Reports
Actions for Health 2020
Health 2020
This report analyses the results of our audits of financial statements of the Health cluster for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
Financial reporting |
Unqualified financial audit opinions The financial statements of NSW Health and its 25 controlled entities received unqualified opinions. The number of corrected and uncorrected misstatements increased from the prior year. Misstatements related predominantly to the implementation of new accounting standards, asset revaluations and accounting for new revenue streams to cover the cost of HSW Health’s response to the COVID-19 pandemic. Qualified compliance audit opinion We issued a qualified audit opinion for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. We identified 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19). |
Financial performance |
NSW Health received an additional $3.3 billion in funding to cover costs associated with its response to the COVID-19 pandemic. The impacts of the COVID-19 pandemic on the cluster were significant for health entities and included changes to operations, increased revenues, expenditure, assets and liabilities. Cancellation of elective surgery and decreased emergency department presentations meant that despite the pandemic, activity levels at many health entities decreased. Health Pathology and HealthShare were notable exceptions. In the period to the 30 June 2020, NSW Health reported that over 900,000 COVID-19 tests were conducted. Health Pathology conducted over 500,000 of these tests. Health Pathology's surge requirements were enhanced through arrangements with 13 private sector providers. HealthShare purchased $864.2 million of personal protective equipment. Overall, NSW Health recorded an operating surplus of $3.1 billion in 2019–20, an increase of $2.0 billion from 2018–19. As in previous years, the surplus largely resulted from additional revenue received to fund capital projects including the construction of new facilities, upgrades and redevelopments. In 2019–20 additional Commonwealth and State funding for the purchase and stockpiling of personal protective equipment also contributed to the operating surplus. |
Overtime payments | The Ambulance Service of NSW’s (NSW Ambulance) reduced their overtime payments to $79.7 million in 2019–20 ($83.1 million in 2018–19). Overtime payments in 2019–20 included $6.8 million related to the response to the 2019–20 bushfire season. NSW Ambulance overtime payments represent 16.8 per cent of total overtime payments in the cluster. |
2. Audit observations
Internal control deficiencies |
We identified more internal control deficiencies in 2019–20. The number of repeat issues from prior years also remains high. NSW Health addressed 18 out of the 25 information system control deficiencies during the year. Several key agreements lacked formal documentation. This included agreements between the Ministry and health entities, between health entities and agencies in other clusters and between the Ministry and health departments in other jurisdictions. |
Infrastructure delivery | NSW Health had 44 ongoing major capital projects at 30 June 2020 with a total revised budget of $12.3 billion. The revised total budget of $12.3 billion is $2.0 billion more than the original budget. NSW Health revises budgets when it combines project stages. |
This report provides parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
The impacts of the COVID-19 pandemic on the cluster were significant and included changes to the operations of the health entities and increased revenue, expenditure, assets and liabilities.
As a part of this year's audits of health entities, we have considered:
- financial implications of the COVID-19 emergency at both health entity and cluster levels
- changes to agencies' operating models
- agencies' access to technology and the maturity of systems and controls to prevent unauthorised and fraudulent access to data.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The response to the COVID-19 pandemic primarily impacted the financial reporting of NSW Health through:
- additional revenue from the State government in the form of grants and stimulus payments
- additional revenue from the Commonwealth government under the National Partnership Agreement for COVID-19 to cover part of the cost of responding to the COVID-19 pandemic
- increased expenses, largely due to increased payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists and increased cleaning costs
- increased purchases of personal protective equipment.
Chapter one outlines the impacts of NSW Health’s response to the COVID-19 pandemic. This chapter outlines our other audit observations related to the financial reporting of agencies in the Health cluster for 2020.
Section highlights
- Unqualified audit opinions were issued for all health entities’ financial statements, although more misstatements were identified than last year.
- NSW Health recorded an operating surplus of $3.1 billion, an increase of $2.0 billion from 2018–19. This is largely due to additional capital grants for new facilities, upgrades and redevelopments and additional Commonwealth and State funding for the purchase of personal protective equipment.
