Refine search

Reports

12 December 2019

Published

Central Agencies 2019

Treasury

Premier and Cabinet

Financial reporting

Internal controls and governance

Management and administration

Risk

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of NSW Government central agencies, namely the Premier and Cabinet, Treasury and Customer Service clusters. There are 191 agencies in these clusters, including government financial, superannuation and insurance entities.

Unqualified audit opinions were issued on the financial statements for all agencies in the clusters. There were two high risk and 99 moderate risk audit findings on internal controls. Of these, 31 percent were repeat issues, and most related to weaknesses in information technology access controls.

The report notes a number of audit observations including:

a qualified opinion on information technology internal controls at an outsourced service provider
self-insurance losses of $1.4 billion partly due to unfavourable movements in the risk free discount rate, and increases in workers compensation claims, including psychological injury claims
a shortfall (unfunded liability) of $637 million at 30 June 2019 in the Home Building Compensation Fund, due to premiums not being sufficient to meet costs of the scheme
agencies self-assessed against the Australian Cyber Security Centre’s ‘Essential 8’ cyber risk mitigation strategies for the first time in 2018-19. Based on their own self assessments, more work needs to be done to improve cyber security resilience.

This report analyses the results of our financial statement audits of the Treasury, Premier and Cabinet and Customer Service clusters for the year ended 30 June 2019. Our key observations are summarised below.

This report provides parliament and other users of the NSW Government's central agencies and their cluster agencies financial statements with the results of our audits, observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
government financial services.

Central agency clusters were significantly impacted by Machinery of Government changes which took effect on 1 July 2019. This report is focussed on agencies now in the Treasury, Premier and Cabinet and Customer Service clusters. Some of these agencies may have been in another cluster during 2018–19. Please refer to the section on Machinery of Government changes for more details.

Central agencies and their key responsibilities are set out below.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes are where the government reorganises these structures and functions and they are given effect by Administrative orders.

The MoG changes announced following the NSW State election on 23 March 2019 significantly impacted Central Agencies’ clusters through Administrative Changes Orders issued on 2 April 2019 and 1 May 2019. These orders took effect on 1 July 2019.

Section highlights

Significant impacts of the 2019 MoG changes included:

abolishing the former Department of Finance, Services and Innovation, and creating the Department of Customer Service as the principal agency within the newly established Customer Service cluster
transferring Jobs for NSW, Destination NSW and the Western City and Aerotropolis Authority into the Treasury cluster
transferring Arts and Culture entities and Aboriginal Affairs NSW into the Premier and Cabinet cluster
new responsibilities, risks and challenges for each cluster

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations on the 2019 financial reporting of agencies in the Treasury, Premier and Cabinet, and Customer Service clusters.

Section highlights

Unqualified audit opinions were issued on the 30 June 2019 financial statements of all agencies within the three clusters, and the Legislature.
The NSW Self Insurance Corporation (Corporation) 2018–19 financial statements did not include an estimate of the liability for unreported incidents of abuse that have occurred within NSW Government institutions. This is because the Corporation’s financial exposure could not be reliably measured at 30 June 2019. The exposure was instead disclosed as an unquantified contingent liability in the financial statement notes. This liability may be material to the Corporation and the Total State Sector financial statements.
We recommend management and those charged with governance review instructions provided to management experts each year, along with other significant accounting judgements.
Agencies will be implementing the requirements of new accounting standards shortly. These could significantly impact their financial positions and operating results. We noted instances where agencies need to do more work on their impact assessments to minimise the risk of errors in the 2019–20 financial statements.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury, Premier and Cabinet and Customer Service clusters.

Section highlights

The 2018–19 audits found two high risk and 99 moderate risk issues across the agencies. Of these, 31 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration.
NSW Government agency self-assessment results show that the NSW Public Sector's cyber security resilience needs urgent attention.
GovConnect received a qualified opinion from the auditor of their service provider, Unisys, over weaknesses in information technology controls.
Crown revenues from taxes, fines and fees continued to increase, but this was offset by decreases in stamp duty on property sales.
The CTP reform resulted in green slip refunds of $198 million to vehicle owners. Unclaimed refunds are to be returned to motorists through a reduction in green slip premiums.

Background

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Section highlights

Last year's Auditor-General's Report to Parliament recommended Treasury consult with STC Pooled Fund and PCS Fund Trustees to prescribe prudential standards and requirements. Treasury has not taken specific action to address this recommendation.
We recommend Treasury formally assess the merits of implementing prudential standards and supervision arrangements, after considering the risks, benefits and costs to scheme members.
The NSW Self Insurance Corporation did not include an estimate of the liability for unreported incidents of abuse that have occurred within NSW Government institutions because it could not be reliably measured at 30 June 2019. The amounts involved could be material to the Corporation's and Total State Sector's financial statements.
Insurance scheme liabilities were significantly impacted by unfavourable movements in economic assumptions, including a decrease in the risk free discount rate, and adverse changes in non-economic assumptions, such as higher medical costs.

Appendix one – Timeliness of financial reporting by agency

Appendix two – Management letter findings by agency

Appendix three – Status of 2018 recommendations

Appendix four – Cluster agencies

Appendix five – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

5 December 2019

Published

Stronger Communities 2019

Justice

Community Services

Compliance

Financial reporting

Internal controls and governance

Management and administration

Project management

Service delivery

Shared services and collaboration

Workforce and capability

A report has been released on the NSW Stronger Communities cluster.

From 1 July 2019, the functions of the former Department of Justice, the former Department of Family and Community Services and many of the cluster agencies moved to the new Stronger Communities cluster. The Department of Communities and Justice is the principal agency in the new Stronger Communities cluster.

The report focuses on key observations and findings from the most recent financial audits of agencies in the Stronger Communities cluster.

Unqualified audit opinions were issued on the financial statements for all agencies in the cluster.

There were 157 audit findings on internal controls. Two of these were high risk and 59 were repeat findings from previous financial audits. ‘Cluster agencies should prioritise actions to address internal control weaknesses promptly with particular focus given to issues that are assessed as high risk’, the Auditor-General said.

The report notes that the NSW Government’s new workers' compensation legislation, which gave eligible firefighters presumptive rights to workers' compensation, cost emergency services agencies $180 million in 2018–19, mostly in increased premiums.

Download the PDF version of report

This report analyses the results of our audits of financial statements of the agencies comprising the Stronger Communities cluster for the year ended 30 June 2019. The table below summarises our key observations.

This report provides parliament and other users of the financial statements of agencies in the Stronger Communities cluster with the results of our audits, our observations, analyses, conclusions and recommendations in the following areas:

financial reporting
audit observations.

This cluster was significantly impacted by the Machinery of Government (MoG) changes on 1 July 2019. This report focuses on the agencies that from 1 July 2019, comprised the Stronger Communities cluster. The MoG changes moved some agencies from the clusters to which they belonged in 2018–19 to the Stronger Communities cluster. Conversely, the MoG also moved some agencies formerly in the Family and Community Services cluster and Justice cluster elsewhere. Please refer to the section on Machinery of Government changes for more details.

The Department of Communities and Justice is the principal agency of the cluster. The newly created department combines functions of the former Department of Justice and the Department of Family and Community Services.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes occur when the government reorganises these structures and functions and those changes are given effect by Administrative Orders.

The MoG changes announced following the NSW State election on 23 March 2019 significantly impacted the Stronger Communities cluster through Administrative Changes Orders issued on 2 April 2019 and 1 May 2019. These orders took effect on 1 July 2019.

Section highlights

The 2019 MoG changes significantly impacted the former Justice and Family and Community Services (FACS) departments and clusters.

The Stronger Communities cluster combines most of the functions and agencies of the former Justice and FACS clusters from 1 July 2019.
The Department of Communities and Justice is now the principal agency in the new cluster.
The MoG changes bring new responsibilities, risks and challenges to the cluster.
A temporary office has been established by the Department of Communities and Justice to support the cluster in the planning, delivery and reporting associated with implementing the changes.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations relating to the financial reporting of agencies in the Stronger Communities cluster for 2019.

Section highlights

Unqualified audit opinions were issued for all agencies' 30 June 2019 financial statements. However, further actions can be taken by some cluster agencies to enhance the quality of their financial reporting.
In November 2018, the Department of Justice implemented a new Victims Support Services system called VS Connect. Significant data quality issues arising from the VS Connect system implementation impacted the Department's ability to reliably estimate its Victims Support Scheme claims liabilities at 30 June 2019.
We recommend the Department of Communities and Justice resolves the data quality issues in the new VS Connect System before 30 June 2020 and capture and apply lessons learned from recent project implementations, including LifeLink, Justice SAP and VS Connect, in any relevant future implementations.
Our audits found some cluster agencies needed to do more work on their impact assessments and preparedness to implement the new accounting standards, to minimise the risk of errors in their 2019–20 financial statements.
Cluster agencies with annual leave balances exceeding the State's target should further review their approach to managing leave balances.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Stronger Communities cluster.

Section highlights

Cluster agencies should action recommendations to address internal control weaknesses promptly. Particular focus should be given to prioritising high risk issues. The 2018–19 financial audits of cluster agencies identified 157 internal control issues. Of these, two were high risk and 37.6 per cent were repeat findings from previous audits.
Data from the Department of Justice shows the inmate population reached a maximum of 13,798, compared to an operational capacity of 14,626 beds on 31 August 2019. This equates to an operational vacancy rate of 5.7 per cent, which is more than the recommended 5.0 per cent buffer. This is the first time the vacancy rate has exceeded the target over the last five years. Growth in the NSW prison population is being managed through the NSW Government's $3.8 billion Prison Bed Capacity Program.
In September 2018, the NSW Government introduced new workers' compensation legislation, which gives eligible firefighters presumptive rights to workers' compensation when diagnosed with one of 12 prescribed cancers. The new legislation cost emergency services agencies $180 million in 2018–19, mainly through additional workers' compensation premiums.

