as usual’ activities, systems and resources are not fully effective to manage staff psychological and wellbeing risks, particularly for nurses.

The Auditor-General found that NSW Health was effective in managing most COVID-19 health and safety risks to hospital staff. Overall effectiveness could have been improved had pandemic preparedness training been delivered across all Local Health Districts. Additionally, state-wide communication systems could have been improved to provide hospital clinicians with access to a ‘single source of truth’ with the latest advice from NSW Health authorities.

NSW Health’s planning and preparation for the supply of Personal Protective Equipment (PPE) was partially effective. At various times, some PPE items could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from usual items, and in some hospitals, substituted masks were used without being locally fit tested by hospital staff.

The Auditor-General made seven recommendations aimed at enhancing hospital health and safety risk reporting practices, along with a recommendation that NSW Health conduct a post pandemic 'lessons learned' review and make policy and operational recommendations for future pandemic responses.

Over the past decade, there have been increases in the numbers of health and safety incidents affecting nurses and junior doctors in NSW hospitals. These increases have been associated with higher numbers of patients with acute mental health conditions, age-related cognitive impairments, and patients presenting in emergency departments under the influence of drugs and alcohol.  

This audit commenced in August 2019, with a focus on the health, safety and wellbeing of nurses and junior doctors in high demand hospital wards. Our audit focused on emergency departments, mental health wards and aged care wards during 'business as usual’ periods of hospital operations. 

In the early months of 2020, the novel coronavirus (COVID-19) brought new health and safety risks to hospital staff. These risks included the potential for infection amongst health workers, increased staff workloads, and impacts on staff wellbeing.  

In May 2020, we expanded the focus of the audit to assess the effectiveness of NSW Health’s management of the health and safety risks to staff during the COVID-19 health emergency. We assessed the impacts on emergency departments and intensive care units, as these were the wards where staff were most likely to come into contact with COVID-19.  

The Audit Office acknowledges the ongoing health and safety challenges that the pandemic has brought to NSW Health staff – in particular to hospital clinicians and the managers who support them.  

This audit assessed the effectiveness of NSW Health’s:

• systems, forums and workplace cultures to support reporting and generate data about risk
• initiatives to support safe workplaces and effectively respond to health and safety incidents
• actions to continuously improve staff health, safety and wellbeing in hospital environments.

The first three chapters of this report describe the effectiveness of NSW Health’s ‘business as usual’ health and safety risk management. The fourth and fifth chapters describe the effectiveness of NSW Health’s health and safety risk management during the COVID-19 pandemic.  

1. Audit recommendations

By December 2021, NSW Health should:

1. Evaluate the effectiveness of the new incident management system to enable full reporting of health and safety incidents and risks in all hospital wards, including those where incidents and risks are common, and monitor for consistency of reporting over time
2. Expand the categories of hospital incident data reported to Ministry executives in the Work Health and Safety Dashboard reports, including by linking injury data to incident types by hospital ward category, and monitor in conjunction with Local Health Districts for emerging trends and improvement over time
3. Ensure that nurses and junior doctors have regular opportunities to report on risks to their psychological health and wellbeing, and that system managers have access to aggregate data to guide responses to mitigate these risks
4. Develop and implement an evidence-based guiding framework and strategy to support hospital staff in the aftermath of traumatic or unexpected workplace incidents, and monitor implementation
5. At regular intervals, publicly report aggregate Root Cause Analysis data detailing the hospital system factors that contribute to clinical incidents
6. Develop and implement a systemwide platform for sharing research and information about hospital health and safety initiatives across the health system
7. Conduct a post-pandemic 'lessons learned' review focusing on the effectiveness of key strategies deployed in the management of the COVID-19 pandemic and make policy and operational recommendations for future pandemic responses. In particular, ensure:
   • regular scenario-based pandemic training for hospital staff
   • updated policies and protocols for hospital infection controls
   • capability to upscale authoritative communication with frontline health workers at the earliest notification of a health emergency and for the duration of the emergency
   • systems and safeguards to ensure the supply and availability of clinically appropriate personal protective equipment (PPE) during all phases of a pandemic.

Local Health Districts were effective in leading health and safety infection control activity

According the NSW Health Influenza Pandemic Plan (Pandemic Plan), the Chief Executives of Local Health Districts have ultimate responsibility for public health unit preparations during health emergencies. If necessary, they can ‘draw on the support of the State Pandemic Management Team and local emergency management resources’.

During the preparations and early response phases to the COVID-19 pandemic, Local Health Districts were at the forefront of most NSW hospital activity. They took the lead role in developing hospital infection control protocols and guidance about the appropriate uses of Personal Protective Equipment (PPE). Each Local Health District established its own responses to the health emergency, based on the best clinical advice available to them. The localised approach meant that there were some minor differences in infection control practices across the NSW health system.

Throughout February and March 2020, there was limited centralised policy or guidance from the Ministry and its Pillar Health agencies about COVID-19 infection control practices. It was not possible to mandate practices at a time when information about the virus was evolving. Clinical responses were changing as more became known about COVID-19, especially about its patterns of transmission and its impacts on people with the disease.

During February and March 2020, Local Health District executives communicated with hospital staff via a range of methods. Some sent daily e-memos with the latest updates. Some scheduled more regular meetings with hospital clinicians. Some Districts set up extensive staff training sessions and information briefings to keep all personnel updated with the latest advice. Physical distancing made it difficult to bring staff together in large groups, so a range of communications measures were implemented.