- NSW Health’s expenses increased by 5.5 per cent in 2019–20 (7.0 per cent in 2018–19) despite the impact of the COVID-19 pandemic. The primary causes for the growth in expenses are increases in:
- employee related expenses due to higher employee numbers, increased overtime and a 2.5 per cent award increase
- payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists
- payments to private health operators due to the first full year of operation of the Northern Beaches hospital.
- The Ambulance Service of NSW (NSW Ambulance) continued to report higher overtime payments than other health entities. However, despite the response to the 2019–20 bushfire season, their overtime payments were lower than last year. NSW Ambulance paid $79.7 million in overtime payments in 2019–20 ($83.1 million in 2018–19).
- A qualified audit opinion was issued for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. There were 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19)
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
The primary impact of the COVID-19 pandemic on the effectiveness of the internal controls of NSW Health and health entities relates to the effectiveness of controls implemented by HealthShare relating to the stocktake of personal protective equipment inventories. Inventory managed by HealthShare increased by 2,746 per cent during 2019–20. HealthShare’s inventory controls did not maintain pace with the sudden, significant increase.
The impacts of NSW Health’s response to the COVID-19 pandemic are outlined in chapter one. This chapter outlines other observations and insights from our financial statement audits of agencies in the Health cluster.
Section highlights
- The number of internal control deficiencies has increased since 2018–19. More than a third of control deficiencies are repeat issues.
- Control deficiencies that relate to managing employees’ leave and employee’s time recording continue to be difficult for entities to resolve, particularly during the ongoing response to the COVID-19 pandemic.
- Several key agreements were undocumented. These included agreements between the Ministry and the health entities, between health entities, and between the Ministry and entities in other clusters and jurisdictions. These related to:
- a loan arrangement between the Ministry and HealthShare for $319 million.
- Northern Sydney Local Health District's use of land and buildings owned by the Graythwaite Charitable Trust
- agreements for the treatment of New South Wales residents while they are interstate, and interstate residents receiving treatment while they are in New South Wales from Queensland, Victoria, South Australia and the ACT for both 2019–20 and 2018–19.
- NSW Health reported that they completed nine major capital projects during 2019–20. As at 30 June 2020 there were 44 ongoing major capital health projects in NSW. The revised capital budget for these projects in total was $2.0 billion more than the original budget of $10.3 billion. NSW Health reported the budget revisions are largely the result of combining project stages.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Financial data
Appendix four – Analysis of financial indicators
Appendix five – Analysis of performance against budget
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Auditor-General’s Report to Parliament
Health 2020
11 December 2020
This corrigendum has been prepared to amend the following text within the Auditor-General’s Report to Parliament on Health 2020, dated 10 December 2020.
NSW Health emergency department treatment times
On page five the original text was as follows:
NSW Health also measures the percentage of patients whose clinical care in emergency departments is completed within four hours. The measure is used as an indicator of accessibility to public hospital services.
NSW Health aims to complete clinical care in the emergency department for 81 per cent of patients within four hours. In 2019–20 NSW Health reports it completed clinical care within four hours for 72.1 per cent of patients (a 7.3 per cent decrease from 2018–19).
At Western Sydney Local Health District, 59 per cent of patients were treated within the targeted timeframe. NSW Health attribute this to the profile of patients presenting in emergency departments and additional time taken processing COVID-19 patients to ensure staff safety.
The original text has now been changed to:
NSW Health also measures the percentage of patients with total time in the emergency department of four hours or less for each local health district. The measure is used as an indicator of accessibility to public hospital services.