Appendix one – Timeliness of financial reporting by agency

Appendix two – Management letter findings by agency

Appendix three – List of 2019 recommendations

Appendix four – Status of 2018 recommendations

Appendix five – Cluster agencies

Appendix six – Financial data

Copyright notice

5 November 2019

Published

Internal Controls and Governance 2019

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Compliance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

financial controls
information technology controls
gifts and benefits
internal audit
contingent labour
sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers
policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
an absence of privileged user activity reviews at 35 per cent of agencies
password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
providing on-going training, awareness activities and support to employees, not just at induction
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use and tenure to agency executive teams
strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

internal control trends
information technology controls, including access to agency systems
protecting sensitive information held within agencies
managing large and diverse workforces (controls around employing and managing contingent workers)
maintaining an ethical culture (management of gifts and benefits)
effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
providing on-going training, awareness activities and support to employees, not just at induction
regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:

documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
involving the CAE more extensively in executive forums as an observer
documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:

preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Key areas where agencies can improve their management of sensitive data include:

identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
developing comprehensive data breach management policies to ensure data breaches are appropriately managed
maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

18 June 2019

Published

Biosecurity risk management

Industry

Risk

The report focuses on the Department of Primary Industries’ (DPI) as the lead agency for biosecurity in New South Wales. It examines how well the department responds to biosecurity emergencies and manages compliance activities. DPI’s state partners include NSW Health, the NSW Environment Protection Authority, Local Land Services, and Local Control Authorities to manage biosecurity risks in New South Wales.

Biosecurity is the protection of the economy, environment, and community from the negative impacts of pests, diseases, weeds, and contaminants.

National and State governments have defined roles and responsibilities for biosecurity in Australia, reflecting the allocation of powers in the Australian Constitution. The Australian Government has direct responsibility for biosecurity (quarantine) at the international border, and works jointly with the states and territories to set the legislative framework and policy direction for managing biosecurity nationally. It also works with state and territory governments to ensure there is a national approach to biosecurity. State governments manage their biosecurity activities within the national framework.

The Department of Primary Industries (DPI), within the Department of Industry, is the lead agency for biosecurity in NSW. This audit was conducted with the Department of Industry as the auditee. On 2 April 2019 the NSW Government announced it will abolish the Department of Industry. From 1 July 2019 the Department of Planning, Industry and Environment, will have responsibility for biosecurity activities described in this report.

The NSW Biosecurity Strategy 2013–2021 (the Strategy) articulates the NSW Government’s responsibilities for biosecurity within the national legislative framework. Achieving the outcomes of the strategy relies on DPI fulfilling two key responsibilities. Firstly, undertaking direct actions, such as implementing strong regulatory compliance and licensing activities, and managing biosecurity emergency responses. Secondly, leading the response to biosecurity risks by fostering effective collaboration with stakeholders across government, industry, and the wider community.

In NSW, 11 regional Local Land Services (LLS) are the key partners for DPI in meeting its biosecurity responsibilities. Each LLS develops and implements strategies to manage invasive pests and diseases within their regions. They also investigate new reports of pests or diseases in their regions and staff local emergency control centres when an emergency response is triggered.

Local Control Authorities (LCAs) also have a role in biosecurity management. LCAs include local councils and a small number of specialist regional agencies. Their role focuses on strategies to manage weeds within their local areas.

This audit assessed the effectiveness and economy of DPI’s biosecurity emergency response and prevention activities. It looks at DPI’s emergency response practice and its compliance program as a key prevention activity for which DPI has primary responsibility. DPI sets policy and procedural compliance standards for management of biosecurity risks in NSW and also conducts an annual program of property inspections and investigations that ensure that its compliance policies and procedures are being applied effectively.

Appendix one - Response from agency

Appendix two - Location of selected biosecurity emergency responses

Appendix three - About the audit

Appendix four - Performance auditing

Parliamentary Reference: Report number #321 - released 18 June 2019

Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Banner image: ‘Yellow crazy ant’, supplied and permitted for use by NSW Department of Primary Industries under Creative Commons Attribution-ShareAlike 3.0 Unported Licence. Full terms.

27 May 2019

Published

Engagement of probity advisers and probity auditors

Transport

Education

Health

Compliance

Internal controls and governance

Procurement

Project management

Workforce and capability

Three key agencies are not fully complying with the NSW Procurement Board’s Direction for engaging probity practitioners, according to a report released today by the Acting Auditor-General for New South Wales, Ian Goodwin. They also do not have effective processes to achieve compliance or assure that probity engagements achieved value for money.

Probity is defined as the quality of having strong moral principles, honesty and decency. Probity is important for NSW Government agencies as it helps ensure decisions are made with integrity, fairness and accountability, while attaining value for money.

Probity advisers provide guidance on issues concerning integrity, fairness and accountability that may arise throughout asset procurement and disposal processes. Probity auditors verify that agencies' processes are consistent with government laws and legislation, guidelines and best practice principles.

According to the NSW State Infrastructure Strategy 2018-2038, New South Wales has more infrastructure projects underway than any state or territory in Australia. The scale of the spend on procuring and constructing new public transport networks, roads, schools and hospitals, the complexity of these projects and public scrutiny of aspects of their delivery has increased the focus on probity in the public sector.

A Procurement Board Direction, 'PBD-2013-05 Engagement of probity advisers and probity auditors' (the Direction), sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets, but that agencies:

should use external probity practitioners as the exception rather than the rule
should not use external probity practitioners as an 'insurance policy'
must be accountable for decisions made
cannot substitute the use of probity practitioners for good management practices
not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent.

The scale of probity spend may be small in the context of the NSW Government's spend on projects. However, government agencies remain responsible for probity considerations whether they engage external probity practitioners or not.

The audit assessed whether Transport for NSW, the Department of Education and the Ministry of Health:

complied with the requirements of ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’
effectively ensured they achieved value for money when they used probity practitioners.

These entities are referred to as 'participating agencies' in this report.

We also surveyed 40 NSW Government agencies with the largest total expenditures (top 40 agencies) to get a cross sector view of their use of probity practitioners. These agencies are listed in Appendix two.

Conclusion

We found instances where each of the three participating agencies had not fully complied with the requirements of the NSW Procurement Board Direction ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’ when they engaged probity practitioners. We also found they did not have effective processes to achieve compliance or assure the engagements achieved value for money.

In the sample of engagements we selected, we found instances where the participating agencies did not always:

document detailed terms of reference
ensure the practitioner was sufficiently independent
manage probity practitioners' independence and conflict of interest issues transparently
provide practitioners with full access to records, people and meetings
establish independent reporting lines reporting was limited to project managers
evaluate whether value for money was achieved.

We also found:

agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners
the NSW Procurement Board does not effectively monitor agencies' compliance with the Direction's requirements. Our enquiries revealed that the Board has not asked any agency to report on its use of probity practitioners since the Direction's inception in 2013.

There are no professional standards and capability requirements for probity practitioners

NSW Government agencies use probity practitioners to independently verify that their procurement and asset disposal processes are transparent, fair and accountable in the pursuit of value for money.

Probity practitioners are not subject to regulations that require them to have professional qualifications, experience and capability. Government agencies in New South Wales have difficulty finding probity standards, regulations or best practice guides to reference, which may diminish the degree of reliance stakeholders can place on practitioners’ work.

The NSW Procurement Board provides direction for the use of probity practitioners

The NSW Procurement Board Direction 'PBD-2013-15 for engagement of probity advisers and probity auditors' outlines the requirements for agencies' use of probity practitioners in the New South Wales public sector. All NSW Government agencies, except local government, state owned corporations and universities, must comply with the Direction when engaging probity practitioners. This is illustrated in Exhibit 1 below.

Appendix one – Response from agencies

Appendix two – List of selected agencies

Appendix three – About the audit

21 February 2019

Published

Compliance of expenditure with Section 12A of the Public Finance and Audit Act 1983 - Law Enforcement Conduct Commission

Justice

Compliance

Management and administration

The Hon. Troy Grant MP, Minister for Police and Minister for Emergency Services requested an audit under section 27B(3)(c) of the Public Finance and Audit Act 1983, to determine whether expenditure on overseas travel by the Law Enforcement Conduct Commission (the Commission) complied with section 12A of the Public Finance and Audit Act 1983.

On 9 November 2018, the Hon. Troy Grant MP, Minister for Police and Minister for Emergency Services (the Minister), requested an audit under s. 27B(3)(c) of the Public Finance and Audit Act 1983 (the PF&A Act) to determine whether the expenditure of $8,074.66 on overseas travel by the Law Enforcement Conduct Commission (the LECC) complied with s. 12A of the PF&A Act.

In forming my audit conclusion, I have reviewed documentation provided by the Minister and the LECC, made enquiries of LECC staff, and sought independent legal advice on key aspects of the PF&A Act and the Law Enforcement Conduct Commission Act 2016 (the LECC Act) and their interface.

In my opinion, the LECC did not comply with s. 12A of the PF&A Act because the Minister:

had not delegated his authority to approve expenditure for overseas travel to an officer in the LECC
had specifically declined approving a request from the LECC to incur expenditure on the travel in question.