Clinical staff also utilised their clinical training and expertise to prepare their wards and train frontline staff in infection control procedures. Some sourced information from national and international colleagues to add to localised knowledge of the virus.

When the first evidence of COVID-19 community transmission was identified in the Northern Sydney Local Health District, hospital staff followed infection control protocols that were based on local guidance and information. With the support from the District executive team and infectious diseases experts, hospital clinicians set up their own infection control protocols and PPE protections. Within a week the District had produced a matrix to guide staff in the uses of PPE during COVID-19 procedures, and had circulated the guidance to all hospital clinicians.

At the end of March 2020, a version of the Northern Sydney PPE matrix was published on the Clinical Excellence Commission’s website and it has now become NSW Health’s standard guideline for PPE during COVID-19 procedures. Once this guideline was published centrally, infection control practices were standardised across NSW hospitals.

This form of District-led policy making is not ‘business as usual’ practice for NSW Health. Policy making processes were somewhat reversed during the early response phases to COVID-19. This flexible policy approach supports the governance arrangements described in the Pandemic Plan, which assigns responsibility for ‘supporting and maintaining quality care across health services and implementing infection control measures as appropriate’ to Local Health Districts.

In non-health emergency situations, clinical policy and protocols are usually initiated and developed by the Ministry and the Clinical Excellence Commission and are subsequently shared across the health system after a quality control process. The localised approach adopted in the months from February to March 2020, allowed for rapid and flexible responses to changing information – to protect the health and safety of the hospital workforce and the wider community.

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Local Health Districts are responsible for training hospital staff in preparation for public health emergencies. NSW’s policy describing Public Health Emergency Response Preparedness Minimum Standards requires that clinical staff participate in at least one annual emergency training exercise if they hold a position where they are likely to be called upon in an emergency. Staff must participate in an actual response exercise or a relevant training session. The training must also include re-familiarisation with PPE.

Available evidence about emergency response training in NSW indicates that at least two Local Health Districts have delivered pandemic focussed training in the past decade. Our interviews with managers of emergency departments and intensive care units indicates that most other Districts have focused their emergency training on mass patient trauma incidents such as plane crashes, train crashes and terrorist attacks. While the potential for these types of mass trauma events is real, and warrants training and preparation, significant global outbreaks of diseases have also had potential to threaten NSW communities. In previous decades, global health communities have been at risk of diseases such as the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

In the two Districts where pandemic training was provided in NSW, staff participated in community influenza vaccination exercises. These were focused on upskilling staff to follow emergency command structures, manage high volume patient flows, and organise sanitisation logistics during a hospital-based training exercise.

Our interviews with nurse managers in emergency departments and intensive care units indicate that in the majority of other Local Health Districts, key personnel were unaware of the NSW Pandemic Plan. Interviewed staff also reported insufficient scenario-based training in pandemic responses over the last ten years.

The Ministry, the Clinical Excellence Commission and the Health Education and Training Institute (HETI) are responsible for online training and 'state-wide strategies and resources to maintain high levels of compliance with infection control and patient safety recommendations'. The HETI website contains online training modules in infection control and PPE donning and doffing procedures. Other infection control information and research is available on the websites of the Clinical Excellence Commission and the Agency for Clinical Innovation.

Online training modules are effective for upskilling staff in a range of skills, but are not a substitute for real-time, rapid incident response training. Face-to-face training provides opportunities for first responders to test procedures in hospital environments. Incident response training provides opportunities for staff to assess their levels of compliance with protocols and their competence with equipment in scenario situations. It is the responsibility of Local Health Districts to provide this form of training to the health staff in their District.

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry had not updated two policies that had the potential to assist emergency departments and intensive care units in aspects of their ward preparation for the COVID-19 pandemic. Both policies were on the NSW Health website, but neither were shared with hospital staff in the planning phases for the pandemic. Both policies are out of date and have not been revised within required timeframes.

The 2010 Influenza Pandemic - Providing Critical Care policy was due for review in May 2015 and was not updated at the time of the COVID-19 health emergency. Similarly, the 2007 policy Hospital Response to Pandemic Influenza Part 1: Emergency Department Response was due for review in June 2012 and has not been updated.

These policies were designed to assist clinical staff to make necessary ward arrangements for infection control. They set out the steps for rapid identification of contingent workforces, isolation procedures, and management of patient flows to separate those with suspected infection from other patient cohorts. They were a potential addendum to the NSW Pandemic Plan which describes the command and control responsibilities of health agencies in health emergencies.

Our interviews with nurse managers from emergency departments and intensive care units indicate that in the absence of pandemic policy, they sought clinical guidance from external sources and Local Health District experts. Interviewees told us that a lack of policy guidance about ward arrangements and infection control practices in a pandemic increased their workloads and hours of overtime in the early response phases to COVID-19. With the support of Local Health Districts, clinical staff made rapid adjustments in order to respond to changing testing requirements and ward arrangements.

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

NSW Health’s governance and communication arrangements during a pandemic are set out in the Pandemic Plan. The Plan requires that government agencies ‘commence enhanced arrangements, establish communications measures’ and confirm ‘governance arrangements’ when there is evidence of person to person transmission during an influenza outbreak. NSW Health received the first notifications of the novel coronavirus risks in January 2020.

