Section highlights

• $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters during 2021–22.
• Budget underspent for temporary housing and small business support as lower than expected need.

Section highlights

• 83 local council areas were impacted by natural disasters during 2021–22, with 58 being impacted by more than one type of natural disaster.
• $349 million damage to council infrastructure assets at 30 June 2022.

Section highlights

• Unqualified audit opinions were issued on all Transport and Infrastructure cluster agencies' financial statements.
• An 'Other Matter' paragraph was included in the Transport Asset Holding Entity of New South Wales' (TAHE) Independent Auditor's Report to draw attention to TAHE's reliance on government-funded customers.
•  An 'Emphasis of Matter' paragraph was included in the State Transit Authority of New South Wales' (the authority) Independent Auditor's Report to draw attention to management’s disclosures that State Transit Authority of New South Wales' financial statements for the year ended 30 June 2022 were prepared on a liquidation basis as the authority’s principal activities ceased operations on 3 April 2022.
• While TAHE's valuation of assets at 30 June 2022 was within an acceptable range of valuation outcomes, there remained significant differences in assumptions used when compared with relevant market benchmarks.
• Sydney Metro corrected two prior period errors of $1.5 billion and $51 million in accounting and valuation of assets, and double counting of assets capitalised in infrastructure as well as assets under construction respectively.

Section highlights

• The number of findings reported to management decreased from 87 in 2020–21 to 59 in 2021–22.
• Repeat findings accounted for 54.2% of management letter points. Many repeat findings related to controls over payroll, including management of annual leave and processing of timesheets, management of conflicts of interests, weaknesses in controls over information technology user access administration and password management.
• One new high-risk issue was identified in 2020–21, and four high-risk repeat issues remained.
• The five high-risk issues arose from the audit in the cluster, with respect to:
  • control over TAHE assets and operations (repeat)
  • TAHE detailed business modelling to support returns (repeat)
  • valuation of trees (repeat for Parramatta Park Trust and Centennial Park and Moore Park Trust)
  • TAHE asset valuations.

Section highlights

• Unqualified audit opinions were issued on all completed 30 June 2022 financial statement audits of cluster agencies, including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office. One audit is ongoing.

• Reported corrected misstatements decreased from 30 in 2020–21 to 23 with a gross value of $187 million in 2021–22 ($101 million in 2020–21). Reported uncorrected misstatements increased from 20 in 2020–21 to 25 with a gross value of $92.3 million in 2021–22 ($107 million in 2020–21).

• Six of the 15 cluster agencies required to submit 2021–22 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. One agency did not complete all mandatory procedures.

• All 13 cluster agencies that have accommodation arrangements with Property NSW accepted the changes in the Client Acceptance Letters, resulting in the derecognition of right-of-use assets and lease liabilities of $917 million and $1 billion respectively. The agencies also collectively recorded a gain on derecognition of $136 million.

• The Department of Communities and Justice (the department) assumed the responsibility to deliver the Process and Technology Harmonisation program from the Department of Customer Service. In 2021–22, the department incurred costs of $42.8 million in relation to the project.

• In 2021–22, the department continued to implement the International Financial Reporting Standards Interpretations Committee's agenda decision on 'Configuration or customisation costs in a cloud computing arrangement'. The department's review of the remaining arrangements, with a net book value of $233 million at 30 June 2021, resulted in the recognition as an expense (through accumulated funds at 1 July 2020) of previously capitalised intangible assets totalling $106 million.

Section highlights

• The number of issues reported to management has decreased from 130 in 2020–21, to 110 in 2021–22, and 43% were repeat issues (51% in 2020–21). Many repeat issues related to information technology, governance and oversight controls, and non-compliance with key legislation and/or agency policies.

• Five high-risk issues were identified in 2021–22, all of which are repeat issues and related to user access administration and segregation of duties.

• Of the 24 newly identified moderate risk issues, 11 related to information technology. The rest related to governance and oversight controls and internal control deficiencies or improvements in payroll, asset management and other processes.

Section highlights

• Up to 30 June 2021, $7.5 billion has been spent by state government agencies for health and economic stimulus.
• Revenue increased for most agencies as falling revenue from providing goods and services was offset by additional funding from appropriations, grants and contributions.
• Expenses increased as most agencies incurred additional costs to manage and respond to the pandemic along with delivering stimulus and support programs.
• Borrowings of $7.5 billion over the last two years helped to fund the response to COVID-19.

Section highlights

• NSW Government unlikely to meet targets in Fiscal Responsibility Act 2012.