Despite this, the LECC incurred the expenditure.

In my view, the LECC required the Minister’s approval to incur the overseas travel expenditure before it could legally spend funds for this purpose from its appropriation.

The LECC is an independent investigative body, funded by appropriation, to oversight NSW Police and the Crime Commission

The Bill to establish the LECC was introduced to parliament following a review of the police oversight system.¹ The establishment of the LECC drew together functions previously undertaken by the Police Integrity Commission, the Ombudsman and the Inspector of the Crime Commission. It aimed to ‘remove overlapping responsibilities, inefficiencies and failures’ and ‘create a single civilian law enforcement oversight body’.²

Part 4 of the LECC Act sets out the functions of the Commission as an independent investigative body. The objects of the LECC Act are summarised in Appendix one. The LECC Act provides that the Minister cannot direct the LECC on how to perform its functions.

Notably, s. 22 of the LECC Act states:

The Commission and Commissioners are not subject to the control or direction of the Minister in the exercise of their functions.

For the financial year ended 30 June 2018, under s. 22 of the Appropriation Act 2017 (NSW), $21,195,000 was appropriated to the Minister for the LECC’s services. This provided the statutory basis for the sum in question to be drawn from the Consolidated Fund, but only in accordance with the PF&A Act.

The PF&A Act is the legislation that governs the administration of public finances

The PF&A Act determines how expenditure is to occur and sets out the conditions under which such expenditure can occur in NSW public sector agencies.The LECC is an agency within the NSW public sector.

Section 12A of the PF&A Act stipulates that:

A Minister to whom a sum of money is appropriated out of the Consolidated Fund for a use or purpose (whether by an annual Appropriation Act or other Act) may delegate to another Minister or to an officer of any authority, or authorise another Minister to delegate to an officer of any authority, the committing or incurring of expenditure from the sum so appropriated.

Section 12 of the PF&A Act also stipulates that:

Expenditure shall be committed or incurred by an officer of an authority only within the limits of a delegation in writing conferred on the officer by a person entitled to make the delegation.

The relevant ‘authority’ in this case was the Office of the Law Enforcement Conduct Commission (Office of the LECC) - a body which, under the Government Sector Employment Act 2013 (the GSE Act)³employs the staff of the LECC.

Prima facie, as the LECC is funded by appropriation and is subject to the PF&A Act, its officers can only commit or incur expenditure with a delegation from the Minister.

The Minister did not delegate his right to approve expenditure on overseas travel

In April 2017, the Minister approved the LECC’s financial delegations under the authority vested in him by s. 12A of the PF&A Act. However, he reserved his right to approve any expenditure on overseas travel. This effectively required the LECC to obtain his approval for each instance of such expenditure.⁴

The Minister declined approval of a LECC request for an officer to travel overseas

In August 2017, the Chief Commissioner sought the Minister’s approval to incur overseas travel expenditure. The Minister exercised his right under the PF&A Act to decline the request and confirmed this in writing:

Establishment of LECC being in its infancy, travel is not supported at this time. Operating priorities should be the focus at this time.

The LECC paid the overseas travel expenses without a delegation or Ministerial approval

In October 2017, despite the absence of a delegation or approval from the Minister to incur expenditure on overseas travel, the Chief Commissioner approved a total of $8,074.66 for the LECC’s Director of Covert Services to travel to, and attend an international conference.

The LECC booked and paid for the travel in four payments between October and December 2017. Over the same period the Chief Commissioner reimbursed the agency for these expenses from his personal funds. On 13 October 2017, the Chief Commissioner wrote to the Minister asking him to reconsider his decision. On 12 January 2018, in the absence of a response from the Minister, the Chief Commissioner directed the LECC’s finance officer to ‘repay the relevant costs to my account’.⁵ On 16 January 2018, the LECC’s Chief Executive Officer approved the reimbursement to the Chief Commissioner, which occurred on 17 January 2018. Appendix three provides further detail on the series of payments.

The Chief Commissioner first disclosed he had been reimbursed for the expenses, without Ministerial approval, in March 2018. In August 2018, the Chief Commissioner made a further disclosure about the expenditure at Budget Estimates.⁶

The Chief Commissioner argues the overseas travel expenditure was properly incurred

The Chief Commissioner argues the LECC’s overseas travel expenditure was properly incurred because:

the travel was undertaken in pursuit of the detective and investigative functions specified in s. 26(b)(i) of Part 4 of the LECC Act⁷
a specific reservation in public policy cannot be qualified by general rules of public policy.⁸ The Chief Commissioner argues s. 22 of the LECC Act is a specific provision that conflicts with the general provisions in ss. 12 and 12A of the PF&A Act. In his view, the conflict is resolved by applying the principle that a specific later provision effectively repeals an earlier general provision. In his view, the LECC Act contains a specific provision that the Minister cannot direct the LECC in exercising its functions, whereas the PF&A Act contains general provisions which deal with the spending of public money.

The Chief Commissioner believes the Minister’s decision⁷:

was not made in the bona fide exercise of the power conferred on him by the PF&A Act as it interfered with the management of the LECC’s operating priorities
and his failure to enquire into the operational situation of the LECC were not decisions a rational decision maker could have made
was made for an improper purpose and was biased, in that the Minister had approved expenditure for a member of NSW Police to travel to the conference, but denied the same to a member of the LECC, which oversights NSW Police
breached s. 22 of the LECC Act, because it directed the LECC Commissioners in the exercise of their functions.

The Crown Solicitor and Solicitor General advised the expenditure breached the PF&A Act

On 7 September 2017, the Crown Solicitor advised the Office of Police (part of the Department of Justice) that:

The Minister’s authority to determine whether or not to approve a particular expenditure from the amount appropriated from the Consolidated Fund for the purpose of the Commission under the Constitution Act 1902 and the PF&A Act is not affected by s.22 of the LECC Act. These have different spheres of operation. It is not unusual for otherwise independent bodies to be subject to restrictions with respect to the use of public moneys.⁹

Subsequently, the Crown Solicitor asked the Solicitor General to review the matter of her previous advice. On 14 December 2017, the Solicitor General concurred with the Crown Solicitor’s advice. He concluded that:

Although LECC has a high degree of independence under its legislation, it is a body operating in the public sector and within the context of the broad policies of the government of the day in relation to public administration... it is not a function of LECC or its Commissioners to deal directly with money appropriated to the Minister out of the Consolidated Fund.¹⁰

The Secretary of the Department of Justice forwarded the Crown Solicitor’s and the Solicitor General’s advice to the Chief Commissioner.¹¹The Chief Commissioner continues to contest the Crown Solicitor’s and the Solicitor General’s advice.¹²

The Minister referred the matter to the Inspector of the LECC

In August 2018, the Minister referred the Chief Commissioner’s disclosure in Budget Estimates¹³ that he had been personally reimbursed for an expense concerning overseas travel by an officer of the LECC, to the Inspector of the LECC (the Inspector).¹⁴ The Inspector is the person, under s. 122 of the LECC Act, responsible for 'auditing the operation of the Commission for the purpose of monitoring compliance with the law of the State'. On 4 September 2018, the Inspector recused himself from investigating the Minister’s complaint.¹⁵ In his letter to the Premier dated 19 September 2018, he wrote ‘I informed the Minister for Police that I had acquired information in my capacity as Inspector of LECC (and in the discharge of my statutory functions) prior to receiving his letter of complaint…’. He further suggested to the Minister and the Premier that an Assistant Inspector be appointed to investigate the complaint under s. 121(1) of the LECC Act to give ‘proper and independent’ consideration to the Minister’s complaint.¹⁶

The Minister asks the Auditor General to audit the transaction’s compliance with the PF&A Act

An Assistant Inspector appointed under section 121 of the LECC Act can exercise any function of the Inspector, including ‘auditing the operations of the Commission’. The reasons why an Assistant Inspector was not appointed to investigate the matter are not apparent. Instead, on 9 November 2018, the Minister requested the Auditor General to conduct an audit of whether the expenditure complied with s. 12A of the PF&A Act.¹⁷

¹  By the former shadow Attorney General, Mr Andrew Tink AM.
²  Second reading speech of Minister Troy Grant for the LECC Bill.
³  Per the definition of ‘authority’ in s. 4(1) of the PF&A Act and the definition of ‘Public Service agency’ in s. 3 of the GSE Act and Part 3 of Schedule 1 to the GSE Act.

⁴ A timeline of the key events relevant to this audit is set out in Appendix two.

⁵ Note from the Chief Commissioner to LECC’s finance officer.

⁶ Portfolio Committee No.4 - Legal Affairs (Police, Emergency Services).

⁷ Letter from the Chief Commissioner to the Secretary of the Department of Justice 24 November 2017.

⁸Letter from the Chief Commissioner to the Auditor‑General 12 December 2018.

⁹ Crown Solicitor’s advice ‑ NSW Parliamentary website.

¹⁰ Solicitor‑General’s advice ‑ NSW Parliamentary website.

¹¹ The Chief Commissioner acknowledged receipt of the Crown Solicitor’s and Solicitor‑General’s advice on 24 November 2017 and 26 February 2018 respectively.

¹² Letter from the Chief Commissioner to the Auditor‑General 12 December 2018.

¹³ Portfolio Committee No.4 - Legal Affairs (Police, Emergency Services).

¹⁴ Letter from the Minister to the Hon. Terry Buddin SC, Inspector of the LECC.