During the preparation and early response phases to COVID-19, the Ministry and its central agencies were slow in establishing a single, authoritative channel through which to communicate consistent messages to frontline staff. Clinical staff required up-to-date information about COVID-19 testing criteria as requirements were changing rapidly, sometimes daily. While there was no expectation for fixed policy at this time, hospital staff required the latest instructions about treatment requirements, and updates on the numbers of COVID-19 infections in their region.

As information about COVID-19 was evolving, information was communicated across the health system via ‘multiple channels and sources’. While the Ministry and its central agencies communicated extensively with Local Health Districts during March 2020, hospital staff reported to us that they weren’t always sure where they could find the latest advice about testing protocols or infection controls.

Frontline staff told audit office staff that they were checking multiple sources and time-stamping advice to ensure they had the most up to date information on a daily basis. While some Local Health Districts managed clear communication links with frontline staff, nurse managers told us that communication was ‘chaotic’ during the early phases of pandemic preparation. Key personnel were not always available outside business hours and nurse managers advise that they spent hours at the end of shifts, seeking and printing the latest advice for weekend and night shift personnel. By the end of March 2020, the Ministry and the Clinical Excellence Commission websites became better organised to communicate with frontline clinicians.

A recommendation to the Ministry of Health after H1N1 swine flu could be equally applied in the COVID-19 context. The NSW Government’s report: Key Recommendations on Pandemic (H1N1) 2009 Influenza recommended the establishment of ‘clear pathways of communication … so that all employees have confidence in where their information will come from and who they should approach if they need additional information.’

NSW Health acknowledges the challenges and the lessons from the early phases of the COVID-19 pandemic. For example, a strategy released in August 2020, sets out NSW Health’s own recommendation for the future management of PPE including: ‘Aligning a single source of truth for PPE education and evidence-based guidance to ensure clarity of information on appropriate use, supported by an influential network of Infection Prevention and Control (IPC) practitioners at the forefront.

Ministry executives advise that communication with health staff has improved since the early phases of the pandemic. The Ministry now sends weekly COVID-19 updates to over 130,000 health staff via email. In addition, NSW Health now has two COVID-19 tabs on its website with current information, including COVID-19 testing advice. According to Ministry executives, these communication channels could be used or replicated if needed for future health emergencies. The Ministry also provides health information and updates via a phone application called Med App. This App is preferred by doctors and is less likely to be used by nurses. As at October 2020, there are 13,000 users of Med App. Push notifications can be made on Med App through SMS alerts.

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

Since the emergence of COVID-19 in Australia, all clinicians in NSW hospitals have had access to some form of PPE for their clinical requirements. If staff did not have appropriate equipment for each COVID-19 related procedure, they were guided by the formal advice issued to the NSW Health workforce on 11 March 2020 stating that: ‘The safety of NSW Health staff is a priority at all times, especially during COVID-19. Where safe working practices confirm specific PPE (e.g. face shields/masks or other equipment) are required for the protection of staff due to COVID-19, in all circumstances:

• staff are to wear prescribed PPE as instructed
• staff are not to undertake or be required to undertake tasks requiring PPE if the PPE is not available for use. Any such tasks are not to proceed until required PPE is available
• any staff member who is concerned about their safety must raise their concerns immediately to their manager.’

At periods during March and April 2020, some PPE items were not available in the required sizes or the regular brands to which staff were accustomed. HealthShare NSW was not able to source PPE from usual suppliers. HealthShare NSW sourced PPE including N95 masks from non-traditional suppliers. Some PPE items differed in shape and size from the usual hospital equipment. While senior executives from HealthShare NSW advise that all products were approved by the Therapeutic Goods Administration (TGA), in some hospitals, nurse managers advise that staff were not able to ‘fit test’ substituted masks. Fit testing determines the type and the size of the respirator mask that achieves an adequate seal on an individual’s face.

In March and April 2020, ‘duck bill’ (N95) masks were not available in some hospitals. According to stock managers and clinical managers in Local Health Districts, duck bills are the preferred mask for staff with smaller faces, particularly female staff members. The duck bill mask is a standard PPE product, and as such, is fit tested during mandatory PPE training. During the early response phases to COVID-19, most Local Health Districts were provided with substitute N95 masks. Fit testing of the substituted N95 masks was not able to be conducted in all NSW hospitals during the early phases of COVID-19. During the first wave of COVID-19 in March and April 2020, hospital staff told audit staff that there was no time and a lack of equipment to appropriately fit test substituted N95 masks.

Nurse managers in emergency departments advise that in some instances, staff made adaptations to PPE to improve protections, such as doubling masks, adding elastics or bringing their own equipment. These adaptations were not consistent with guidelines. Nurse managers advise that in some cases, adaptations to PPE or ill-fitting masks created pressure sores and contact dermatitis. Just over half of the stock managers of Local Health Districts advised that PPE stock was procured from outside the HealthShare NSW system. Stock managers in some Districts advise that facial shields and goggles sourced from non-traditional suppliers by HealthShare NSW were of a lesser quality than standard equipment. Stock managers and nurse managers reported that the changes in PPE products caused confusion and stress amongst staff.

Local Health Districts were proactive in assisting hospital staff to mitigate risks of COVID-19 infections. Some Local Health Districts assigned ‘tiger teams’ to assist staff with their PPE practices. Tiger teams provide clinical expertise and advice to staff, answer questions about infection control and provide training on PPE practice in hospital ward environments. They assist and support PPE donning and doffing practices to ensure the appropriate sequencing of applying and removing PPE for effective infection control. They provide mask fit checking guidance to assist staff in correct PPE practices.