Local Health Districts | Target % (2019–20) | Actual % (2019–20) |
Central Coast | 77.0 | 59.9 |
Far West | 90.2 | 86.6 |
Hunter New England | 81.0 | 72.5 |
Illawarra Shoalhaven | 79.0 | 60.2 |
Mid North Coast | 82.0 | 76.7 |
Murrumbidgee | 85.3 | 81.9 |
Nepean Blue Mountains | 79.0 | 65.5 |
Northern NSW | 81.0 | 78.2 |
Northern Sydney | 79.0 | 73.9 |
South Eastern Sydney | 78.0 | 70.3 |
South Western Sydney | 78.0 | 61.2 |
Southern NSW | 85.0 | 83.0 |
Sydney | 76.0 | 70.9 |
Sydney Children’s Hospitals Network | 80.0 | 72.1 |
Western NSW | 85.9 | 81.0 |
Western Sydney | 78.0 | 59.0 |
St Vincent's Health Network* | 75.0 | 65.4 |
The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.
Actions for Internal controls and governance 2020
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Actions for Health capital works
Health capital works
This report examines whether NSW Health effectively planned and delivered major capital works to meet the demand for health services in New South Wales.
The report found that NSW Health has substantially expanded health infrastructure across New South Wales since 2015. However, the program was driven by Local Health District priorities without assessment of the State’s broader and future‑focussed health requirements.
The report found that unclear decision making roles and responsibilities between Health Infrastructure and the Ministry of Health limited the ability of NSW Health to effectively test and analyse investment options.
Project delays and budget overruns on some major projects indicate that Health Infrastructure's project governance, risk assessment and management systems could be improved.
The Auditor‑General recommends that NSW Health ensure its capital projects offer the greatest value to New South Wales by establishing effective policy guidance and enhancing project governance and management systems.
Since 2011–12, NSW Health has aimed to improve its facilities and build 'future focused' infrastructure. The NSW Government’s 2015–16 election commitments established a four-year $5.0 billion capital program for NSW Health to build and upgrade more than 60 hospitals and health services. The 2019–20 State Budget committed a further $10.1 billion over four years for another 29 projects. This is the largest investment to date on health capital works in New South Wales.
Recent reviews of infrastructure have recognised that population and demographic growth will require a change in the delivery and composition of health infrastructure, including considering greater use of non-traditional, non-capital health service options and assets.
To ensure that expenditure on capital works represents the best value for money, NSW Health's business cases need to be robust and supported by evidence that demonstrates they are worthy investments. The NSW Process of Facility Planning has been the main framework guiding the detailed planning and development of NSW Health's capital works proposals. This framework was developed by the then NSW Department of Health in 2010. Its aim is to ensure investment proposals are supported by rigorous planning processes that address health service needs and provide value for money.
Infrastructure projects of the complexity and scale being delivered by NSW Health carry inherent risks. For example, unplanned cost escalations can potentially impact on the State’s finances. Unforeseen delays can also reduce the intended benefits. The growth in the State’s health capital spend and project profile, means its exposure to such risks has increased over time.
The objective of this audit was to assess the effectiveness of planning and delivery of major capital works to meet demand for health services in New South Wales. To address this objective, the audit examined whether:
- the Ministry of Health has effective procedures for planning and prioritising investments in major health capital works
- Health Infrastructure develops robust business cases for initiated major capital works that reliably inform government decision making
- Health Infrastructure has effective project governance and management systems that support delivering projects on-time, within budget and achievement of intended benefits.
The audit focused on the Ministry of Health and Health Infrastructure – being the lead agencies within NSW Health responsible for prioritising, planning and delivering major health capital works across the State. The audit examined 13 business cases for eight discrete projects over a ten-year period.