¹⁵ Letter from the Hon. Terry Buddin SC, Inspector of the LECC to the Minister 4 September 2018.

¹⁶ Letter from the Hon. Terry Buddin to the Premier 19 September 2018.

¹⁷ Ss. 12 and12A of the PF&A Act were repealed by the Government Sector Finance Legislation (Repeal and Amendment) Act 2018 Schedule 2[5] and re‑enacted as s5.2 of the Government Sector Finance Act 2018. However, these provisions were the law at the time of the events.

In forming my adverse conclusion, I considered the Chief Commissioner’s argument that s. 22 of the LECC Act prevailed over those sections of the PF&A Act that deal with spending public money, and:

the principles of statutory interpretation that might apply when a potential conflict between a general provision in one Act and specific provisions in another exists
whether an apparent conflict exists
whether the Chief Commissioner was entitled to incur the expenditure without Ministerial approval
whether the Minister was lawfully entitled to withhold approval for the expenditure from the Chief Commissioner.

The principles of statutory interpretation apply where potential conflicts exist between Acts

A basic principle of statutory interpretation is that all legislation be given its full scope and effect. Courts, and thereby other interpreters, are not at liberty to consider any word or meaning as superfluous. The starting point is that all words must be given some meaning and effect.¹⁸ If there is an apparent conflict between two Acts, the pieces of legislation should be read in such a way as to avoid that conflict by giving the words the construction that produces the greatest harmony and the least inconsistency.¹⁹

One way conflict can be avoided is to apply the approach that a later general provision does not override an earlier specific provision.²⁰ However, this approach is rebuttable, as a later general Act might also be said to qualify an earlier specific Act.²¹ The reverse can also apply, in that a later specific Act can be claimed to qualify or supersede an earlier general provision. In such a case, it is said that the later Act impliedly repeals the earlier. This is an easier case to make out because it is apparent the parliament has dealt with the specific instance and it would be reasonable to expect that it had considered any contrary general legislation. However, here again, the courts have qualified this approach by suggesting it should be presumed unlikely that a parliament would intend to contradict itself. If the specific Act was intended to qualify an earlier general Act, then the legislation would have spelt this out.

One must therefore always start from the premise that all words are to be given meaning and effect, and that meaning should enable both pieces of legislation to operate. It is only where the point is reached that it is not possible for both pieces of legislation to operate to their full extent that the approaches to resolving conflicts can be usefully invoked. The approaches may then be useful to determine which is the primary provision and which provision must give way to the requirements set out in that primary provision.

Is there an apparent conflict between the LECC Act and the PF&A Act that needs to be resolved?

No. The LECC Act deals specifically with the operational functions of the LECC, while the PF&A Act deals with the specific issue of expenditure by a delegate of the Minister.

The Chief Commissioner argues that s. 22 of the LECC Act is a specific provision and should take precedence over general delegation provisions in the PF&A Act, namely ss. 12 and 12A. He argues this because s. 22 deals specifically with the operation of the LECC and prohibits the Minister from directing the LECC in the performance of its functions. In his view, this includes the administrative and financial functions impliedly invested in the LECC for it to perform the specific functions referred to in the LECC Act.

However, it can also be readily argued that s. 22 of the LECC Act deals with the general issue of Minister's directions to the LECC and the PF&A deals with the specific issue of expenditure by a delegate of the Minister. While the expenditure of funds may be essential for the LECC to perform its functions, that expenditure is controlled by the PF&A Act, as it controls all expenditure from the Consolidated Fund. The PF&A Act is the specific legislation that relates to expenditure.

The issues that have arisen can be resolved by looking at the effect of the two Acts in their application to the facts. In my view, the PF&A Act and the LECC Act can be applied to the facts under consideration as they deal with different issues and are thereby capable of separate operation.

Was the LECC able to incur expenditure without Ministerial approval?

No. The PF&A Act applies to the LECC in the same way it applies to all NSW Government agencies. While the Minister had approved the LECC’s financial delegations under the authority vested in him by s. 12A of the PF&A Act, he reserved his right to approve all expenditure on overseas travel. This effectively required the LECC to obtain his approval for each instance of such expenditure. As the Minister did not approve the overseas travel request, the Chief Commissioner was not legally able to authorise the expenditure.

The PF&A Act determines how expenditure is to occur and sets out the conditions under which such expenditure can occur in New South Wales public sector agencies. Expenditure can ‘only be committed or incurred by an officer of an authority within the limits of a delegation in writing conferred on the officer by a person entitled to make the delegation’.²²

Was the Minister lawfully entitled to withhold approval of the overseas travel expenditure?

Yes. If one accepts the premise that the PF&A Act determines the basis on which public money can be spent, it follows that the Minister could exercise the discretion reserved to him by financial delegation and withhold approval of the overseas travel expenditure for the LECC officer.

Section 22 of the LECC Act prevents the Minister from directing the LECC to send (or not to send) an officer to a conference. However, the Minister did not direct the LECC as to whether the person should or should not attend the conference. Rather, he exercised the responsibility given to him to determine how public funds were to be spent.

The appropriation to the LECC provided funding to the delegate of the Minister to support the performance of the agency’s functions. However, the expenditure of money for overseas travel was governed by ss. 12 and 12A of the PF&A Act. This gave the Minister discretion to approve or refuse to approve expenditure for overseas travel on a case by case basis. It follows from this that the Chief Commissioner was not entitled to spend money for overseas travel, even though in the Commissioner’s view it was beneficial to the performance of the LECC’s functions.

It may be suggested that the Minister’s refusal to provide funding for a particular function may have the same effect as directing an agency not to perform that function. NSW’s constitutional structure of government establishes that public money can only be spent in accordance with legislation and if expenditure requires a Minister’s approval, that approval establishes the ability of an agency to spend that money. That said, in reserving approval for certain types of expenditures, care should be exercised not to unduly interfere with the legitimate functions of independent agencies.

¹⁸ Commonwealth v Baume (1905) 2 CLR 405 per Griffith CJ at 414.

¹⁹ Australian Alliance Assurance Co Ltd v Attorney‑General (Qld) [1916] St R Qld 135 at 161.

²⁰ Maybury v Plowman (1913) 16 CLR 468 at 473‑4 the approach is often described within the Latin tag (generalia specialibus non derogant).

²¹ Associated Minerals Consolidated Ltd v Wyong Shire Council [1974] 2 NSWLR 681 at 686.

²² Section 12(1) of the PF&A Act.

This assurance audit is a ‘direct engagement’ whereby the Auditor‑General provides the Minister and parliament with reasonable assurance about whether $8,074.66 spent on overseas travel by the LECC complied, in all material respects with s. 12A of the PF&A Act.

My audit was conducted in accordance with applicable Standards on Assurance Engagements (ASAE 3100 ‘Compliance Engagements’).

In conducting my audit, I have complied with:

the independence requirements of Australian Auditing and Assurance Standards
ASQC 1 ‘Quality Control for firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Service Engagements’
relevant ethical pronouncements.

Parliament promotes independence by ensuring the Auditor‑General and the Audit Office of New South Wales are not compromised in their roles by:

providing that only parliament, and not the executive government, can remove an Auditor‑General
mandating the Auditor‑General as auditor of public sector agencies
precluding the Auditor‑General from providing non‑audit services.

I have reviewed documentation provided by the Minister and the LECC, gained an understanding of the LECC’s controls and processes for approving and making expenditure and made enquiries of LECC staff. I have also:

gained an understanding of the relevant pieces of legislation and case law
reviewed the advice of the Crown Solicitor and the Solicitor‑General
sought independent legal advice on key aspects of the PF&A Act and the Law Enforcement Conduct Commission Act 2016 (the LECC Act) from an acknowledged expert in statutory interpretation
conducted interviews with key persons
reviewed the documentation listed in Appendix four.

Appendix one - Legislated functions of the LECC

Appendix two - Timeline of events

Appendix three - The transactions

Appendix four - Interviews and key documents

12 December 2018

Published

Newcastle Urban Transformation and Transport Program

Transport

Planning

Compliance

Infrastructure

Management and administration

Procurement

Project management

The urban renewal projects on former railway land in the Newcastle city centre are well targeted to support the objectives of the Newcastle Urban Transformation and Transport Program (the Program), according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. The planned uses of the former railway land achieve a balance between the economic and social objectives of the Program at a reasonable cost to the government. However, the evidence that the cost of the light rail will be justified by its contribution to the Program is not convincing.

The Newcastle Urban Transformation and Transport Program (the Program) is an urban renewal and transport program in the Newcastle city centre. The Hunter and Central Coast Development Corporation (HCCDC) has led the Program since 2017. UrbanGrowth NSW led the Program from 2014 until 2017. Transport for NSW has been responsible for delivering the transport parts of the Program since the Program commenced. All references to HCCDC in this report relate to both HCCDC and its predecessor, the Hunter Development Corporation. All references to UrbanGrowth NSW in this report relate only to its Newcastle office from 2014 to 2017.

This audit had two objectives:

To assess the economy of the approach chosen to achieve the objectives of the Program.
To assess the effectiveness of the consultation and oversight of the Program.

We addressed the audit objectives by answering the following questions:

a) Was the decision to build light rail an economical option for achieving Program objectives?
b) Has the best value been obtained for the use of the former railway land?
c) Was good practice used in consultation on key Program decisions?
d) Did governance arrangements support delivery of the program?

Conclusion
1. The urban renewal projects on the former railway land are well targeted to support the objectives of the Program. However, there is insufficient evidence that the cost of the light rail will be justified by its contribution to Program objectives.