Districts ran extensive refresher PPE training sessions for clinical staff. Some hospitals ran regular PPE demonstrations so that staff could observe correct PPE procedures at set times during the day. These activities assisted staff to implement appropriate infection control in the period before the Clinical Excellence Commission’s web-based materials and videos became available in late March and early April 2020. These online resources now provide comprehensive guidance to hospital staff in PPE practices.

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

The NSW Pandemic Plan describes the responsibilities of the Ministry and its central agencies to manage and maintain the State Medical Stockpile of essential PPE supplies and antiviral medications. During a pandemic, HealthShare NSW has responsibility for warehousing, monitoring and distributing health supplies to the health workforce.

Due to a reported global shortage of PPE and limits to the NSW stockpile, HealthShare NSW placed limits on the provision of approximately 100 high-demand items to NSW hospitals. HealthShare NSW advise that the PPE order capping ceilings were implemented ‘to ensure local stockpiling does not occur’. A centralised ordering process was established with Local Health Districts so that PPE product ordering occurred through single hospital locations (214 across the State), rather than at the ward level. Escalation processes were established to allow Districts to request one-off increases to supply, and a process was set up to permanently increase the order cap limit for any PPE item by facility.

According to HealthShare NSW, ‘as incoming central supply has improved, order caps have subsequently increased in line with strong engagement and governance with the Local Health Districts to ensure the appropriate levels of supply are provided’. The original capped levels were determined by assessing PPE usage in wards during the flu season of 2019. As the flu season case numbers of 2019 were relatively low, some Local Health District managers advised that the levels of PPE during 2019 were not comparable to the level of PPE required for the COVID-19 pandemic.

After advocacy from hospital stock managers and clinicians, HealthShare NSW increased capped PPE levels in many Local Health Districts.

Executive members of the State Health Emergency Operations Centre (SHEOC) advise that its PPE supply strategy needs to be carefully developed as there are vast differences in PPE usage rates during 'business as usual' periods and pandemic periods. If NSW Health kept the level of PPE required in planning for a worst-case scenario, this would equate to an extensive surplus of PPE that could not be utilised during business as usual periods. The SHEOC Executive advise that it is not feasible or economical to store this level of PPE. They advise that given the costs of PPE, and the fact that the products have a shelf life, a diversified supply line is a more reliable method for ensuring PPE during surge and non-surge periods.

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

Early projections of patient numbers requiring acute care for COVID-19, were at levels that would not have been manageable with the equipment and resources of NSW hospitals. Throughout March through to May 2020, government data modelling indicated significant surges of community infections and surges in intensive care patients.

Early estimates were based on overseas trends, and if actual cases had matched projections, NSW hospitals would not have had sufficient ventilators to meet demand. The knowledge of this shortfall caused high levels of anxiety among nursing and medical staff.

While the data was based on the best available information, it had negative implications for the health and safety of the nurse and junior doctor workforce. Managers of intensive care wards and emergency departments reported stress amongst the workforce. Staff concerns were primarily about being faced with ‘the unmanageable’, along with heightened fears about contracting the virus with the knowledge that there was insufficient equipment to treat acute patients.

As it transpired, overall numbers of COVID-19 infections were lower than projected during the early months of the pandemic. The lower infection rates in the general population have meant fewer instances of patients requiring intensive care in NSW hospitals. In addition, HealthShare NSW has been able to increase the numbers of ventilators in NSW hospitals to prepare for future surges in patients requiring acute respiratory care.

SHEOC Executive advise that NSW Health undertook an accelerated procurement strategy in early 2020 to increase its stock of ventilators, and that ventilator capacity has always far-exceeded actual requirements.

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

In August 2020, NSW Health released a strategy that sets out its future management and planning approaches to the provision of PPE for the NSW Health workforce. NSW Health’s Personal Protective Equipment (PPE) Strategy describes the learnings and challenges during the COVID-19 pandemic in sourcing and distributing PPE. It sets out the systems and methods for distributing PPE to staff and patients and focuses on how staff are kept informed on the appropriate use of PPE at all times. A supporting communications strategy has been developed to support its implementation.

The strategy contains enhanced transparency measures to regularly inform staff about PPE stock levels and to provide data about PPE usage rates by item types in wards in NSW hospitals. The NSW Health PPE strategy describes a changed approach to ordering, storing and allocating PPE. This includes diversifying the supply lines for PPE products to increase supply options in circumstances where supply lines become disrupted. It includes a centralised system for coordinating the supply of hospital PPE through Local Heath District coordination points and centralised distribution points in large hospitals.

Our interviews with hospital PPE stock managers and nurse managers indicate that staff find the new ordering system to be an improvement upon the previous stock ordering method.

According to the Personal Protective Equipment (PPE) Strategy, NSW health is upgrading its models for monitoring and benchmarking PPE usage across the health system. Systems are being improved for forecasting demand volumes during business as usual periods and during health emergency surges.

Appendix one – Response from agency

Appendix two – Audit methodology

Appendix three – About the audit 

Appendix four – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #344 - released 9 December 2020

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

• financial and information technology controls
• business continuity and disaster recovery planning arrangements
• procurement, including emergency procurement
• delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released her report today on State Finances for the year ended 30 June 2020.