ConclusionNSW Health has substantially expanded health infrastructure across New South Wales since 2015. However, its planning and prioritisation processes were not assessed against a long-term statewide health infrastructure plan and lacked rigorous assessment against non-capital options creating a risk that they do not maximise value for New South Wales. The scale of NSW Health's capital investment is significant and has grown substantially in recent years. The NSW Government’s election commitments in 2015–16 and 2019–20 collectively set out a $15.0 billion capital program to build and upgrade 89 hospitals and health services. NSW Health developed this infrastructure program in the absence of a statewide health infrastructure strategy and investment framework to focus its planning and decisions on the types of capital investments required to meet the long-term needs of the NSW health system. Consequently, locally focused priorities of the State’s 17 Local Health Districts have been the primary drivers of NSW Health’s capital investments since 2015–16. Local Health District investment proposals for hospitals were developed without consideration of alternative health options such as community health service models, technology-driven eHealth care, or private sector options. Without rigorous assessment against a range of potential health service options, there is a risk that selected projects do not maximise value for New South Wales. In recognition of the need for a statewide approach to infrastructure planning, the Ministry of Health recently developed a 20-year Health Infrastructure Strategy and prioritisation framework in 2019. The strategy was approved by the NSW Government in April 2020. NSW Health's ability to effectively test and analyse its capital investment options has been compromised by unclear decision-making roles and responsibilities between its Health Infrastructure and the Ministry of Health agencies. While both Health Infrastructure and the Ministry of Health have responsibilities for the assessment of business cases for proposed infrastructure projects, confusion about the roles of each agency at key steps compromised the efficacy of the process. Health Infrastructure and the Ministry of Health have differing views about which agency is responsible for testing business case inputs and conducting comprehensive options appraisals. As a result of this confusion, Health Infrastructure and the Ministry of Health did not rigorously test Local Health District capital investment proposals against defined statewide health infrastructure investment priorities. The NSW Process of Facility Planning does not clarify the responsibilities of all parties in validating and prioritising Local Health District's Clinical Service Plans and progressing them to business cases. NSW Health's infrastructure priorities are not sufficiently supported by transparent documentation of selection methodology and the rationale for decisions. Consequently, there is a risk that recommended options, whilst having some economic and health service merit, do not represent the greatest value. Substantial delays and budget overruns on some major projects indicate that Health Infrastructure's project governance, risk assessment and management systems could be improved. Health Infrastructure did not fully comply with NSW Government guidelines for developing business cases and making economic appraisals for proposed capital investments. These weaknesses, along with delays and budget overruns on some projects, demonstrate a need for Health Infrastructure to strengthen its project governance, management and quality control systems. |
Over the period of review, NSW Government policies for business case development and submission have emphasised that effective governance arrangements are critical to a proposal's successful implementation.
NSW Health's Process of Facility Planning similarly highlights the importance of effective governance and project management for achieving good outcomes. It prescribes a general governance structure managed by Health Infrastructure that can be tailored to the planning and delivery of health infrastructure projects greater than $10.0 million.
The three major hospital redevelopments examined in metropolitan, regional and rural areas had a combined Estimated Total Cost of more than $1.2 billion and comprised eight discrete projects and 13 separate business cases.
Almost all these projects experienced delivery challenges which impacted achievement of their original objectives and intended benefits. This is expected in complex and large-scale health infrastructure programs. However, in some projects the impacts were significant and resulted in substantial delays, unforeseen costs, and diversion of resources from other priority areas.
Our review of the selected case studies highlighted opportunities for enhancing governance and project management. Specifically, it indicates a need for improving transparency in the management of contingencies, risk management and assessments particularly relating to adverse site conditions and the selection of contractors. There is also a need to strengthen forward planning for options to address unfunded priorities within business cases that risk complicating the delivery of future project stages resulting in unforeseen costs and potentially avoidable budget overruns.
In February 2017, the Ministry's Capital Strategy Group approved the use of surplus funds of $13.76 million from Stage 1 of the Hornsby Ku-ring-gai Hospital Redevelopment for new works deemed needed to support Stage 2. Following this decision, Health Infrastructure finalised and submitted a business case addendum for Stage 1 to the Ministry in March 2017, addressing the new works comprising a two-storey building for medical imaging and paediatric floors. The business case addendum also addressed options to fit out and procure major medical imaging equipment. The Ministry approved the Stage 1 business case in July 2017, noting the Ministry's Capital Strategy Group had already approved the use of remaining Stage 1 funds to deliver the new works.