The planned uses of the former railway land achieve a balance between the economic and social objectives of the Program at a reasonable cost to the Government. HCCDC, and previously UrbanGrowth NSW, identified and considered options for land use that would best meet Program objectives. Required probity processes were followed for developments that involved financial transactions. Our audit did not assess the achievement of these objectives because none of the projects have been completed yet.

Analysis presented in the Program business case and other planning documents showed that the light rail would have small transport benefits and was expected to make a modest contribution to broader Program objectives. Analysis in the Program business case argued that despite this, the light rail was justified because it would attract investment and promote economic development around the route. The Program business case referred to several international examples to support this argument, but did not make a convincing case that these examples were comparable to the proposed light rail in Newcastle.

The audited agencies argue that the contribution of light rail cannot be assessed separately because it is a part of a broader Program. The cost of the light rail makes up around 53 per cent of the total Program funding. Given the cost of the light rail, agencies need to be able to demonstrate that this investment provides value for money by making a measurable contribution to the Program objectives.

2. Consultation and oversight were mostly effective during the implementation stages of the Program. There were weaknesses in both areas in the planning stages.

Consultations about the urban renewal activities from around 2015 onward followed good practice standards. These consultations were based on an internationally accepted framework and met their stated objectives. Community consultations on the decision to close the train line were held in 2006 and 2009. However, the final decision in 2012 was made without a specific community consultation. There was no community consultation on the decision to build a light rail.

The governance arrangements that were in place during the planning stages of the Program did not provide effective oversight. This meant there was not a single agreed set of Program objectives until 2016 and roles and responsibilities for the Program were not clear. Leadership and oversight improved during the implementation phase of the Program. Roles and responsibilities were clarified and a multi-agency steering committee was established to resolve issues that needed multi-agency coordination.

The light rail is not justified by conventional cost-benefit analysis and there is insufficient evidence that the indirect contribution of light rail to achieving the economic development objectives of the Program will justify the cost.

Analysis presented in Program business cases and other planning documents showed that the light rail would have small transport benefits and was expected to make a modest contribution to broader Program objectives. Analysis in the Program business case argued that despite this, the light rail was justified because it would attract investment and promote economic development around the route. The Program business case referred to several international examples to support this argument, but did not make a convincing case that these examples were comparable to the proposed light rail in Newcastle.

The business case analysis of the benefits and costs of light rail was prepared after the decision to build light rail had been made and announced. Our previous reports, and recent reports by others, have emphasised the importance of completing thorough analysis before announcing infrastructure projects. Some advice provided after the initial light rail decision was announced was overly optimistic. It included benefits that cannot reasonably be attributed to light rail and underestimated the scope and cost of the project.

The audited agencies argue that the contribution of light rail cannot be assessed separately because it is part of a broader Program. The cost of the light rail makes up around 53 per cent of the total Program funding. Given the high cost of the light rail, we believe agencies need to be able to demonstrate that this investment provides value for money by making a measurable contribution to the Program objectives.

Recommendations
For future infrastructure programs, NSW Government agencies should support economical decision-making on infrastructure projects by:

providing balanced advice to decision makers on the benefits and risks of large infrastructure investments at all stages of the decision-making process
providing scope and cost estimates that are as accurate and complete as possible when initial funding decisions are being made
making business cases available to the public.

The planned uses of the former railway land achieve a balance between the economic and social objectives of the Program at a reasonable cost to the government.

The planned uses of the former railway land align with the objectives of encouraging people to visit and live in the city centre, creating attractive public spaces, and supporting growth in employment in the city. The transport benefits of the activities are less clear, because the light rail is the major transport project and this will not make significant improvements to transport in Newcastle.

The processes used for selling and leasing parts of the former railway land followed industry standards. Options for the former railway land were identified and assessed systematically. Competitive processes were used for most transactions and the required assessment and approval processes were followed. The sale of land to the University of Newcastle did not use a competitive process, but required processes for direct negotiations were followed.

Recommendation
By March 2019, the Hunter and Central Coast Development Corporation should:

work with relevant stakeholders to explore options for increasing the focus on the heritage objective of the Program in projects on the former railway land. This could include projects that recognise the cultural and industrial heritage of Newcastle.

Consultations about the urban renewal activities followed good practice standards, but consultation on transport decisions for the Program did not.

Consultations focusing on urban renewal options for the Program included a range of stakeholders and provided opportunities for input into decisions about the use of the former railway land. These consultations received mostly positive feedback from participants. Changes and additions were made to the objectives of the Program and specific projects in response to feedback received.

There had been several decades of debate about the potential closure of the train line, including community consultations in 2006 and 2009. However, the final decision to close the train line was made and announced in 2012 without a specific community consultation. HCCDC states that consultation with industry and business representatives constitutes community consultation because industry representatives are also members of the community. This does not meet good practice standards because it is not a representative sample of the community.

There was no community consultation on the decision to build a light rail. There were subsequent opportunities for members of the community to comment on the implementation options, but the decision to build it had already been made. A community and industry consultation was held on which route the light rail should use, but the results of this were not made public.

Recommendation
For future infrastructure programs, NSW Government agencies should consult with a wide range of stakeholders before major decisions are made and announced, and report publicly on the results and outcomes of consultations.

The governance arrangements that were in place during the planning stages of the Program did not provide effective oversight. Project leadership and oversight improved during the implementation phase of the Program.

Multi-agency coordination and oversight were ineffective during the planning stages of the Program. Examples include: multiple versions of Program objectives being in circulation; unclear reporting lines for project management groups; and poor role definition for the initial advisory board. Program ownership was clarified in mid-2016 with the appointment of a new Program Director with clear accountability for the delivery of the Program. This was supported by the creation of a multi-agency steering committee that was more effective than previous oversight bodies.

The limitations that existed in multi-agency coordination and oversight had some negative consequences in important aspects of project management for the Program. This included whole-of-government benefits management and the coordination of work to mitigate impacts of the Program on small businesses.

Recommendations
For future infrastructure programs, NSW Government agencies should:

develop and implement a benefits management approach from the beginning of a program to ensure responsibility for defining benefits and measuring their achievement is clear
establish whole-of-government oversight early in the program to guide major decisions. This should include:
- agreeing on objectives and ensuring all agencies understand these
- clearly defining roles and responsibilities for all agencies
- establishing whole-of-government coordination for the assessment and mitigation of the impact of major construction projects on businesses and the community.

By March 2019, the Hunter and Central Coast Development Corporation should update and implement the Program Benefits Realisation Plan. This should include:

setting measurable targets for the desired benefits
clearly allocating ownership for achieving the desired benefits
monitoring progress toward achieving the desired benefits and reporting publicly on the results.

Appendix one - Response from agencies

Appendix two - About the audit

Appendix three - Performance auditing

Parliamentary reference - Report number #310 - released 12 December 2018

29 November 2018

Published

Central Agencies 2018

Treasury

Premier and Cabinet

Finance

Financial reporting

Internal controls and governance

Management and administration

Risk

The Auditor-General for New South Wales, Margaret Crawford, released her report today on the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters. While clear audit opinions were issued on all agency financial statements, the report notes that some complex accounting requirements caused significant errors in agency financial statements submitted for audit, which were corrected before the financial statements were approved.

This report analyses the results of our audits of the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster agencies for the year ended 30 June 2018. The table below summarises our key observations.

This report provides parliament and other users of the NSW Government's central agencies and their cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
liquidity risk management
government financial services.

The central agencies and their key responsibilities are set out below.

Central agencies	Key central agency responsibilities	Cluster responsibilities
The Treasury	Financial and economic advisor to NSW Government Manages the NSW Government’s financial resources.	The cluster: provides investment and debt management services though TCorp manages residual business arising from privatisation of government businesses provides insurance and compensation cover, including workers compensation insurance includes NSW Government superannuation funds.
Department of Premier and Cabinet	Drives NSW Government’s objectives and sets targets Works with clusters to coordinate policy and achieve NSW Government priorities.	The cluster: includes integrity agencies, such as the Independent Commission Against Corruption, Audit Office of NSW and Ombudsman’s Office other agencies, such as Barangaroo Delivery Authority and Infrastructure NSW.
Department of Finance, Services and Innovation	Supports agency service delivery in relation to the key enabling functions of NSW Government, including procurement, property and asset management, ICT and digital innovation.	The cluster: is responsible for state revenue and rental bond administration regulates statutory insurance schemes, workplace safety and consumer protection provides access to a range of NSW Government services via Service NSW manages the NSW Government communications network.
Public Service Commission	Works to promote and maintain a strong ethical culture across the government sector and improve the capabilities, performance and configuration of the sector’s workforce to deliver better services to the public.	The Public Service Commission is an independent agency within the Premier and Cabinet cluster.

Note: The Audit Office of NSW is an independent agency included in the Premier and Cabinet cluster for administrative purposes, but not commented on in this report.

A full list of agencies that this report covers by relevant cluster is included in Appendix three.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation clusters for 2018.

Observation	Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified opinions were issued for all agencies' financial statements submitted to the Audit Office. Complex accounting requirements caused significant errors in some agency financial statements, which were corrected before the financial statements were approved.	Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement. Recommendation: Agencies should respond to key accounting issues when they are identified by preparing accounting papers and engaging with Treasury, the Audit Office and their Audit and Risk Committee when these matters are identified.
2.2 Timeliness of financial reporting
Most agencies complied with the statutory timeframe for completion of early close procedures, 48 agencies in the Treasury cluster did not comply with the statutory requirement to prepare financial statements, and the audits of nine agencies in the Treasury cluster were not completed within the statutory timeframe. All financial statement information of the 48 agencies that did not prepare financial statements has been captured in the consolidated financial statements of their parent entity, which was subject to audit.	Early close procedures allow financial reporting issues and risks to be addressed early in the audit process. The timeliness of financial reporting can be improved by performing more robust early close procedures.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

our financial statement audits of agencies in the Treasury, Premier and Cabinet and Finance, Services and Innovation cluster for 2018
the areas of focus identified in the Audit Office work program.

