Section highlights

• We identified nine high risk findings, compared to eight last year, with two findings repeated from last year. Six of the nine findings related to financial controls and three related to IT controls.
• The proportion of repeat deficiencies has increased from 44 per cent in 2019–20 to 50 per cent in 2020–21. The longer these weaknesses in internal control systems exist, the higher the risk that they may be exploited and consequential impact.

Section highlights

• We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration and privileged user access.
• Agencies are increasingly contracting out key IT services to third parties, however, weaknesses in IT service providers' controls can expose an agency to cyber security risks.

Section highlights

• Agencies' self‑assessed cyber maturity levels against the NSW Cyber Security Policy mandatory requirements are low and have not met their target levels. Forty per cent of agencies have not formally accepted the residual risk from gaps between their target and current maturity levels.
• Most agencies have conducted cyber awareness training to staff during 2020–21. Some have further enhanced this training through awareness exercises such as simulated phishing emails to test staff knowledge.
• Registers of security incidents and breaches are not consistent across agencies. Four agencies recorded nil breaches during 2020–21, however, their definition of incidents and breaches was not consistent with other agencies. For instance, they did not include account compromises or denial of service attacks. Only seven agencies' registers included details of actions taken to resolve issues.

Section highlights

• Most agencies have established conflicts of interest policies consistent with the mandatory requirements of the Code of Ethics and Conduct for NSW Government sector employees. Agencies' policies could be strengthened to apply the standard they apply to senior executives to all employees and contractors. Currently, only senior employees are required to make annual declarations of interests, yet the ability to make or influence decisions is delegated to others in the organisation.
• Half of agencies' policies specify units or divisions that are at higher risk of conflicts of interest arising due to the nature of their business. Policies should identify additional measures at the unit/division level to mitigate these risks.
• On average, less than 75 per cent of staff completed annual declarations of interest where required. This could be improved with ongoing staff training and awareness, and follow up on incomplete conflicts of interest.

Section highlights

• Most agencies have established policies or procedures on supplier masterfile management, however, only 56 per cent do for employee masterfile management.
• Less than half of agencies review user access rights to supplier or employee masterfiles which contain sensitive information and are susceptible to fraud. Access to edit the masterfiles should be limited to authorised personnel for whom it is required to perform their duties.

Section highlights

• Less than half of all agencies have a formal policy on monitoring recommendations from performance audits or public inquiries. Agencies should formalise and implement policies on tracking and monitoring the progress of those recommendations.
• 56 per cent of agencies maintain a register of recommendations from performance audits or public inquiries. Registers could be improved to include features such as risk/priority rating, milestone due dates, record of revisions to due dates and explanatory comments.
• Recommendations can take several years to address, with the oldest unactioned items we noted dating back to 2016. Agencies reported completion of a third of recommendations that were raised within the last year.

Section highlights

• Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
• An 'Other Matter' paragraph was included in the Independent Planning Commission’s (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983. From 2020–21, the IPC is required to prepare financial statements under the Government Sector Finance Act 2018.
• The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements were incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. These audits are currently underway, and the 2020–21 audit will commence shortly.
• The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 State controlled Crown land managers (CLMs) are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21. All 120 common trusts have never submitted their financial statements for audit. The department needs to do more to ensure that the CLMs and common trusts meet their statutory reporting obligations.
• Nine agencies that were required to perform early close procedures did not complete a total of 20 mandatory procedures. The most common incomplete early close procedures include the revaluation of property, plant and equipment, documenting all significant management judgments and assumptions, and the implementation of new and updated accounting standards.

Section highlights

• The number of findings reported to management has increased from 135 in 2019–20 to 180 in 2020–21, and 40 per cent were repeat issues.
• Seven high-risk issues were identified in 2020–21, and three high-risk findings were repeat issues.
• There continues to be significant deficiencies in Crown land records. The department should prioritise action to ensure the Crown land database is complete and accurate.