‘I am pleased to once again report that I issued an unmodified audit opinion on the State’s consolidated financial statements,’ the Auditor-General said.

The report acknowledges this has been a challenging year, with New South Wales impacted by natural disasters and the COVID-19 pandemic.

The State’s Budget Result, reported in the financial statements, was a deficit of $6.9 billion. This is different to the 2019-20 budget forecast surplus of $1.0 billion and is an outcome of the government’s significant response to bushfires and COVID-19.

The report summarises a number of audit and accounting matters arising from the audit of the Total State Sector Accounts, a sector that comprises 291 entities controlled by the NSW Government with total assets of $495 billion and total liabilities of $256 billion.

Read full report (PDF)

Our audit opinion on the State’s 2019–20 financial statements was unmodified

An unmodified audit opinion was issued on the State’s 2019–20 consolidated financial statements.

The State extended signing its financial statements by six weeks.

Natural disasters, the COVID-19 pandemic and other factors impacted the State’s 2019–20 reporting timetable. The State extended signing its financial statements by six weeks, compared with 2018–19.

All agencies were also given a two-week extension to prepare their financial statements compared with 2018–19. Further extensions beyond two weeks were subsequently approved for the following 11 agencies (7 in 2018–19) to submit completed financial statements for audit:

• Department of Communities and Justice
• Department of Customer Service
• Department of Planning, Industry and Environment
• Department of Regional NSW
• Department of Transport
• Environment Protection Authority
• Infrastructure NSW
• Lord Howe Island Board
• NSW Crown Holiday Parks Land Manager
• Service NSW
• Water Administration Ministerial Corporation.

The extensions reflected that the COVID-19 pandemic impacted agencies’ work environments during the first six months of 2020. This was at a time when many were still implementing machinery of government changes and preparing to implement three significant new accounting standards:

• AASB 15 Revenue from Contracts with Customers (issued December 2014, effective 1 July 2019)
• AASB 16 Leases (issued February 2016, effective 1 July 2019)
• AASB 1058 Income of Not-for-profit entities (issued December 2016, effective 1 July 2019).

These new accounting standards were issued some years before they became effective, to allow reporting entities sufficient time to prepare for implementation. Notwithstanding this, some agencies had not fully implemented the new accounting standards in time for early close procedures, and the unforeseen impact of COVID-19 further complicated the year-end financial reporting processes for the State and its agencies.

The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.

In 2019–20, agency financial statements presented for audit contained 19 errors exceeding $20 million (six in 2018–19). The total value of these errors increased to $1.4 billion ($927 million in 2018–19).

The errors resulted from:

• incorrectly applying Australian Accounting Standards and Treasury Policies
• incorrect judgements and assumptions when valuing noncurrent physical assets and liabilities
• incorrectly interpreting the accounting treatment for unspent stimulus funding.

Errors in agency financial statements exceeding $20m (2016–2020)

$4.1 billion in stimulus funding was allocated in 2019–20

The government implemented an economic stimulus package primarily to mitigate the impacts of the COVID-19 pandemic on New South Wales.

The COVID-19 pandemic and bushfires had a significant impact on the State’s finances, reducing its revenue and increasing its expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health.

The government announced a $4.1 billion health and economic stimulus package in 2019–20. This primarily included:

• $2.2 billion in health measures including purchases of essential medical equipment and increasing clinical health capacity (like intensive care spaces)
• $1.0 billion in small business and land tax relief
• $355 million in extra cleaning services and quarantine costs.

Cluster agencies had spent $3.0 billion (just under 75 per cent) of the COVID-19 stimulus package by 30 June 2020.

The Health cluster incurred most of this expenditure.

Total spend relating to bushfires was $1.3 billion in 2019–20.

The graph below shows the total allocation and spend by cluster to 30 June 2020.

Economic stimulus allocation and spend by cluster to 30 June 2020

Deficit of $6.9 billion compared with a budgeted surplus of $1.0 billion

An outcome of the government’s overall activity and policies is its net operating balance (Budget Result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.

The General Government Sector, which comprises 199 entities, generally provides goods and services funded centrally by the State.

The Non-General Government Sector, which comprises 92 government businesses, generally provides goods and services, such as water, electricity and financial services that consumers pay for directly.

The Budget Result for the 2019–20 financial year was a deficit of $6.9 billion. The original budget forecast, set before the COVID-19 pandemic and bushfires, was a $1.0 billion surplus. The main driver of the change in result was:

• $1.3 billion of higher employee costs, mainly due to:
  • increased workers compensation claims
  • additional personnel required (mainly in the Health sector) to respond to the COVID-19 pandemic
• $2.3 billion of higher operating expenses, mainly due to:
  • $828 million from first time recognition of a child abuse claim liability
  • $507 million from additional insurance claims from the NSW bushfires
  • $343 million from COVID-19 claims by agencies for loss of revenue.
• $1.8 billion in higher grants and subsidy expenses, mainly due to:
  • small business grants
  • COVID-19 quarantine compliance measures
  • costs incurred in response to the 2019–20 bushfires, drought and disaster relief payments
  • third party-controlled assets that were subsequently transferred to councils and utility providers, mainly arising from construction of the CBD and South East Light Rail.