The Audit Office work program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation	Conclusions and recommendations
3.1 Internal controls
The 2017–18 audits found one high risk issue and 83 moderate risk issues across the agencies. Nineteen per cent of all issues were repeat issues.	Agencies should focus on rectifying repeat issues.
The high risk issue at Service NSW related to several deficiencies in procurement and contract management processes.	Service NSW may not be achieving value-for-money from their procurement and contract management activities. The high risk issue should be rectified as a matter of priority. This includes updating and implementing its procurement, vendor and contract management frameworks and delivering training to key staff involved in procurement and contract management activities.
Property NSW has implemented several controls during the year to rectify the high risk issue identified last year related to its transition to a new property and facility management service provider. However, the service providers performance remains below expectations and there are further opportunities to improve oversight and lift performance.	Property NSW can better define roles and accountabilities with the service provider and formalise policies and processes associated with its monitoring and oversight of the service provider. Implementing relevant KPIs, receiving timely reports and providing timely review and feedback to the service provider may help to lift performance.
GovConnect received unqualified opinions from their service auditor on all business process controls, except for information technology controls provided by Unisys, where a qualified opinion was received from the service auditor. A qualified opinion was received because of several deficiencies in user access controls.	These internal control deficiencies increase the risk of unauthorised access to key business systems, and increase audit effort and costs associated with addressing the risks arising from the deficiencies.
3.2 Audit Office annual work program
Remediation of the Barangaroo site is now estimated to cost the Barangaroo Delivery Authority in excess of net $400 million. The increase in the estimate over the last five years is mainly due to the extent of remediation required, as more evidence of contamination has become known.	Measuring the remaining costs to remediate requires the use of estimation techniques and judgements, making the actual outcome inherently uncertain. We reviewed evidence to support the provision for remediation, including future costs estimates and this evidence supported management’s estimate.
The State Insurance Regulatory Authority have administered the refund of $138 million in Green slip refunds to policy holders through Service NSW during 2017–18. At 30 June 2018, $112 million in refunds are yet to be claimed. We reviewed the systems and processes supporting the refund process. While we found that this supports the disbursement of refunds to policyholders there were some deficiencies in Service NSW’s project controls when the program was being developed.	Service NSW should apply the lessons learnt from this program to other programs it is delivering or will be delivering for agencies.
Revenue NSW recorded $30.4 billion from taxes, fines and fees in 2017–18 ($30.0 billion in 2016–17) to support the State’s finances.	Crown revenue has steadily increased over the last five years predominately driven by rises in payroll tax and land tax and responsibility for collection of the Emergency Services Levy transferring to Revenue NSW under the Emergency Services Levy Act 2017 effective from July 2017.
3.3 Managing maintenance
Place Management NSW manages significant commercial and retail leases and maintains public domain spaces and other assets around the harbour foreshore. It has consistently underspent its asset maintenance budget. In 2017–18, asset maintenance expenses were only 34 per cent of budgeted maintenance expense. Currently, Place Management NSW does not use any ratios or benchmarks to determine the adequacy of its maintenance spend or to monitor whether it is achieving its budgeted maintenance program.	This may be contributing to a high proportion of unplanned maintenance, which Place Management NSW reports was 38 per cent of total maintenance expense in 2017–18. Place Management NSW is outsourcing its property and facilities management function from 1 December 2018 to an external service provider.

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Observation	Conclusions and recommendation
5.1 Superannuation funds
The SAS Trustee Corporation (STC) Pooled Fund and the Parliamentary Contributory Superannuation (PCS) Fund are not required to comply with the prudential and reporting standards issued by the Australian Prudential Regulation Authority (APRA). However, legislation allows the responsible Minister to prescribe prudential standards, reporting and audit requirements.	Structured and comprehensive prudential oversight of these Funds is important as they operate in a volatile financial sector, have 103,000 members and manage investments of $43.3 billion. Recommendation: Treasury should consult with the Trustees of the STC Pooled Fund and PCS Fund to prescribe appropriate prudential standards and requirements, including oversight arrangements.
5.2 Insurance and compensation
Nominal Insurer and NSW Self Insurance Corporation investment performance marginally exceeded benchmark over the past five years.	Investment returns can impact on the premiums required to maintain an adequate funding ratio in addition to other factors such as claims experience and discount rates.
The Workers Compensation Nominal Insurer (Nominal Insurer) and NSW Self Insurance Corporation's net collected premiums and contributions decreased over the past five years.	The insurance schemes' investment performance and stable claim payments have enabled less reliance on net collected premiums and contributions as a source of funding, over the past five years.
Reforms were introduced to manage the Home Warranty Scheme's financial sustainability risks.	The Home Warranty Scheme has not collected sufficient premiums to fund expected claims costs, since commencing operations in 2011. In 2017–18, the Crown contributed $181 million for historical shortfalls. New reforms started on 1 January 2018 enabling the Scheme to price premiums based on risk.

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Appendix four - Timeliness of financial reporting and audit reporting

Appendix five - Management letter findings by risk rating

Appendix six – Financial data

28 November 2018

Published

Transport 2018

Transport

Asset valuation

Compliance

Financial reporting

Infrastructure

Management and administration

Procurement

Risk

Service delivery

Workforce and capability

The Auditor-General for New South Wales, Margaret Crawford released her report today on key observations and findings from the 30 June 2018 financial statement audits of agencies in the Transport cluster. Unqualified audit opinions were issued for all agencies' financial statements. However, assessing the fair value of the broad range of transport related assets creates challenges.

This report analyses the results of our audits of financial statements of the Transport cluster for the year ended 30 June 2018. The table below summarises our key observations.

This report provides Parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2018.

Observation	Conclusions and recommendations
2.1 Quality of financial reporting
Unqualified audit opinions were issued for all agencies' financial statements	Sufficient audit evidence was obtained to conclude the financial statements were free of material misstatement.
2.2 Key accounting issues
Valuation of assets continues to create challenges. Although agencies complied with the requirements of the accounting standards and Treasury policies on valuations, we identified some opportunities for improvements at RMS.	RMS incorporated data from its asset condition assessments for the first time in the valuation methodology which improved the valuation outcome. Overall, we were satisfied with the valuation methodology and key assumptions, but we noted some deficiencies in the asset data in relation to asset component unit rates and old condition data for some components of assets. Also, a bypass and tunnel were incorrectly excluded from RMS records and valuation process since 2013. This resulted in an increase for these assets’ value by $133 million. The valuation inputs for Wetlands and Moorings were revised this year to better reflect the assets' characteristics resulting in a $98.0 million increase.
2.3 Timeliness of financial reporting
Residual Transport Corporation did not submit its financial statements by the statutory reporting deadline.	Residual Transport Corporation remained a dormant entity with no transactions for the year ended 30 June 2018.
With the exception of Residual Transport Corporation, all agencies completed early close procedures and submitted financial statements within statutory timeframes.	Early close procedures allow financial reporting issues and risks to be addressed early in the reporting and audit process.
2.4 Financial sustainability
NSW Trains and the Chief Investigator of the Office of Transport Safety Investigations reported negative net assets of $75.7 million and $89,000 respectively at 30 June 2018.	NSW Trains and the Chief Investigator of the Office of Transport Safety Investigations continue to require letters of financial support to confirm their ability to pay liabilities as they fall due.
2.5 Passenger revenue and patronage
Transport agencies revenue growth increased at a higher rate than patronage.	Public transport passenger revenue increased by $114 million (8.3 per cent) in 2017–18, and patronage increased by 37.1 million (5.1 per cent) across all modes of transport based on data provided by TfNSW.
Negative balance Opal Cards resulted in $3.8 million in revenue not collected in 2017–18 and $7.8 million since the introduction of Opal. A total of 1.1 million Opal cards issued since its introduction have negative balances.	Transport for NSW advised it is liaising with the ticketing vendor to implement system changes and are investigating other ways to reduce the occurrences.
2.6 Cost recovery from public transport users
Overall cost recovery from users has decreased.	Overall cost recovery from public transport users (on rail and bus services by STA) decreased from 23.2 per cent to 22.4 per cent between 2016–17 and 2017–18. The main reason for the decrease is due to expenditure increasing at a faster rate than revenue in 2017–18.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

our financial statement audits of agencies in the Transport cluster for 2018
the areas of focus identified in the Audit Office annual work program.

The Audit Office Annual Work Program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters.