Section highlights

• Unqualified audit opinions were issued on all Transport agencies' financial statements.
• An 'Emphasis of Matter' paragraph was included in the Transport Asset Holding Entity of New South Wales' (TAHE) Independent Auditor's Report to draw attention to significant uncertainty associated with the judgements, estimates and assumptions supporting the valuation of TAHE’s property, plant and equipment (PPE) and intangible assets.
• In 2020–21, the former RailCorp transitioned to TAHE, a for-profit state-owned corporation. When TAHE became a for-profit entity, it was required to change its valuation approach. The value of a for-profit entity's assets cannot exceed the cash flows they might realise either through their sale or continued use. This change in the basis of valuation resulted in a decrease of $20.3 billion in the fair value of the assets. The decrease in fair value was because the cash flows, which support measurement under the income approach, were insufficient to support the previous valuation based on the current replacement cost of those assets.
• TAHE also corrected a misstatement of $1.2 billion relating to the valuation of its assets after significant deliberation on key judgements and assumptions, with TAHE adopting higher risk assumptions in its valuation when compared to the relevant market benchmarks.
• On 18 December 2021, a Heads of Agreement (HoA) was signed between TAHE, Transport for NSW, Sydney Trains and NSW Trains. This HoA reflected TAHE's intention to negotiate higher access and licence fees in order to meet the shareholding ministers' revised expectation of a higher rate of return. This matter resolved the treatment of a significant accounting issue in the State’s consolidated (whole-of-government) financial statements. Refer to the Report on State Finances tabled on 9 February 2022. The expectation of an additional $5.2 billion in fees added to the valuation of TAHE's PPE and intangibles, with a final value of $17.15 billion.
• The implementation of AASB 1059 ‘Service Concession Arrangements: Grantors’ resulted in a net increase in assets of $23.5 billion across the cluster. AASB 1059 had a significant impact on Transport for NSW, Sydney Metro, Sydney Ferries and TAHE's 2020–21 financial statements.
• TAHE corrected a misstatement of $97.2 million relating to the application of AASB 1059 'Service Concession Arrangements: Grantors' for the Airport Link Company Contract. 

Section highlights

• The number of findings reported to management increased from 56 in 2019–20 to 73 in 2020–21.
• Thirty-seven per cent were repeat findings. Many repeat issues related to information technology controls around user access management and payroll processes. These included deficiencies in the monitoring of privileged user access to key financial systems, review of user access to key financial systems and segregation of duties between preparer and reviewer for new employee hires.
• Six new high-risk issues were identified in 2020–21, an increase of three compared to last year.
• One high-risk issue related to conflicts of interests not being declared by all officers involved in the land acquisition process at Transport for NSW.
• Five high-risk issues arose from the audit of TAHE, with respect to:
  • control over TAHE assets and operations
  • asset valuations
  • access price build up
  • detailed business modelling to support returns
  • conflict of interest management.
• Based on the access and licence agreements signed at 30 June 2021 between TAHE, Sydney Trains and NSW Trains, our review of the expected returns calculated by NSW Treasury did not support the assumption that there was a reasonable expectation that a sufficient rate of return could be achieved from the NSW Government's investment in TAHE.
• On 14 December 2021 the shareholding ministers' increased their expectations as to TAHE's target average return from 1.5 per cent to the expected long-term inflation rate of 2.5 per cent.
• On 18 December 2021 the revised shareholder expectations were confirmed in a signed Heads of Agreement. The Heads of Agreement will increase access fees paid by rail operators to TAHE by $5.2 billion.
• TAHE's access and licence agreements specified fees that were well short of the IPART regulated maximum (ceiling price).
• The finalisation of the access and licence agreements with Sydney Trains and NSW Trains resulted in a significant write-down of TAHE's asset value by $20.3 billion. The revaluation loss will need to be recovered as part of the shareholders’ rate of return of 2.5 per cent in order to sustain the whole-of-government accounting treatment of cash contributions recorded as an equity contribution and not a grant expense.
• There was a significant adjustment to TAHE’s valuation between the financial statements originally submitted for the audit and the final, signed financial statements due to differences in risk assumptions resulting in a correction of a $1.2 billion misstatement. 