The deficit was further driven by:

• $1.9 billion less taxation revenue, mainly resulting from:
  • $1.3 billion less in payroll tax due to relief measures introduced by the government as part of its COVID-19 economic stimulus
  • $424 million less in gambling and betting taxes, due to venue closures required by COVID-19 public health orders
• $523 million less in dividends and income tax revenue from the Non-General Government Sector, due to lower dividends received from NSW Treasury Corporation and from the State’s other commercial government businesses
• lower fines, regulatory fees and other revenue, due to a $305 million decrease in mining royalties, largely driven by lower coal prices.

Main drivers of the 2019–20 actual vs. budget variance

Revenues increased $209 million to $86.3 billion

In 2019–20, the State’s total revenues increased by $209 million to $86.3 billion, 0.2 per cent higher than in 2018–19. COVID-19 impacted taxation revenue, which fell by $1.1 billion and revenue from the sale of goods and services, which fell by $1.1 billion. These falls were offset by a $2.5 billion (7.7 per cent) increase in grants and subsidies from the Australian Government, mainly in the form of additional stimulus funding.

Taxation revenue fell 3.5 per cent

Taxation revenue fell by $1.1 billion, mainly due to a:

• $861 million fall in payroll tax as a result of COVID-19 relief (reduced payroll tax payments for eligible small businesses)
• $430 million fall in stamp duty collections, driven by lower than expected growth in the property market
• $427 million decline in gambling and betting taxes, mainly due to venue closures driven by COVID-19 public health orders.

Stamp duties of $8.8 billion were the largest source of taxation revenue, $473 million higher than payroll tax, the second-largest source of taxation revenue.

Australian Government grants and subsidies

The State received $34.2 billion in grants and subsides which are mainly from the Australian Government, $2.4 billion more than in 2018–19.

The increase was driven by a $1.1 billion increase in Commonwealth Specific Purpose Payments to support the Health cluster respond to the COVID-19 pandemic. Commonwealth National Partnership Payments increased by a similar amount to provide the State with Natural Disaster relief.

Sales of goods and services

In 2019–20, sales of goods and services fell $1.1 billion. This was due to the COVID-19 pandemic reducing:

• patronage and related transport passenger revenue
• health billing activities with elective surgery being put on hold

Fines, regulatory fees and other revenues

Fines, regulatory fees and other revenues fell $505 million. This was mainly due to a $409 million decrease in mining royalties attributed to a drop in thermal coal prices during 2019–20.

Other dividends and distributions

Other dividends and distributions rose by $616 million due to higher distributions received from the State’s investments. This was due to an additional $1.3 billion held in the State’s investment portfolio compared with last year.

Expenses increased $8.2 billion to $96.0 billion

The State’s expenses increased 9.3 per cent compared with 2018–19. Most of the increase was due to higher employee expenses, other operating costs and grants and subsidies.

Employee expenses, including superannuation, increased 5.7 per cent to $42.6 billion.

Salaries and wages increased to $42.6 billion from $40.3 billion in 2018–19. This was mainly due to increases in staff numbers and a 2.5 per cent increase in pay rates across the sector. Salaries and wages for the Education and Health sectors increased by $659 million and $732 million in each sector respectively.

The Health sector employed an additional 2,763 full time staff in 2019–20. It also incurred more overtime in response to COVID-19. Education increased staff numbers by 4,866 full time equivalents and paid a one off 11 per cent pay rise to school administration staff in 2019–20. Historically, the government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.

Operating expenses increased 8.7 per cent to $27.0 billion.

Operating expenses increased to $27.0 billion in 2019–20 ($24.8 billion in 2018–19) due to higher operating activities in Health. The higher level of activities and related costs is attributed to a full year of operations at the Northern Beaches Hospital (opened November 2018), and responding to COVID-19. The response to COVID-19 involved the State providing viability payments to private hospitals, higher visiting medical officer costs due to additional overtime hours and spending more on equipment to set up COVID-19 testing clinics.

Insurance claims increased by $2.0 billion. This was mainly due to NSW Self Insurance Corporation (SiCorp) recognising a liability for child abuse claims incurred but not reported for the first time, and claims for the 2019–20 bushfires, floods and COVID-19.

Health costs remain the State’s highest expense.

Total expenses of the State were $96 billion ($87.8 billion in 2018–19). Traditionally, the following clusters have the highest expenses as a percentage of total government expenses:

• Health – 24.3 per cent (25.8 per cent in 2018–19)
• Education – 17.6 per cent (19.3 per cent in 2018–19)
• Transport - 12.8 per cent (12.6 per cent in 2018–19).

General public service expenses as a percentage of total State expenses is higher due to a $2.0 billion increase in SiCorp’s accrued claim expenses.

Other expenses increased due to additional grant funding by the State for drought relief and COVID-19 stimulus spend.

Health expenses increased by $632 million compared with 2018–19 but fell as a proportion of total State expenses.

Education expenses remained stable compared with last year due to savings in student transportation costs primarily driven by COVID-19. This led to a decrease in the proportion of the State’s costs relating to education activities.

Grants and subsidies increased $2.5 billion to $14.1 billion.

The increase in grants and subsidies was due to payments the State made to support businesses and local communities in the face of COVID-19 and bushfires. In addition, the State transferred CBD and South East Light Rail assets to councils and utility providers during 2019–20 as it no longer controlled these.

Depreciation expense increased $1.0 billion to $9.2 billion.