Section highlights

• Unqualified audit opinions were issued for all 30 June 2021 financial statements of cluster agencies including the acquittal and compliance audits for the Legal Aid Commission of New South Wales and Crown Solicitor's Office.
• An 'Other Matter' paragraph was included within the Multicultural NSW and Office of the Ageing and Disability Commissioner’s Independent Auditor's Report. While the paragraph did not modify the audit opinion, it noted the agencies did not have a signed instrument of delegation from their responsible Minister(s) to incur expenditure for the 2020–21 financial year and therefore were non‑compliant with section 5.5 of the Government Sector Finance Act 2018 .
• 11 of the 15 cluster agencies required to submit 2020–21 early close financial statements and all other mandatory procedures did not meet the statutory deadlines. The agencies cited changes in key staff, delays in finalising actuarial and valuation work and the timing of Audit and Risk Committee meetings as the main reasons for not meeting the deadlines. Five agencies did not complete all mandatory procedures.
• The Department of Communities and Justice (the department) was, for the first time, able to reliably measure and record a liability of $200 million at 30 June 2021 for Incurred But Not Reported (IBNR) claims relating to its Victims Support Scheme. Child Sexual Assault IBNR claim liabilities continue to be not recorded on the basis they are still unable to be reliably measured.
• The International Financial Reporting Standards Interpretations Committee released an agenda decision on 'Configuration or customisation costs in a cloud computing arrangement' (the IFRIC agenda decision). The department treated the financial impacts of the IFRIC agenda decision as a change in accounting policy and retrospectively recorded prepaid assets and expenses of $52.3 million and $90.5 million respectively relating to intangible assets they had previously capitalised.
• The implementation of AASB 1059 'Service Concession Arrangements: Grantors' had a significant impact on the department's 2020–21 financial statements. The department applied a modified retrospective approach upon initial adoption at 1 July 2020 and recognised service concession assets and liabilities of $1.0 billion and $1.2 billion respectively in relation to three correctional centres with private sector operators.

Section highlights

• The number of issues reported to management has decreased from 191 in 2019–20 to 172 in 2020–21, and 45 per cent were repeat issues. Many repeat issues related to information technology, governance and oversight controls.
• Seven high risk issues were identified in 2020–21, an increase of five compared to last year.
• The two high risk issues identified in 2019–20 relating to New South Wales Institute of Sport were resolved.

Section highlights

• Unqualified audit opinions were issued on all completed cluster agencies' 2020–21 financial statements.
• Monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.
• Thirteen agencies were exempt from financial reporting in 2020–21. 

Section highlights

• The 2020–21 audits identified 47 moderate risk issues across the cluster. Sixteen of the moderate risk issues were repeat issues. Many repeat issues related to governance and oversight and information technology.
• The number of moderate risk findings increased by 42 per cent in 2020–21.
• The moderate risk issues included information technology improvements, lack of service level agreements, risk management, contract and procurement and asset management improvements.

Two universities reported retrospective corrections of prior period errors. The University of Sydney reported errors relating to the underpayment of staff entitlements and the fair value of buildings. Charles Sturt University reported an error relating to how it had calculated right‑of‑use assets and lease liabilities on initial application of the new leasing standard in the previous year.

Student enrolments decreased in 2020 compared to 2019 by 10,032 (3.3 per cent). Of this decrease, 8,310 students were from overseas.

The ongoing impact of COVID‑19 in the short‑term, on semester one enrolments for 2021 compared to semester one of 2020, has been mixed:

• all universities in NSW experienced a growth in their domestic student enrolments
• eight universities experienced decreases in overseas student enrolments.

During 2020, universities provided welfare support to students, created student hardship funds, provided accommodation, and flexibility on payment of course fees.

State and Commonwealth governments provided additional support to the sector:

• those university controlled entities eligible to receive JobKeeper payments received a combined amount under the Commonwealth scheme totalling $47.6 million in 2020
• the NSW Government launched a University Loan Guarantee scheme.

Six universities recorded negative net operating results in 2020 (two in 2019). While most universities experienced decreased revenue in 2020, only four had reduced their expenses to a level that was less than revenue.

Universities' revenue streams were impacted in 2020 by the COVID‑19 pandemic, with fees and charges decreasing by $361 million (5.8 per cent).

Government grants as a proportion of total revenue increased for the first time in five years to 34 per cent in 2020.

Nearly 40 per cent of universities' total revenue from course fees in 2020 (40.9 per cent in 2019) came from overseas students from three countries: China, India and Nepal (same in 2019). Students from these countries of origin contributed $2.2 billion ($2.4 billion in 2019) in fees. Some universities continue to be dependent on revenues from students from these destinations and their results are more sensitive to fluctuations in demand as a result.