Observation	Conclusions and recommendations
3.1 Internal controls
There was an increase in findings on internal controls across the Transport cluster.	Key themes related to information technology, employee leave entitlements and asset management. Eighteen per cent of all issues were repeat issues.
3.2 Audit Office Annual work program
The Transport cluster wrote-off over $200 million of assets which were replaced by new assets or technology.	Majority of this write-off was recognised by RMS, with $199 million relating to the write-off of existing assets which have been replaced during the year.
RailCorp is expected to convert to TAHE from 1 July 2019.	Several working groups are considering different aspects of the TAHE transition including its status as a for-profit Public Trading Enterprise and which assets to transfer to TAHE. We will continue to monitor developments on TAHE for any impact to the financial statements.
RMS' estimated maintenance backlog at 30 June 2018 of $3.4 billion is lower than last year. Sydney Trains' estimated maintenance backlog at 30 June 2018 increased by 20.6 per cent to $434 million. TfNSW does not quantify its backlog maintenance.	TfNSW advised it is liaising with Infrastructure NSW to develop a consistent definition of maintenance backlog across all transport service providers.
Not all agencies monitor unplanned maintenance across the Transport cluster.	Unplanned maintenance can be more expensive than planned maintenance. TfNSW should develop a consistent approach to define, monitor and track unplanned maintenance across the cluster.

This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by Cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited.

We report this information on service delivery to provide additional context to understand the operations of the Transport cluster and to collate and present service information for different modes of transport in one report.

In our recent performance audit, Progress and measurement of Premier's Priorities, we identified 12 limitations of performance measurement and performance data. We recommended that the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all agency data sources.

Appendix one - Status of 2016 and 2017 recommendations

Appendix two - Cluster agencies

Appendix three - Financial data

Appendix four - Bus contracts regions

30 October 2018

Published

Internal Controls and Governance 2018

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Environment

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

The Auditor-General for New South Wales Margaret Crawford found that as NSW state government agencies’ digital footprint increases they need to do more to address new and emerging information technology (IT) risks. This is one of the key findings to emerge from the second stand-alone report on internal controls and governance of the 40 largest NSW state government agencies.

This report analyses the internal controls and governance of the 40 largest agencies in the NSW public sector for the year ended 30 June 2018.

This report covers the findings and recommendations from our 2017–18 financial audits that relate to internal controls and governance at the 40 largest agencies (refer to Appendix three) in the NSW public sector.

This report offers insights into internal controls and governance in the NSW public sector

This is our second report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. The way agencies deliver services increasingly relies on contracts and partnerships with the private sector. Many of these arrangements deliver front line services, but others provide less visible back office support. For example, an agency may rely on an IT service provider to manage a key system used to provide services to the community. The contract and service level agreements are only truly effective where they are actively managed to reduce risks to continuous quality service delivery, such as interruptions caused by system outages, cyber security attacks and data security breaches.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures, and report on those that present heightened risks for agencies to mitigate. This report divides these into the following five areas:

Internal control trends
Information technology (IT), including IT vendor management
Transparency and performance reporting
Management of purchasing cards and taxis
Fraud and corruption control.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2018 cluster financial audit reports, which will be tabled in Parliament from November to December 2018.

The focus of the report has changed since last year

Last year's report topics included asset management, ethics and conduct, and risk management. We are reporting on new topics this year. We plan to introduce new topics and re-visit our previous topics in subsequent reports on a cyclical basis. This will provide a baseline against which to measure the NSW public sectors’ progress in implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Agencies selected for the volume account for 95 per cent of the state's expenditure

While we have covered only 40 agencies in this report, those selected are a large enough group to identify common issues and insights. They represent about 95 per cent of total expenditure for all NSW public sector agencies.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume presents this year’s controls and governance findings in more detail.

Observation	Conclusions and recommendations
2.1 High risk findings
We found six high risk findings (seven in 2016–17), one of which was repeated from both last year and 2015–16.	Recommendation: Agencies should reduce risk by addressing high risk internal control deficiencies as a priority.
2.2 Common findings
We found several internal controls and governance findings common to multiple agencies.	Conclusion: Central agencies or the lead agency in a cluster can play a lead role in helping ensure agency responses to common findings are consistent, timely, efficient and effective.
2.3 New and repeat findings
Although internal control deficiencies decreased over the last four years, this year has seen a 42 per cent increase in internal control deficiencies.	The increase in new IT control deficiencies and repeat IT control deficiencies signifies an emerging risk for agencies.
IT control deficiencies feature in this increase, having risen by 63 per cent since last year. The number of repeat IT control deficiencies has doubled and is driven by the increasing digital footprint left by agencies as government prioritises on-line interfaces with citizens, and the number of transactions conducted through digital channels increases	Recommendation: Agencies should reduce IT risks by: assigning ownership of recommendations to address IT control deficiencies, with timeframes and actions plans for implementation ensuring audit and risk committees and agency management regularly monitor the implementation status of recommendations.

Government agencies’ financial reporting is now heavily reliant on information technology (IT). IT is also increasingly important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our audits reviewed whether agencies have effective controls in place to manage both key financial systems and IT service contracts.

Observation	Conclusions and recommendations
3.1 Management of IT vendors
Contract management framework Although 87 per cent of agencies have a contract management policy to manage IT vendors, one fifth require review.	Conclusion: Agencies can more effectively manage IT vendor contracts by developing policies and procedures to ensure vendor management frameworks are kept up to date, plans are in place to manage vendor performance and risk, and compliance with the framework is monitored by: internal audit focusing on key contracting activities experienced officers who are independent of contract administration performing spot checks or peer reviews targeted analysis of data in contract registers.
Contract risk management Forty-one per cent of agencies are not using contract management plans and do not assess contract risks. Half of the agencies that did assess contract risks, had not updated the risk assessments since the commencement of the contract.	Conclusion: Instead of applying a 'set and forget' approach in relation to management of contract risks, agencies should assess risk regularly and develop a plan to actively manage identified risks throughout the contract lifecycle - from negotiation and commencement, to termination.
Performance management Eighty-six per cent of agencies meet with vendors to discuss performance. Only 24 per cent of agencies sought assurance about the accuracy of vendor reporting against KPIs, yet sixty-seven per cent of the IT contracts allow agencies to determine performance based payments and/or penalise underperformance.	Conclusion: Agencies are monitoring IT vendor performance, but could improve outcomes and more effectively manage under-performance by: a more active, rigorous approach to both risk and performance management checking the accuracy of vendor reporting against those KPIs and where appropriate seeking assurance over their accuracy invoking performance based payments clauses in contracts when performance falls below agreed standards.
Transitioning services Forty-three per cent of the IT vendor contracts did not contain transitioning-out provisions. Where IT vendor contracts do make provision for transitioning-out, only 28 per cent of agencies have developed a transitioning-out plan with their IT vendor.	Conclusion: Contract transition/phase out clauses and plans can mitigate risks to service disruption, ensure internal controls remain in place, avoid unnecessary costs and reduce the risk of 'vendor lock-in'.
Contract Registers Eleven out of forty agencies did not have a contract register, or have registers that are not accurate and/or complete.	Conclusion: A contract register helps to manage an agency’s compliance obligations under the Government Information (Public Access) Act 2009 (the GIPA Act). However, it also helps agencies more effectively manage IT vendors by: monitoring contract end dates and contract extensions, and commence new procurements through their central procurement teams in a timely manner managing their contractual commitments, budgeting and cash flow requirements. Recommendation: Agencies should ensure their contract registers are complete and accurate so they can more effectively govern contracts and manage compliance obligations.
3.2 IT general controls
Governance Ninety-five per cent of agencies have established policies to manage key IT processes and functions within the agency, with ten per cent of those due for review.	Conclusion: Regular review of IT policies ensures risks are considered and appropriate strategies and procedures are implemented to manage these risks on a consistent basis. An absence of policies can lead to ad-hoc responses to risks, and failure to consider emerging IT risks and changes to agency IT environments.
User access administration Seventy-two deficiencies were identified related to user access administration, including: thirty issues related to granting user access across 43 per cent of agencies sixteen issues related to removing user access across 30 per cent of agencies twenty-six issues related to periodic reviews of user access across 50 per cent of agencies.	Recommendation: Agencies should strengthen the administration of user access to prevent inappropriate access to key systems.
Privileged access Forty per cent of agencies do not periodically review logs of the activities of privileged users to identify suspicious or unauthorised activities.	Recommendation: Agencies should: review the number of, and access granted to privileged users, and assess and document the risks associated with their activities monitor user access to address risks from unauthorised activity.
Password controls Twenty-three per cent of agencies did not comply with their own policy on password parameters.	Recommendation: Agencies should ensure IT password settings comply with their password policies.
Program changes Fifteen per cent of agencies had deficient IT program change controls mainly related to segregation of duties and authorisation and testing of IT program changes prior to deployment.	Recommendation: Agencies should maintain appropriate segregation of duties in their IT functions and test system changes before they are deployed.

This chapter outlines our audit observations, conclusions and recommendations from our review of how agencies reported their performance in their 2016–17 annual reports. The Annual Reports (Statutory Bodies) Regulation 2015 and Annual Reports (Departments) Regulation 2015 (annual reports regulation) currently prescribes the minimum requirements for agency annual reports.

Observation

Conclusion or recommendation

4.1 Reporting on performance

Only 57 per cent of agencies linked reporting on performance to their strategic objectives.

The use of targets and reporting performance over time was limited and applied inconsistently.

Conclusion: There is significant disparity in the quality and consistency of how agencies report on their performance in their annual reports. This limits the reliability and transparency of reported performance information.

Agencies could improve performance reporting by clearly linking strategic objectives to reported outcomes, and reporting on performance against targets over time. NSW Treasury may need to provide more guidance to agencies to support consistent and high-quality performance reporting in annual reports.

There is no independent assurance that the performance metrics agencies report in their annual reports are accurate.

Prior performance audits have noted issues related to the collection of performance information. For example, our 2016 Report on Red Tape Reduction highlighted inaccuracies in how the dollar-value of red tape reduction had been reported.