Section highlights

• Unqualified audit opinions were issued for all 30 June 2021 financial statements of cluster agencies including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office.
• An 'Other Matter' paragraph was included within the Multicultural NSW and Office of the Ageing and Disability Commissioner’s Independent Auditor's Report. While the paragraph did not modify the audit opinion, it noted the agencies did not have a signed instrument of delegation from their responsible Minister(s) to incur expenditure for the 2020–21 financial year and therefore were non‑compliant with section 5.5 of the Government Sector Finance Act 2018 .
• 11 of the 15 cluster agencies required to submit 2020–21 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. The agencies cited changes in key staff, delays in finalising actuarial and valuation work and the timing of Audit and Risk Committee meetings as the main reasons for not meeting the deadlines. Five agencies did not complete all mandatory procedures.
• The Department of Communities and Justice (the department) was, for the first time, able to reliably measure and record a liability of $200 million at 30 June 2021 for Incurred But Not Reported (IBNR) claims relating to its Victims Support Scheme. Child Sexual Assault IBNR claim liabilities continue to be not recorded on the basis they are still unable to be reliably measured.
• The International Financial Reporting Standards Interpretations Committee released an agenda decision on 'Configuration or customisation costs in a cloud computing arrangement' (the IFRIC agenda decision). The department treated the financial impacts of the IFRIC agenda decision as a change in accounting policy and retrospectively recorded prepaid assets and expenses of $52.3 million and $90.5 million respectively relating to intangible assets they had previously capitalised.
• The implementation of AASB 1059 'Service Concession Arrangements: Grantors' had a significant impact on the department's 2020–21 financial statements. The department applied a modified retrospective approach upon initial adoption at 1 July 2020 and recognised service concession assets and liabilities of $1.0 billion and $1.2 billion respectively in relation to three correctional centres with private sector operators.

Section highlights

• The number of issues reported to management has decreased from 191 in 2019–20 to 172 in 2020–21, and 45 per cent were repeat issues. Many repeat issues related to information technology, governance and oversight controls.
• Seven high risk issues were identified in 2020–21, an increase of five compared to last year.
• The two high risk issues identified in 2019–20 relating to New South Wales Institute of Sport were resolved.

• establish an operating model in line with the original intent of a commercial return
• finalise commercial agreements with the public rail operators
• confirm forecast financial information to assess valuation of TAHE infrastructure
• finalise asset and safety management plans.

Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base.

• agencies are fully aware of contractual and other obligations
• appropriate assessment of financial reporting implications
• ongoing assessments of accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities' and new accounting standard AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

Section highlights

• Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19.
• Unqualified audit opinions were issued on all Transport agencies' financial statements.
• Transport cluster agencies continued to experience challenges with accounting of land and infrastructure assets.

Section highlights

• While there was a decrease in findings on internal controls across the Transport cluster, 43 per cent of all issues were repeat issues. Many repeat issues related to information technology controls around user access management.
• RailCorp transitioned to TAHE on 1 July 2020. TAHE's operating model and commercial arrangements with public rail operators has not been finalised despite government original plans to be operating from 1 July 2019. TAHE management should finalise its operating model and commercial agreements with public rail operators as they may significantly impact the financial reporting arrangements for TAHE for 2020–21.
• Completeness and accuracy of contracts registers remains an ongoing issue for the Transport cluster.

The Treasury extended the statutory deadline for the submission of the 2019–20 financial statements. For agencies subject to Treasurer's Directions, Treasury required agencies to submit their 30 June 2020 financial statements by 5 August 2020. For other agencies, the deadline was extended to 31 October 2020. All agencies in the cluster met the revised statutory deadlines.

Cluster agencies substantially completed the mandatory early close procedures set by NSW Treasury. However, nine agencies including the Department of Communities and Justice (the department) did not complete one or more mandatory requirements, such as assessing the impact of new and updated accounting standards.

Emergency events significantly impacted cluster agencies in 2019–20. Our review of seven cluster agencies most affected highlighted some had incurred additional expenditure because of the bushfires and floods. Others lost revenue due to the COVID-19 pandemic.

During the year these agencies collectively received additional funding of $1.1 billion from the State to respond to:

• increased demand for homeless people seeking temporary accommodation
• additional cleaning requirements
• bushfire recovery efforts
• emergency support for eligible small businesses.

The Sydney Cricket Ground Trust, Venues NSW and Office of Sport lodged insurance claims of $51.3 million with the Treasury Managed Fund with respect to lost revenues from the pandemic. The losses were mainly due to event cancellations and covered various periods ranging from mid-March to 31 December 2020.

The change in economic conditions caused by the COVID-19 pandemic resulted in the NSW Government cancelling the refurbishment of Stadium Australia it had previously approved in August 2019. Venues NSW wrote off $16.8 million of redevelopment costs during 2019–20.