Overall philanthropic contributions to universities increased by 32.2 per cent in 2020 to $222 million ($167.9 million in 2019). The University of Sydney and the University of New South Wales attracted 75.2 per cent of the total philanthropic contributions in 2020 (69.5 per cent in 2019).

Total research income for universities was $1.4 billion in 2019¹, with the University of Sydney and the University of New South Wales attracting 66.5 per cent of the total research income of all universities in NSW (65.2 per cent in 2018).

Recommendation: Universities should prioritise actions to address repeat findings on internal control deficiencies in a timely manner. Risks associated with unmitigated control deficiencies may increase over time.

Three high risk internal control deficiencies were identified, namely:

• The University of New South Wales should continue work to assess its liability for the underpayment of casual staff entitlements. This issue was also reported last year.
• Two high risk deficiencies were identified at Charles Sturt University. One related to misunderstanding the requirements of the new accounting standard in relation to recognising grant funding revenue for construction work. The second related to resolving issues identified by an ongoing internal review of its employment contracts to enable a reliable quantification as to the university's liability to its employees.

Gaps in information technology (IT) controls comprised the majority of the remaining deficiencies. Deficiencies included a lack of sufficient privileged user access reviews and monitoring, payment files being held in editable formats and accessible by unauthorised persons, and password settings not aligning with the requirements of information security policies.

Except for Macquarie University, all other universities had disaster recovery plans prepared for all of the IT systems that support critical business functions. Macquarie University’s disaster recovery plans were still in progress at 31 December 2020.

Only half of the universities' policies require regular testing of their business continuity plans and six universities' plans do not specify staff must capture, asses and report disruptive incidents.

Six universities were reported as having full‑time employment rates of their postgraduates in 2020 that were greater than the national average.

Seven universities were reported to have increased their enrolments of students from Aboriginal and Torres Strait Islander backgrounds in 2019. The target growth rate for increases in enrolments of Aboriginal and Torres Strait Islander students (to exceed the growth rate of enrolments of non‑indigenous students by at least 50 per cent) was achieved in 2019.

The Treasury extended the statutory deadline for the submission of the 2019–20 financial statements. For agencies subject to Treasurer's Directions, Treasury required agencies to submit their 30 June 2020 financial statements by 5 August 2020. For other agencies, the deadline was extended to 31 October 2020. All agencies in the cluster met the revised statutory deadlines.

Cluster agencies substantially completed the mandatory early close procedures set by NSW Treasury. However, nine agencies including the Department of Communities and Justice (the department) did not complete one or more mandatory requirements, such as assessing the impact of new and updated accounting standards.

Emergency events significantly impacted cluster agencies in 2019–20. Our review of seven cluster agencies most affected highlighted some had incurred additional expenditure because of the bushfires and floods. Others lost revenue due to the COVID-19 pandemic.

During the year these agencies collectively received additional funding of $1.1 billion from the State to respond to:

• increased demand for homeless people seeking temporary accommodation
• additional cleaning requirements
• bushfire recovery efforts
• emergency support for eligible small businesses.

The Sydney Cricket Ground Trust, Venues NSW and Office of Sport lodged insurance claims of $51.3 million with the Treasury Managed Fund with respect to lost revenues from the pandemic. The losses were mainly due to event cancellations and covered various periods ranging from mid-March to 31 December 2020.

The change in economic conditions caused by the COVID-19 pandemic resulted in the NSW Government cancelling the refurbishment of Stadium Australia it had previously approved in August 2019. Venues NSW wrote off $16.8 million of redevelopment costs during 2019–20.

The department continues to address significant data quality issues resulting from its implementation of the VS Connect system (the System) in 2019. The issues relate to the completeness and accuracy of the data transferred from the legacy system. The System is used by the department to manage its Victims Support Services (VSS) and for financial reporting purposes.

An independent actuary helps the department estimate its liability for VSS claims. The actuary's valuation at 30 June 2020 was again impacted by the data quality issues. Consequently, the actuary adopted a revised valuation methodology compared to previous years.

Recommendation (repeat issue):

The department should resolve the data quality issues in the VS Connect System before 31 March 2021.

Cluster agencies implemented three new accounting standards for the first time in 2019–20. Adoption of AASB 16 'Leases' resulted in cluster agencies collectively recognising right-of-use assets and lease liabilities of $1.7 billion and $1.1 billion respectively on 1 July 2019.