Stage 1 was completed in 2015, almost two years before the Stage 1 business case addendum was prepared in February 2017.
The Ministry's decision to approve the new works using $13.76 million of surplus Stage 1 funds did not comply with the NSW Treasury Circular TC 12/20. This policy establishes the Treasurer's approval must be sought and received before a new capital project with an Estimated Total Cost of $5.0 million or more can be approved by NSW Health. The Ministry therefore exceeded its delegated authority in making this decision, as it was not evident it had sought and received the Treasurer's approval prior to doing so.
Consequently, the surplus Stage 1 funds should not have been used by the Ministry to deliver new works in the circumstances. Instead, they should have been released from the Stage 1 project in accordance with established NSW Health procedures, and the Stage 1 Estimated Total Cost revised down accordingly. This did not occur, and NSW Health ultimately directed $11.0 million in surplus Stage 1 funds to the new works.
These circumstances indicate a need to strengthen transparency and accountability within NSW Health for the approval of new projects, and how contingency funds are used in the management of major health capital works. They also demonstrate the impact of weaknesses with options appraisal as the initial Stage 1 business case did not consider alternative options for addressing the initially unfunded works later covered by the Stage 1 business case addendum and ultimately funded from the Stage 1 contingency provision.
In addition to proposing the above-noted new works, the 2017 Stage 1 Business Case Addendum for the Hornsby-Ku-ring-gai development sought to retrospectively address the estimated funding gap of around $14.0 million for the internal fit out, supply of major medical imaging equipment, and cost to operate the medical imaging service at Hornsby Ku-ring-gai Hospital also not addressed in the originally Stage 1 business case.
The Stage 1 business case addendum considered various procurement options to purchase and run the medical imaging services ranging from State operation purchase options to private operation purchase options.
It recommended outsourcing the operation and provision of equipment to the private sector based on estimated savings to the public sector initially of around $650,000 per annum reducing over time to $270,000. The Ministry endorsed this option in June 2017, but it did not ultimately proceed.
A July 2018 report to the Executive Steering Committee on the project shows NSW Health later decided to deliver operation of the medical imaging unit 'traditionally' with an updated estimate of the cost at approximately $16.4 million. The report also shows the Ministry supported the costs now being met by the Northern Sydney Local Health District.
This means the funding gap previously identified in the Stage 1 business case addendum for fitting out the medical imaging building and supply of major medical equipment would need to be met fully by the State, representing a $16.4 million cost overrun for the project.
Examined reports to the Executive Steering Committee show this was largely funded by the Northern Sydney Local Health District via the disposal of land realising approximately $15.0 million in proceeds.
This initially unforeseen cost, along with the additional $11.0 million for the new works approved under the Stage 1 business case addendum, were ultimately merged with the Stage 2 project initially approved in 2017–18 with an Estimated Total Cost of $200 million.
The 2019–20 State Budget provided an additional $65.0 million for a further Stage 2A to deliver additional built capacity to support outpatient services, enhanced allied health services, re-housed community health services and the delivery of prioritised clinical services unfunded as part of Stage 2. The funds were approved based on an Investment Decision Template (IDT) that examined two options in addition to the base case representing scoping alternatives to the preferred master planned capital solution.
However, we found the IDT showed around 23 per cent of the $65.0 million sought (i.e. $15.0 million) was to be allocated to fund the deficit in Stage 2, which had arisen as a result of project delays due to adverse site conditions. This was not discussed in the IDT.
The February 2020 report to the Executive Steering Committee shows a combined Stage 2 and 2A final forecast cost of $292.6 million against a potential budget of $290.7 million representing an overall deficit for the project of around 0.6 per cent.
