Section highlights

We identified 23 high-risk findings, compared to 20 last year, with ten repeated from last year. Sixteen of the 23 findings related to financial controls and seven related to IT controls.

• The proportion of repeat deficiencies has increased from 47% in 2020–21 to 48% in 2021–22.
• We identified a low level of compliance with TD 21-04 during 2021–22. Most agencies do not have a policy on gifts of government property, and did not annually certify their register of gifts of government property or attest that the agency has not made any gifts.

Section highlights

• We continue to see a high number of deficiencies related to IT General Controls, particularly those related to user access administration and privileged user access.
• We identified deficiencies within IT governance related to IT policies and procedures not effective in managing IT risks. We also identified weaknesses in arrangements with third-party IT service providers which can increase cyber security risk.

Section highlights

• Only 80% of agencies specify how they monitor or ensure that third-party IT service providers comply with the agencies' cyber security policies. IT service providers may pose certain risks to the agency if the provider's cyber security controls have weaknesses.
• There are inconsistent practices and definitions of cyber security incidents across agencies with respect to maintaining incident registers. Five agencies reported nil incidents in their registers for 2021–22, while other agencies recorded up to 1,913 incidents.
• Agencies' self-assessed maturity levels against the NSW Cyber Security Policy mandatory requirements are lower than their target levels in at least one requirement. Maturity levels against the Australian Cyber Security Centre's Essential Eight controls have not improved since last year. 

Section highlights

• Agencies risk over-reliance on the same consultants, as some firms continue to be the highest paid consultants at 60% of agencies for at least three of the past five years.
• Agencies could improve their policies on engaging consultants to include consideration of:
  • probity requirements/conflict of interests
  • rotation of independent consultants from time-to-time
  • additional review where multiple consultants are engaged on the same topic to address the risk of opinion shopping.
• A quarter of agencies have re-engaged the same contractor over the past five years, with one contractor engaged for 19 years. Long-term engagements without reassessment against market increase the risk of dependency on the contractor.

Section highlights

• We identified that most agencies do not include the risk of employment application fraud in their risk registers.
  Post-employment screening has an important role in preventing fraud and managing risk as roles often change and the initial employment screening procedures may not be sufficient to control risk over time. Only 57% of agencies that have an employment screening policy include post-employment screening guidance.
• Screening and induction practices for non-permanent workers are often less stringent than for permanent employees. There is an increased risk that agencies will:
  • fail to identify an applicant with a past history of corrupt or criminal conduct
  • not identify applications with false credentials
  • hire a worker with unsuitable qualifications, skills or experience.

Section highlights

• All agencies maintain a central contract register but 40% are incomplete, risking non-compliance with the Government Information (Public Access) Act 2009 (GIPA Act).
• The contract renewal process could be improved. We identified only 76% of agencies assessed value for money before deciding to renew/extend the contract.
• Most agencies provide some training and support to staff on procurement procedures. Ongoing training and awareness programs allow agencies to communicate to all staff their responsibilities and obligations in relation to procurement activities. 

Section highlights

• Unqualified audit opinions were issued on the financial statements of cluster agencies. Two audits are ongoing.
• Cluster agencies completed all required early close procedures.
• Changes to accommodation arrangements managed by Property NSW on behalf of the department and cluster agencies resulted in the collective derecognition of approximately $100.6 million in right-of-use assets and corresponding lease liabilities totalling $110.4 million from the balance sheets of these agencies.
• Cluster agencies continue to provide financial assistance to communities affected by natural disasters.

Section highlights

• The 2021–22 audits identified five moderate issues across the cluster. One moderate risk issue was a repeat issue related to Local Land Services' annual fair value assessment of the asset improvements on land reserves used for moving stock.
• Of the four newly identified moderate rated issues, one related to internal control deficiencies and improvements and three related to financial reporting.
• The number of findings reported to management has decreased from 36 in 2020–21 to 14 in 2021–22.

Section highlights

• Unqualified audit opinions were issued for all cluster agencies required to prepare general purpose financial statements.

• The total gross value of corrected monetary misstatements for 2021–22 was $353.3 million, of which, $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests.

• A qualified audit opinion was issued on the ministry's Annual Prudential Compliance Statements.

Section highlights

• The total number of internal control deficiencies has decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised in 2021–22, four were high (2020–21: 3) and 37 were moderate (2020–21: 57); with nearly half of all control deficiencies reported in 2021–22 being repeat issues.

• The following four issues were reported in 2021–22 as high risk:

  • impairment of COVID-19 inventories

  • inadequate review over the appropriateness of asset capitalisation threshold

  • forced-finalisation of HealthRoster time records

  • COVID-19 vaccination inventories – data quality issue at 31 March 2022.

• Management of excessive leave balances and poor quality or lack of documentation supporting key agreements continued to be the key repeat issues observed in the 2021–22 financial reporting period.

Section highlights

• Unqualified audit opinions were issued on all the cluster agencies 2021–22 financial statements.
• There were two corrected misstatements greater than $5 million.
• Changes to accommodation arrangements managed by Property NSW on behalf of the department resulted in the collective derecognition of approximately $167.3 million in right of use assets and corresponding lease liabilities totalling $225.1 million from the balance sheets of these agencies.

Section highlights

• The 2021–22 audits identified four moderate risk issues across the cluster.
• Three out of the four moderate risk issues were repeat issues.
• The repeat issues related to password and security configuration and a lack of updated procurement policies and procedures.