Significant misstatements in how lease related balances had been calculated were found in 17 of the 29 cluster agencies. The cluster outsources the management of most of its owned and leased property portfolio to Property NSW, but cluster agencies remain responsible for any deliverables under that arrangement. The misstatements were mainly caused by late revisions of key assumptions and issues with the accuracy and completeness of Property NSW's lease information.

Our 2019–20 financial audits identified 191 internal control issues. Of these, two were high risk and almost one-third were repeat findings from previous audits. While repeat findings reduced by 5.7 percentage points in 2019–20, the number remains high.

Recommendation (repeat issue):

Cluster agencies should action recommendations to address internal control weaknesses promptly. Focus should be given to addressing high risk and repeat issues.

The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies rose from $67.4 million in 2018–19 to $497 million in 2019–20.

The COVID-19 pandemic presented unprecedented challenges for the cluster. Social distancing and other infection control measures disrupted the traditional means of delivering services. Agencies established committees or response teams to respond to these challenges.

The department introduced measures to minimise the risk of the spread of COVID-19 amongst inmates in custodial settings.

Managing excess annual leave was a challenge for cluster agencies directly involved in the government's response to the emergency events. Employees in frontline cluster agencies deferred leave plans and many have taken little or no annual leave during the reporting period.

Annual leave liabilities rose at the department, NSW Police Force, Fire and Rescue NSW, Office of the NSW Rural Fire Service, the Legal Aid Commission of New South Wales and the Office of the Director of Public Prosecutions. The combined liabilities increased from $620 million to $692 million or 11.6 per cent between 30 June 2019 and 30 June 2020.

Administrative Arrangement Orders effective from 1 July 2019, created the department of Communities and Justice and transferred functions and staff, together with associated assets and liabilities into the department from the former departments of Justice and Family and Community Services.

The department continues to establish its governance arrangements following the MoG changes.

Recommendation:

The department should finalise appropriate governance arrangements for its new organisational structure as soon as possible. This includes:

• harmonising policies and procedures to ensure a unified approach across the department
• finalising risk management and monitoring processes across the department
• updating its delegation instruments to reflect the current organisational structure, delegation limits and roles and responsibilities.

The department continued to expand prison system capacity through the NSW Government's $3.8 billion Prison Bed Capacity Program. The department reported it spent $480 million on the Program in 2019–20. Six prison expansion projects were completed during the year, which added 1,660 new and 395 refurbished beds to the NSW prison system.

Data from the department shows the number of adult inmates in the NSW prison system reached a maximum of 14,165 during the year. Operational capacity was 16,096 beds on 19 August 2020.

Section highlights

• Unqualified audit opinions were issued for all agencies' 30 June 2020 financial statements. All agencies met the revised statutory deadlines for completing early close procedures and submitting their financial statements.
• Emergency events significantly impacted cluster agencies in 2019–20. Agencies received additional funding of $1.1 billion to respond to the emergencies.
• Cluster agencies implemented three new accounting standards in 2019–20. Adoption of AASB 16 'Leases' resulted in significant changes to agencies' financial statements.

Section highlights

• Almost one-third of internal control issues reported were repeat findings. Cluster agencies should address these issues more promptly.
• The severity of the recent bushfires and floods meant natural disaster expenses incurred by emergency services agencies increased by $430 million in 2019–20.
• The department continues to establish its governance arrangements following Machinery of Government changes effective 1 July 2019.

There are 45 separate entities in the cluster. Unqualified audit opinions were issued for 38 cluster agencies' 30 June 2020 financial statements audits. Four financial statements audits are still ongoing, and three agencies were not subject to audit due to NSW Treasury reporting exemptions.

The majority of cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting financial statements. Twenty‑four of the 26 cluster agencies required to submit early close financial statements met the revised timeframe.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions not issued by the statutory deadline.

Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations.

Recommendation (partially repeat):

Property NSW should:

• review and document the accounting implications for each lease
• ensure the accuracy and validity of lease data used for the lease calculations
• review user access to the leasing system, including privileged users.

Our audits of the cluster agencies identified there was a lack of thorough quality assurance over the accuracy of lease information provided by Property NSW.

Recommendation:

The Department and cluster agencies should:

• quality assure and validate the information provided by Property NSW
• ensure changes made by Property NSW on lease data are supported and that assumptions and judgements applied are appropriate
• document their review of the data supplied.