However, this favourable final budget position does not transparently show the funding challenges experienced over the project's implementation to-date. The three major budget issues include:
- inappropriate use of around $11.0 million in Stage 1 contingency for originally unfunded works contrary to Treasury policy
- the additional $16.4 million cost unforeseen in the Stage 1 business case for delivering medical imaging services mostly funded through the sale of land
- an additional $15.0 million from Stage 2A to cover the budget overrun in Stage 2 due to adverse site conditions.
The cumulative impact of these events is that Stages 1 and 2 of the Hornsby project cost approximately $42.4 million than it should have in the circumstances around 14 per cent more than what the revised combined Estimated Total Cost for both stages should have been after releasing the $11.0 million in surplus Stage 1 funds, with Stage 2 delayed by around 14 months.
Major construction projects often experience adverse site conditions which can be difficult to fully detect in advance. However, we found this was a common occurrence in the projects we examined sometimes with significant time and/or budget impacts indicating scope to enhance related risk and cost assessments. Specifically:
- Hornsby Ku-ring-gai Hospital Redevelopment Stage 2: adverse site conditions during demolition works resulted in an 11-month delay for delivering the medical imaging unit and 14-month delay completing Stage 2 main works including need for additional $15.0 million in funds to cover the resultant budget deficit for the project.
- Blacktown Mt Druitt Hospital Redevelopment Stage 2: adverse site conditions combined with project complexity delayed completion of the early works by approximately five months. This contributed to the delay in completing the main construction works which occurred around nine months later than planned in the business case.
- Dubbo Health Service Redevelopment Stages 3 and 4: Health Infrastructure advised adverse site conditions including asbestos containing materials and ground conditions delayed works for the main building with completion forecast for March 2021, around 21 months later than planned in the final business case. This resulted in the need for additional $13.5 million to cover increased construction costs and risks, increasing the Stage 3 and 4 forecast final cost from $150 million to $163.5 million as at February 2020.
These examples indicate a risk the cumulative impact of adverse site conditions may be substantial when measured across both time and Health Infrastructure's full delivery program. They also point to potential for Health Infrastructure to achieve efficiencies and improved outcomes from strengthening its approach to assessing and mitigating the risks from adverse site conditions.
Main construction works on Stage 1 of the Dubbo Health Service Redevelopment were completed in October 2015, approximately 13 months later than planned in the final business case. Delays were mainly due to insolvency of the early works contractor resulting in their departure from the project. The ensuing 11-month delay in completing the early works significantly impacted the overall schedule and delivery of main construction works.
The insolvency event was significant as it affected nine separate Health Infrastructure projects – three of which had yet to reach practical completion. It also affected state-funded projects in other sectors. It resulted in the need for additional funding of $11.5 million that was provided in the 2014–15 State Budget increasing the total Stage 1 and 2 budget from $79.8 million to $91.3 million.
Health Infrastructure’s analysis of lessons learned shows it worked actively to mitigate the impacts of the insolvency event across all affected projects. However, it also indicates a risk the lessons were mainly focused on mitigating the impacts after an insolvency event occurred rather than on prevention.
Although Health Infrastructure initially commissioned a financial assessment of the now insolvent early works contractor before engagement, it did not detect any risks of the impending insolvency and instead concluded the contractor was in a strong financial position. However, the contractor became insolvent shortly after commencement approximately seven months later. This indicates a risk of weaknesses in the assessment performed that was not explicitly addressed by the lessons learned.
Delivery of the main construction works were further impacted by disputes with the main works contractor over the scope of works for the renal unit resulting in Health Infrastructure terminating the contract in November 2016 following lengthy negotiations over several months.
The scope of works relating to the renal unit were ultimately transferred to Stages 3 and 4 and were delivered in December 2019, around five years later than originally planned in the business case.
Health Infrastructure advised the delay was ultimately beneficial to the project because the refurbishment works for the renal unit, initially scheduled for Stages 1 and 2, would have been demolished to accommodate the new Western Cancer Centre proposed after Stages 1 and 2 and currently being delivered in parallel with Stages 3 and 4.