The department continues to address significant data quality issues resulting from its implementation of the VS Connect system (the System) in 2019. The issues relate to the completeness and accuracy of the data transferred from the legacy system. The System is used by the department to manage its Victims Support Services (VSS) and for financial reporting purposes.

An independent actuary helps the department estimate its liability for VSS claims. The actuary's valuation at 30 June 2020 was again impacted by the data quality issues. Consequently, the actuary adopted a revised valuation methodology compared to previous years.

Recommendation (repeat issue):

The department should resolve the data quality issues in the VS Connect System before 31 March 2021.

Cluster agencies implemented three new accounting standards for the first time in 2019–20. Adoption of AASB 16 'Leases' resulted in cluster agencies collectively recognising right-of-use assets and lease liabilities of $1.7 billion and $1.1 billion respectively on 1 July 2019.

Significant misstatements in how lease related balances had been calculated were found in 17 of the 29 cluster agencies. The cluster outsources the management of most of its owned and leased property portfolio to Property NSW, but cluster agencies remain responsible for any deliverables under that arrangement. The misstatements were mainly caused by late revisions of key assumptions and issues with the accuracy and completeness of Property NSW's lease information.

Our 2019–20 financial audits identified 191 internal control issues. Of these, two were high risk and almost one-third were repeat findings from previous audits. While repeat findings reduced by 5.7 percentage points in 2019–20, the number remains high.

Recommendation (repeat issue):

Cluster agencies should action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues.

The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies rose from $67.4 million in 2018–19 to $497 million in 2019–20.

The COVID-19 pandemic presented unprecedented challenges for the cluster. Social distancing and other infection control measures disrupted the traditional means of delivering services. Agencies established committees or response teams to respond to these challenges.

The department introduced measures to minimise the risk of the spread of COVID-19 amongst inmates in custodial settings.

Managing excess annual leave was a challenge for cluster agencies directly involved in the government's response to the emergency events. Employees in frontline cluster agencies deferred leave plans and many have taken little or no annual leave during the reporting period.

Annual leave liabilities rose at the department, NSW Police Force, Fire and Rescue NSW, Office of the NSW Rural Fire Service, the Legal Aid Commission of New South Wales and the Office of the Director of Public Prosecutions. The combined liabilities increased from $620 million to $692 million or 11.6 per cent between 30 June 2019 and 30 June 2020.

Administrative Arrangement Orders effective from 1 July 2019, created the department of Communities and Justice and transferred functions and staff, together with associated assets and liabilities into the department from the former departments of Justice and Family and Community Services.

The department continues to establish its governance arrangements following the MoG changes.

Recommendation:

The department should finalise appropriate governance arrangements for its new organisational structure as soon as possible. This includes:

• harmonising policies and procedures to ensure a unified approach across the department
• finalising risk management and monitoring processes across the department
• updating its delegation instruments to reflect the current organisational structure, delegation limits and roles and responsibilities.

The department continued to expand prison system capacity through the NSW Government's $3.8 billion Prison Bed Capacity Program. The department reported it spent $480 million on the Program in 2019–20. Six prison expansion projects were completed during the year, which added 1,660 new and 395 refurbished beds to the NSW prison system.

Data from the department shows the number of adult inmates in the NSW prison system reached a maximum of 14,165 during the year. Operational capacity was 16,096 beds on 19 August 2020.

Section highlights

• Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements. All agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements.
• Emergency events significantly impacted cluster agencies in 2019–20. Agencies received additional funding of $1.1 billion to respond to the emergencies.
• Cluster agencies implemented three new accounting standards in 2019–20. Adoption of AASB 16 'Leases' resulted in significant changes to agencies' financial statements.

Section highlights

• Almost one-third of internal control issues reported were repeat findings. Cluster agencies should address these issues more promptly.
• The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies increased by $430 million in 2019–20.
• The department continues to establish its governance arrangements following Machinery of Government changes effective 1 July 2019.

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

• prioritise addressing high-risk findings
• address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

A number of findings remain common across multiple agencies over the last four years, including:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers.

We found deficiencies in information security controls over key financial systems including:

• user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
• privileged users were not appropriately monitored at 43 per cent of agencies
• deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

• involving key dependent or inter-dependent third parties who support or deliver critical business functions
• testing one or more high impact scenarios identified in their business continuity plan
• preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

• 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
• 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
• 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

• not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
• not obtaining approval from a delegated authority to commence the procurement process
• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

• 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
• 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
• 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

• updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
• using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
• having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

• 16 per cent of agencies had not updated their financial delegations to reflect the changes
• 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

• 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
• 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
• 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.