Section highlights

• Up to 30 June 2021, $7.5 billion has been spent by state government agencies for health and economic stimulus.
• Revenue increased for most agencies as falling revenue from providing goods and services was offset by additional funding from appropriations, grants and contributions.
• Expenses increased as most agencies incurred additional costs to manage and respond to the pandemic along with delivering stimulus and support programs.
• Borrowings of $7.5 billion over the last two years helped to fund the response to COVID-19.

Section highlights

• NSW Government unlikely to meet targets in Fiscal Responsibility Act 2012.

Section highlights

• We identified nine high risk findings, compared to eight last year, with two findings repeated from last year. Six of the nine findings related to financial controls and three related to IT controls.
• The proportion of repeat deficiencies has increased from 44 per cent in 2019–20 to 50 per cent in 2020–21. The longer these weaknesses in internal control systems exist, the higher the risk that they may be exploited and consequential impact.

Section highlights

• We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration and privileged user access.
• Agencies are increasingly contracting out key IT services to third parties, however, weaknesses in IT service providers' controls can expose an agency to cyber security risks.

Section highlights

• Agencies' self‑assessed cyber maturity levels against the NSW Cyber Security Policy mandatory requirements are low and have not met their target levels. Forty per cent of agencies have not formally accepted the residual risk from gaps between their target and current maturity levels.
• Most agencies have conducted cyber awareness training to staff during 2020–21. Some have further enhanced this training through awareness exercises such as simulated phishing emails to test staff knowledge.
• Registers of security incidents and breaches are not consistent across agencies. Four agencies recorded nil breaches during 2020–21, however, their definition of incidents and breaches was not consistent with other agencies. For instance, they did not include account compromises or denial of service attacks. Only seven agencies' registers included details of actions taken to resolve issues.

Section highlights

• Most agencies have established conflicts of interest policies consistent with the mandatory requirements of the Code of Ethics and Conduct for NSW Government sector employees. Agencies' policies could be strengthened to apply the standard they apply to senior executives to all employees and contractors. Currently, only senior employees are required to make annual declarations of interests, yet the ability to make or influence decisions is delegated to others in the organisation.
• Half of agencies' policies specify units or divisions that are at higher risk of conflicts of interest arising due to the nature of their business. Policies should identify additional measures at the unit/division level to mitigate these risks.
• On average, less than 75 per cent of staff completed annual declarations of interest where required. This could be improved with ongoing staff training and awareness, and follow up on incomplete conflicts of interest.

Section highlights

• Most agencies have established policies or procedures on supplier masterfile management, however, only 56 per cent do for employee masterfile management.
• Less than half of agencies review user access rights to supplier or employee masterfiles which contain sensitive information and are susceptible to fraud. Access to edit the masterfiles should be limited to authorised personnel for whom it is required to perform their duties.

Section highlights

• Less than half of all agencies have a formal policy on monitoring recommendations from performance audits or public inquiries. Agencies should formalise and implement policies on tracking and monitoring the progress of those recommendations.
• 56 per cent of agencies maintain a register of recommendations from performance audits or public inquiries. Registers could be improved to include features such as risk/priority rating, milestone due dates, record of revisions to due dates and explanatory comments.
• Recommendations can take several years to address, with the oldest unactioned items we noted dating back to 2016. Agencies reported completion of a third of recommendations that were raised within the last year.

Section highlights

• Unqualified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Four audits are ongoing.
• The number of monetary misstatements identified during the audit decreased from 27 in 2019–20 to seven in 2020–21.
• Three cluster agencies could improve their early close process by completing all required procedures.
• Local Land Services disclosed a prior period error relating to the completeness of asset improvements on travelling stock reserves.

Section highlights

• The number of findings reported to management decreased from 36 in 2019–20 to 19 in 2020–21, and 47 per cent were repeat findings.
• The 2020–21 audits identified 12 moderate risk and seven low risk issues across the cluster.
• Four moderate risk issues and five low risk issues were repeat findings from
  2019–20.

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

• prioritise addressing high-risk findings
• address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

A number of findings remain common across multiple agencies over the last four years, including:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers.

We found deficiencies in information security controls over key financial systems including:

• user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
• privileged users were not appropriately monitored at 43 per cent of agencies
• deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

• involving key dependent or inter-dependent third parties who support or deliver critical business functions
• testing one or more high impact scenarios identified in their business continuity plan
• preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

• 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
• 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
• 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

• not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
• not obtaining approval from a delegated authority to commence the procurement process
• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

• 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
• 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
• 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

• updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
• using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
• having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

• 16 per cent of agencies had not updated their financial delegations to reflect the changes
• 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

• 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
• 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
• 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline.

Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.

We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods.

We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records.

Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.

Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007.

Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

One in five internal control issues identified and reported to management in 2018–19 were repeat issues.

The lack of user access review was the most common IT general control issue in the cluster.

The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place.

Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.

Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19.

Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re prioritised, as the changes are implemented.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

• out of date policies or an absence of policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers
• policies, procedures or controls no longer suited to the current organisational structure or business activities.

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

• user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
• an absence of privileged user activity reviews at 35 per cent of agencies
• password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

• ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
• establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
• providing on-going training, awareness activities and support to employees, not just at induction
• publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

• the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
• the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

• preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
• involving agency human resources units in decisions about engaging contingent labour
• regularly reporting on contingent labour use and tenure to agency executive teams
• strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

• identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
• assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.