Health Infrastructure advised the actual cost of Stages 1 and 2 was $84.7 million against the budget of $91.3 million. The residual $6.6 million relates to the renal works not delivered during Stage 1 and 2 and transferred to Stage 3 and 4.
Health Infrastructure advised the contractual provisions for mitigating insolvency events 'in-flight' are limited highlighting the importance of proactive and effective due diligence prior to engaging contractors for significant construction projects.
Health Infrastructure's 2017-20 Corporate Plan identifies the development of a quality framework to support delivery of future-focused outcomes as a key organisational priority. Related initiatives within the Corporate Plan describe a framework underpinned by a Quality Committee providing advice on:
- records management, to meet the requirements of the State Records Act 1998
- project assurance, to ensure future focused outcomes and enhance Health Infrastructure's Standards, Policies, Procedures and Guidelines, Templates and Design Guidance Notes
- knowledge management and library services, to promote and leverage from project learnings.
Although Health Infrastructure has some elements of a quality framework it is not yet fully in place. Health Infrastructure advised it had yet to establish the quality framework and related committee described in its Corporate Plan due in part to its focus on responding to the growth of its capital program.
Health Infrastructure's Development and Innovation team has been active in supporting continuous improvement in knowledge and project management including development of business cases. Although useful, these initiatives have relied heavily on leveraging and disseminating insights from Gateway reviews and have not formed part of a systematic quality and continuous improvement framework.
The limited focus on the quality of business cases is reflected in internal performance monitoring and reporting which focuses mainly on tracking the delivery of projects against internal benchmarks, often revised from the baselines in the business case, and expenditure against cashflow targets. There is no evident internal monitoring and/or reporting to the Chief Executive and Board on defined quality metrics linked to business case development and staff capability.
Performance reporting on balanced scorecard metrics has similarly focused mainly on process rather than quality and has been inconsistent in recent years.
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Appendix four – Ministry of Health planning tools and guidelines
Appendix five – Streamlined investment decision process for Health Capital Projects
Appendix six – Timeline of business cases and relevant policy guidelines
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #338 - released 12 August 2020
Actions for Internal Controls and Governance 2018
Internal Controls and Governance 2018
The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.
This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.
This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.
This report offers insights into internal controls and governance in the NSW public sector
This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:
- highlighting the potential risks posed by weaknesses in controls and governance processes
- helping agencies benchmark the adequacy of their processes against their peers
- focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.
Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.
Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:
- Internal control trends
- Information technology (IT), including IT vendor management
- Transparency and performance reporting
- Management of purchasing cards and taxis
- Fraud and corruption control.
The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.
The focus of the report has changed since last year
Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.
Agencies selected for the volume account for 95 per cent of the state's expenditure
While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.
Observation | Conclusions and recommendations |
---|---|
2.1 High risk findings | |
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16. | Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority. |
2.2 Common findings | |
We found several internal controls and governance findings common to multiple agencies. | Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective. |
2.3 New and repeat findings | |
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies. | The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies. |
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases |
Recommendation: Agencies should reduce IT risks by:
|
Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.
Observation | Conclusions and recommendations |
---|---|
3.1 Management of IT vendors | |
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review. |
Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by:
|
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract. |
Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination. |
Performance management Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance. |
Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by:
|
Transitioning services Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor. |
Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'. |
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete. |
Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by:
Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations. |
3.2 IT general controls | |
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review. |
Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments. |
User access administration
|
Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems. |
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities. |
Recommendation: Agencies should:
|
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters. |
Recommendation: Agencies should ensure IT password settings comply with their password policies. |
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment. |
Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed. |
This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.