Depreciation increased to $9.2 billion from $8.0 billion in 2018–19. At 1 July 2019, the State implemented the new leases standard recognising a right of use (ROU) asset and related lease liability in its financial statements. The value of ROU assets are amortised over the term of the lease. This contributed to $980 million of the increase in 2019–20 depreciation expense. Last year, these costs were previously reported within other operating expenses.

Assets grew by $28.0 billion to $495 billion

The State’s assets primarily include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $28.0 billion to $495 billion. This was a six per cent increase compared with 2018–19, mostly due to changes in asset carrying values.

Of the State’s $28.0 billion increase in asset values, $9.3 billion was due to a new accounting standard requirement for operating leases to be valued and recorded on balance sheet for the first time.

AASB 16 Leases requires entities recognise values for right-ofuse assets (ROU) for the first time. An ROU asset is a lessee’s right to use an asset, the value of which is amortised over the term of the lease. This standard came into effect from 1 July 2019.

Valuing the State’s physical assets

The value of the State’s physical assets increased by $14.1 billion to $365 billion in 2019–20. The assets include land and buildings ($168 billion), infrastructure ($180 billion) and plant and equipment ($16.7 billion). A prior period error relating to the valuation of RMS infrastructure assets reduced the reported values by $1.0 billion from $352 billion to $351 billion at 30 June 2019.

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include reclassification of physical assets leased under finance leases to right of use assets upon adoption of AASB 16 Leases on 1 July 2019.

Movements in physical asset values

Liabilities increased $38.4 billion to $256 billion

The State borrowed additional funds in response to natural disasters and COVID-19.

The State’s borrowings rose by $33.9 billion to $113.8 billion at 30 June 2020. This accounted for most of the increase in the State’s total liabilities.

The value of TCorp bonds on issue increased by $25.2 billion to $97.0 billion to largely fund capital expenditure and costs associated with the bushfires, drought and COVID-19.

TCorp bonds are actively traded in financial markets and are guaranteed by the NSW Government.

Over 2019–20, TCorp continued to take advantage of lower interest rates, buying back short-term bonds and replacing them with longer dated debt. This lengthens the portfolio matching liabilities with the funding requirements for infrastructure assets.

With effect from 1 July 2019, AASB 16 Leases required the State to recognise liabilities for operating leases for the first time. This increased total lease liabilities from $5.3 billion at 30 June 2019 to $11.8 billion at 30 June 2020.

More than a third of the State’s liabilities relate to its employees. They include unfunded superannuation and employee benefits, such as long service and recreation leave.

Valuing these obligations involves complex estimation techniques and significant judgements. Small changes in assumptions and other variables, such as a lower discount rate, can materially impact the valuation of liability balances in the financial statements.

The State’s unfunded superannuation liability rose $300 million from $70.7 billion to $71.0 billion at 30 June 2020. This was mainly due to a lower discount rate of 0.87 per cent (1.32 per cent in 2018–19). The State’s unfunded superannuation liability represents the value of its obligations to past and present employees less the value of assets set aside to fund those obligations.

The State maintained its AAA credit rating

The object of the Fiscal Responsibility Act 2012 is to maintain the State’s AAA credit rating.

The government manages New South Wales’ finances in accordance with the Fiscal Responsibility Act 2012 (the Act).

The Act establishes the framework for fiscal responsibility and the strategy to maintain the State’s AAA credit rating and service delivery to the people of New South Wales.

The legislation sets out targets and principles for financial management to achieve this.

This year, the State’s credit rating from Standard & Poor’s changed from AAA/Stable to AAA/Negative. Moody’s Investors Service credit rating of Aaa/Stable did not change from the previous year.

The fiscal target for achieving this objective is that General Government annual expenditure growth should be lower than long term average revenue growth.

The State did not achieve its fiscal target of maintaining annual expenditure growth below the long-term revenue growth rate target of 5.6 per cent.

In 2019–20, General Government expenditure grew by 9.7 per cent (5.5 per cent in 2018–19).

Expenditure items that contributed most to the growth rate include:

• recurrent grants and subsidies (20.4 per cent)
• other operating expenses (9.5 per cent)
• employee costs (including superannuation) (5.6 per cent)

Recurrent grant and subsidy expenses increased by $2.8 billion in 2019–20 mainly due to the COVID-19 and natural disaster payments. Other operating expenses increased mainly due to a $2.0 billion increase in SiCorp insurance claims. This included the $828 million provision for child abuse claims incurred but not reported. The bushfires and COVID-19 pandemic also increased the number and cost of claims in 2019–20.

Superannuation funding position since inception of the Act - AASB 1056 Valuation

Appendix one - Prescribed entities

Appendix two - Legal opinions

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of the financial arrangements and management practices of four integrity agencies: the Independent Commission Against Corruption, the NSW Electoral Commission, the NSW Ombudsman, and the Law Enforcement Conduct Commission. The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding. The Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

The audit found that the current approach to determining and administering annual funding for the integrity agencies presents threats to their independent status. The approach used by NSW Treasury and DPC is consistent with the legislative and Constitutional framework for financial management in New South Wales, but it does not sufficiently recognise that the roles and functions of the integrity agencies that are the focus of this audit are different to other departments and agencies. Specific mechanisms that present threats to the independence of the integrity agencies include the absence of transparency in decisions about funding for the integrity agencies, the means of applying efficiency dividends and budget savings and reform measures, the process of providing additional funding from DPC to the integrity agencies, and requests for the integrity agencies to report to DPC on their activities and outcomes.