Conclusion: The ability of Parliament and the public to rely on reported information as a relevant and accurate reflection of an agency's performance is limited.

The relevance and accuracy of performance information is enhanced when:

policies and guidance support the consistent and accurate collection of data
internal review processes and management oversight are effective
independent review processes are established to provide effective challenge to the assumptions, judgements and methodology used to collect the reported performance information.

4.2 Reporting on reports

Agency reporting on major projects does not meet the requirements of the annual reports regulation.

Forty-seven per cent of agencies did not report on costs to date and estimated completion dates for major works in progress. Of the 47 per cent of agencies that reported on major works, only one agency reported detail about significant cost overruns, delays, amendments, deferments or cancellations.

NSW Treasury produce an annual report checklist to help agencies comply with their annual report obligations.

Recommendation: Agencies should comply with the annual reports regulation and report on all mandatory fields, including significant cost overruns and delays, for their major works in progress.

The information the annual reports regulation requires agencies to report deals only with major works in progress. There is no requirement to report on completed works.

Sixteen of 30 agencies reported some information on completed major works.

Conclusion: Agencies could improve their transparency if they reported, or were required to report:

on both works in progress and projects completed during the year
actual costs and completion dates, and forecast completion dates for major works, against original and revised budgets and original expected completion dates
explanations for significant cost overruns, delays and key project performance metrics.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency preventative and detective controls over purchasing card and taxi use for 2017–18.

Observation	Conclusion or recommendation
5.1 Management of purchasing cards
Volume of credit card spend Purchasing card expenditure has increased by 76 per cent over the last four years in response to a government review into the cost savings possible from using purchasing cards for low value, high volume procurement.	Conclusion: The increasing use of purchasing cards highlights the importance of an effective framework for the use and management of purchasing cards.
Policy framework We found all agencies that held purchasing cards had a policy in place, but 26 per cent of agencies have not reviewed their purchasing card policy by the scheduled date, or do not have a scheduled revision date stated within their policy.	Recommendation: Agencies should mitigate the risks associated with increased purchasing card use by ensuring policies and purchasing card frameworks remain current and compliant with the core requirements of TPP 17–09 'Use and Management of NSW Government Purchasing Cards'.
Preventative controls We found that: all agencies maintained purchasing card registers seventy-six per cent provided training to cardholders prior to being issued with a card eighty-nine per cent appointed a program administrator, but only half of these had clearly defined roles and responsibilities thirty-two per cent of agencies place merchant blocks on purchasing cards forty-seven per cent of agencies place geographic restrictions on purchasing cards.	Agencies have designed and implemented preventative controls aimed at deterring the potential misuse of purchasing cards. Conclusion: Further opportunities exist for agencies to better control the use of purchasing cards, such as: updating purchasing card registers to contain all mandatory fields required by TPP17–09 appointing a program administrator for the agency's purchasing card framework and defining their role and responsibility for the function strengthening preventive controls to prevent misuse.
Detective controls Ninety-two per cent of agencies have designed and implemented at least one control to monitor purchasing card activity. Major reviews, such as data analytics (29 per cent of agencies) and independent spot checks (49 per cent of agencies) are not widely used.	Agencies have designed and implemented detective controls aimed at identifying potential misuse of purchasing cards. Conclusion: More effective monitoring using purchasing card data can provide better visibility over spending activity and can be used to: detect misuse and investigate exceptions analyse trends to highlight cost saving opportunities.
5.2 Management of taxis
Policy framework Thirteen per cent of agencies have not developed and implemented a policy to manage taxi use. In addition: a further 41 per cent of agencies have not reviewed their policies by the scheduled revision date, or do not have a scheduled revision date more than half of all agencies’ policies do not offer alternative travel options. For example, only 36 per cent of policies promoted the use of general Opal cards.	Conclusion: Agencies can promote savings and provide more options to staff where their taxi use policies: limit the circumstances where taxi use is appropriate offer alternate, lower cost options to using taxis, such as general Opal cards and rideshare.
Detective controls All agencies approve taxi expenditure by expense reimbursement, purchasing card and Cabcharge, and have implemented controls around this approval process. However, beyond this there is minimal monitoring and review activity, such as data monitoring, independent spot checks or internal audit reviews.	Conclusion: Taxi spend at agencies is not significant in terms of its dollar value, but it is significant from a probity perspective. Agencies can better address the probity risk by incorporating taxi use into a broader purchasing card or fraud monitoring program.

Fraud and corruption control is one of the 17 key elements of our governance lighthouse. Recent reports from ICAC into state agencies and local government councils highlight the need for effective fraud control and ethical frameworks. Effective frameworks can help protect an agency from events that risk serious reputational damage and financial loss.

Our 2016 Fraud Survey found the NSW Government agencies we surveyed reported 1,077 frauds over the three year period to 30 June 2015. For those frauds where an estimate of losses was made, the reported value exceeded $10.0 million. The report also highlighted that the full extent of fraud in the NSW public sector could be higher than reported because:

unreported frauds in organisations can be almost three times the number of reported frauds
our 2015 survey did not include all NSW public sector agencies, nor did it include any NSW universities or local councils
fraud committed by citizens such as fare evasion and fraudulent state tax self-assessments was not within the scope of our 2015 survey
agencies did not estimate a value for 599 of the 1,077 (56 per cent) reported frauds.

Commissioning and outsourcing of services to the private sector and the advancement of digital technology are changing the fraud and corruption risks agencies face. Fraud risk assessments should be updated regularly and in particular where there are changes in agency business models. NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy now requires agencies develop, implement and maintain a fraud and corruption control framework, effective from 1 July 2018.

Our Fraud Control Improvement Kit provides guidance and practical advice to help organisations implement an effective fraud control framework. The kit is divided into ten attributes. Three key attributes have been assessed below; prevention, detection and notification systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency fraud and corruption controls for 2017–18.

Observation	Conclusion or recommendation
6.1 Prevention systems
Prevention systems Ninety-two per cent of agencies have a fraud control plan in place, 81 per cent maintain a fraud database and 79 per cent report fraud and corruption matters as a standing item on audit and risk committee agendas. Only 54 per cent of agencies have an employment screening policy and all agencies have IT security policies, but gaps in IT security controls could undermine their policies.	Conclusion: Most agencies have implemented fraud prevention systems to reduce the risk of fraud. However poor IT security along with other gaps in agency prevention systems, such as employment screening practices heightens the risk of fraud and inappropriate use of data. Agencies can improve their fraud prevention systems by: completing regular fraud risk assessments, embedding fraud risk assessment into their enterprise risk management process and reporting the results of the assessment to the audit and risk committee maintaining a fraud database and reviewing it regularly for systemic issues and reporting a redacted version of the database on the agency's website to inform corruption prevention networks developing policies and procedures for employee screening and benchmarking their current processes against ICAC's publication ‘Strengthening Employment Screening Practices in the NSW Public Sector’ developing and maintaining up to date IT security policies and monitoring compliance with the policy.
Twenty-three per cent of agencies were not performing fraud risk assessments and some agency fraud risk assessments may not be as robust as they could be.	Conclusion: Agencies' systems of internal controls may be less effective where new and emerging fraud risks have been overlooked, or known weaknesses have not been rectified.
6.2 Detection systems
Detection systems Several agencies reported they were developing a data monitoring program, but only 38 per cent of agencies had already implemented a program.	Studies have shown data monitoring, whereby entire populations of transactional data are analysed for indicators of fraudulent activity, is one of the most effective methods of early detection. Early detection decreases the duration a fraud remains undetected thereby limiting the extent of losses. Conclusion: Data monitoring is an effective tool for early detection of fraud and is more effective when informed by a comprehensive fraud risk assessment.
6.3 Notification systems
Notification system All agencies have notification systems for reporting actual or suspected fraud and corruption. Most agencies provide multiple reporting lines, provide training and publicise options for staff to report actual or suspected fraud and corruption.	Conclusion: Training staff about their obligations and the use of fraud notification systems promotes a fraud-aware culture

Appendix one - List of 2018 recommendations

Appendix two - Status of 2017 recommendations

Appendix three - Cluster agencies

Audit progress

Sector

Year

Report type

Topic

Reports

Section highlights

Section highlights

Section highlights

Background

Section highlights

Section highlights

Section highlights

This report offers insights into internal controls and governance in the NSW public sector

Areas of specific focus of the report have changed since last year

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

There are no professional standards and capability requirements for probity practitioners

The NSW Procurement Board provides direction for the use of probity practitioners

The LECC is an independent investigative body, funded by appropriation, to oversight NSW Police and the Crime Commission

The PF&A Act is the legislation that governs the administration of public finances

The Minister did not delegate his right to approve expenditure on overseas travel

The Minister declined approval of a LECC request for an officer to travel overseas

The LECC paid the overseas travel expenses without a delegation or Ministerial approval

The Chief Commissioner argues the overseas travel expenditure was properly incurred

The Crown Solicitor and Solicitor General advised the expenditure breached the PF&A Act

The Minister referred the matter to the Inspector of the LECC

The Minister asks the Auditor General to audit the transaction’s compliance with the PF&A Act

The principles of statutory interpretation apply where potential conflicts exist between Acts

Is there an apparent conflict between the LECC Act and the PF&A Act that needs to be resolved?

Was the LECC able to incur expenditure without Ministerial approval?

Was the Minister lawfully entitled to withhold approval of the overseas travel expenditure?

This report offers insights into internal controls and governance in the NSW public sector

The focus of the report has changed since last year

Agencies selected for the volume account for 95 per cent of the state's expenditure