Observation | Conclusion or recommendation |
4.1 Reporting on performance | |
Only 57 per cent of agencies linked reporting on performance to their strategic objectives. The use of targets and reporting performance over time was limited and applied inconsistently. |
Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information. Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports. |
There is no independent assurance that the performance metrics agencies report in their annual reports are accurate. Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported. |
Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited. The relevance and accuracy of performance information is enhanced when:
|
4.2 Reporting on reports | |
Agency reporting on major projects does not meet the requirements of the annual reports regulation. Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations. |
NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations. Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress. |
The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works. Sixteen of 30 agencies reported some information on completed major works. |
Conclusion: Agencies could improve their transparency if they reported, or were required to report:
|
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.
Observation | Conclusion or recommendation |
5.1 Management of purchasing cards | |
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement. |
Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards. |
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy. |
Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'. |
Preventative controls We found that:
|
Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as:
|
Detective controls Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used. |
Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to:
|
5.2 Management of taxis | |
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition:
|
Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies:
|
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews. |
Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program. |
Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.
Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:
- unreported frauds in organisations can be almost three times the number of reported frauds
- our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
- fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
- agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.
Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.
Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.
Observation | Conclusion or recommendation |
6.1 Prevention systems | |
Prevention systems Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies. |
Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by:
|
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be. | Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified. |
6.2 Detection systems | |
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program. |
Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment. |
6.3 Notification systems | |
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption. |
Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture |
Actions for Volume Eleven 2012 focusing on Health
Volume Eleven 2012 focusing on Health
One in three ambulance crews were delayed for longer than 30 minutes at hospital. Over the year these delays totalled 84,680 hours of lost time, up from 78,224 last year and 58,399 the year before. The longer ambulance crews are at hospitals the less time they are available to respond to the next emergency.
Actions for Volume One 2012 focusing on themes from 2011
Volume One 2012 focusing on themes from 2011
The following overview of audits from 2011 found agency restructures significantly impacted agency financial reporting processes, agencies are having difficulty establishing and enforcing compliance with their own policies and procedures, agencies experienced problems complying with regulations and providing adequate documentation to support their financial statements, the poor quality of some financial statements with 1,256 misstatements identified, 540 so significant they had to be corrected, deficiencies in information security exist across many agencies, computer system disaster recovery plans for financial systems not existing or outdated, do not align with agencies’ business recovery requirements, do not properly identify and assess critical systems and processes and testing is incomplete.
Actions for Managing IT Services Contracts
Managing IT Services Contracts
Neither agency (NSW Ministry of Health and NSW Police Force) demonstrated that they continued to get value for money over the life of these long term contracts or that they had effectively managed all critical elements of the three contracts we reviewed post award. This is because both agencies treated contract extensions or renewals as simply continuing previous contractual arrangements, rather than as establishing a new contract and financial commitment. Consequently, there was not a robust analysis of the continuing need for the mix and quantity of services being provided or an assessment of value for money in terms of the prices being paid.
Parliamentary reference - Report number #220 - released 1 February 2012
Actions for Readiness to respond: Follow-up audit
Readiness to respond: Follow-up audit
The Ambulance Service of New South Wales has substantially implemented the 28 recommendations of the 2001 audit report that it accepted. It has also introduced significant new initiatives to improve performance that were not part of the 2001 recommendations. It has made substantial changes to its organisation and operations to implement these changes. Many of the changes are still proceeding. The Service has addressed a key finding of the 2001 audit report - that it did not have adequate, relevant or credible management data for decision making. The Service now has five years of operational data from the Computer Aided Dispatch (CAD) system.
Parliamentary reference - Report number #167 - released 6 June 2007
Actions for Responding to homelessness
Responding to homelessness
Many projects, both Partnership Against Homelessness and by individual agencies, have shown good results or led to improvements. One example is helping mental health patients maintain stable housing. Another is providing street outreach services to homeless people in inner Sydney. Despite these efforts, we were unable to determine how well the government is responding to homelessness statewide. This is because there are no statewide performance measures or targets on homelessness. Also there is limited benchmarking, and no formal means of spreading information on homelessness initiatives and projects.
Parliamentary reference - Report number #165 - released 2 May 2007