The Auditor-General outlined the principles that inform the report’s recommendations in order to strengthen the financial arrangements for the integrity agencies. These principles are:

• There should be structured oversight by Parliament of the performance and financial management of the integrity agencies.
• Parliament’s role in the budget process should be expanded to ensure Cabinet is provided with more independent advice on the funding requirements for the integrity agencies.
• There should be transparency to Parliament and the relevant agency for decisions made about funding for the integrity agencies.
• The integrity agencies should be required to demonstrate their accountability as prudent managers of their financial resources.

The report also notes that the NSW Parliament should be consulted when considering the report’s recommendations.

Read full report (PDF)

This audit examined the effectiveness of the financial arrangements and management practices of four integrity agencies. It was conducted with reference to the legislative and Constitutional framework that is currently in place for financial management in New South Wales.

This report appropriately recognises that the government of the day is responsible for the prudent and responsible management of the state’s finances. It identifies several areas of ambiguity in the way the current financial arrangements apply to the integrity agencies that are the subject of this audit. It also highlights threats to the independence of the integrity agencies that may arise from the involvement of the Executive Government in the decision making about funding. The report argues these risks are not mitigated sufficiently under the current financial arrangements.

The recommendations in this report outline the principles that should inform the financial arrangements for the integrity agencies. Consistent with the Audit Office of NSW’s role in auditing NSW Government departments and agencies, the recommendations are directed to NSW Treasury and the Department of Premier and Cabinet. However, the report recognises that the current role of these entities in the funding arrangements for the integrity agencies poses a threat to their independence. Consequently, it is important to recognise the important role of the NSW Parliament in determining the appropriate funding model for the integrity agencies. The audited agencies should consult closely with the NSW Parliament when considering these recommendations to ensure the views of Parliament are reflected appropriately in any changes arising from the implementation of these recommendations. This recognises the appropriate role of the NSW Parliament in safeguarding the independence of its integrity agencies.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments are involved in the processes that lead to decisions about funding for the integrity agencies and managing access to this funding.

The NSW Government, through the Treasurer, is responsible to the citizens of New South Wales for the prudent and responsible management of the state’s finances. The annual budget is the primary process that the NSW Government uses for financial management. Decisions about funding for the integrity agencies are made through this budget process. NSW Treasury provides guidance to all government departments and agencies, including the integrity agencies that are the focus of this audit, on the Government’s priorities for the budget. NSW Treasury also reviews and provides advice to the Expenditure Review Committee of Cabinet on proposals for funding through the budget.

The integrity agencies are subject to the application of ‘efficiency dividends’ and ‘budget savings and reform measures’, which limit their access to the full funding that has been approved by Parliament. NSW Treasury and DPC manage the application of these limits to the integrity agencies. The integrity agencies are grouped within the DPC ‘cluster’, which is an administrative arrangement created by the NSW Government. Clusters do not have legal status but are used for administrative and financial management. DPC has provided additional funding during the financial year to some of the integrity agencies in the years covered in this audit. DPC also oversees the involvement of the integrity agencies in developing and reporting on their outcomes. This is a requirement of NSW Treasury’s outcome budgeting reforms, which are currently being implemented.

Each of the integrity agencies is overseen by a parliamentary committee that includes members of both houses of the NSW Parliament. These committees are responsible for reviewing the performance of the integrity agencies that they oversee. They do not have a role in funding decisions. ICAC and LECC each have additional oversight from an Inspector. The Inspector of the ICAC’s role is to oversee the operations and conduct of ICAC to ensure that it complies with the law. The Inspector of the LECC’s role is to oversee the way LECC carries out its functions, with a focus on the legality of LECC’s use of its powers. Neither of these Inspectors has a role in funding decisions.

The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:

• not considering or commenting on the financial arrangements for our office
• requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies. The inquiry includes the four integrity agencies that are the subject of this audit and our office
• seeking independent legal advice on the framework for the financial arrangements for the integrity agencies
• using additional internal review processes to provide quality assurance to audit conclusions.

On 4 November 2019, the Hon. Don Harwin MLC, Special Minister of State, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983.

Consistent with the Minister’s request, this audit assessed the effectiveness of the financial arrangements and management practices of four integrity agencies - the Independent Commission Against Corruption (ICAC), the NSW Electoral Commission (NSWEC), the NSW Ombudsman (NSWO) and the Law Enforcement Conduct Commission (LECC). The audit also included NSW Treasury and the Department of Premier and Cabinet (DPC) because both departments have a role in the financial arrangements for the integrity agencies. NSW Treasury manages the budget process that determines the annual funding for the integrity agencies. DPC has a role in managing access to this funding because the integrity agencies are placed within the DPC ‘cluster’.

The Audit Office of NSW is an independent integrity agency that receives some of its revenue through the NSW Government’s budget process and sits within the DPC cluster. We have taken the following actions to preserve our independence and mitigate potential conflicts of interest that could arise in conducting this audit:

• not considering or commenting on the financial arrangements for our office
• requesting a deferral of our office’s evidence to an inquiry by the NSW Legislative Council’s Public Accountability Committee that is considering the budget process for integrity agencies and the NSW Parliament, including the four integrity agencies in this audit and our office
• seeking independent legal advice on the framework for the financial arrangements of the four integrity agencies in this audit
• using additional internal review processes to provide quality assurance to audit conclusions.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Opinion from the Crown Solicitor’s Office

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.