In 2019–20, the Department resolved an additional 468 Aboriginal land claims compared to the prior year. However, the total number of unprocessed Aboriginal land claims increased by 914 to 36,769 at 30 June 2020. The number of claims remaining unprocessed for more than ten years after lodgement increased by 10.9 per cent from last year. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land.

Auditor-General's Reports to Parliament since 2007 have recommended action to address the increasing number of unprocessed claims. To date, the Department has not been able to resolve this issue.

During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims.

The Department will need to provide additional support and guidance to help Crown land managers (CLMs) meet their financial reporting obligations.

Recommendation:

The Department should:

• in consultation with NSW Treasury, develop an appropriate statutory reporting framework for CLMs
• ensure sufficient resources are available to help CLMs meet their reporting obligations.

During 2019–20, NSW Treasury established the reporting exemption criteria for the CLMs. Based on available information, the Department determined 31 CLMs would not meet the exemption criteria and therefore are required to prepare annual financial statements.

Six high‑risk issues were identified across the cluster in 2019–20:

• 5 of those were related to financial reporting issues identified in Property NSW, Wentworth Park Sporting Complex Land Manager, Lord Howe Island Board, Planning Ministerial Corporation and Hunter and Central Coast Development Corporation
• 1 issue was related to Lord Howe Island Board's outdated business continuity plan.

One in three internal control issues identified and reported to management in 2019–20 were repeat issues.

Recommendation:

Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high‑risk and repeat issues.

The unprecedented bushfires and COVID‑19 pandemic presented challenges for the cluster. Agencies established taskforces or response teams to respond to these emergencies.

With more staff working from home, agencies implemented protocols and procedures to manage risks associated with the remote working arrangements, and also needed to address certain technology issues.

The Department is responsible for the new Planning System Acceleration Program, which aims to fast‑track planning assessments, boost the State's economy and keep people in jobs during COVID‑19 pandemic. Between April and October 2020, the Department announced and determined 101 major projects and planning proposals.

Crown land is an important asset of the State. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel.

Auditor-General's Reports to Parliament since 2017 have recommended that the Department should ensure the database of Crown land is complete and accurate. Whilst the Department has commenced actions to improve the database, this remained an issue in 2019–20.

Recommendation (repeat issue):

The Department should prioritise action to ensure the Crown land database is complete and accurate. This allows state agencies and local councils to be better informed about the Crown land they control.

Since its creation on 1 July 2019, the Department has largely established its governance arrangements, including setting up the Audit and Risk Committee and internal audit function for the Department and relevant cluster agencies.

The Department still operated three main financial reporting systems in 2019–20, and has commenced the process to consolidate some of the systems.

The recent Regional NSW MoG change led to the transfer of $446 million net assets and $284 million 2019–20 budget from the Department to the newly created Department of Regional NSW on 2 April 2020.

Section highlights

• Unqualified audit opinions were issued for all completed 30 June 2020 financial statements audits. Timeliness of financial reporting remains an issue for 13 agencies.
• Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations. Cluster agencies can also improve their management of lease information provided by Property NSW.
• The number of unprocessed Aboriginal land claims continued to increase. During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims.

The Department has not yet developed a statutory reporting framework for Crown land managers and will need to provide additional resources to help Crown land managers meet their financial reporting obligations.

Section highlights

• Six high risk issues were identified during 2019–20 audits. One in three issues identified and reported to management in 2019–20 were repeat issues.
• The Department has fast tracked the assessment and determination of 101 projects as a part of the Planning System Acceleration Program.
• There continues to be significant deficiencies in Crown land records. The Department should ensure the Crown land database is complete and accurate.

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

• prioritise addressing high-risk findings
• address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

A number of findings remain common across multiple agencies over the last four years, including:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers.

We found deficiencies in information security controls over key financial systems including:

• user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
• privileged users were not appropriately monitored at 43 per cent of agencies
• deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

• involving key dependent or inter-dependent third parties who support or deliver critical business functions
• testing one or more high impact scenarios identified in their business continuity plan
• preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

• 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
• 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
• 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

• not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
• not obtaining approval from a delegated authority to commence the procurement process
• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

• 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
• 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
• 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

• updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
• using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
• having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

• 16 per cent of agencies had not updated their financial delegations to reflect the changes
• 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

• 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
• 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
• 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

The 2019 financial statements of all ten NSW universities received unmodified audit opinions.

One controlled entity of the Western Sydney University received a qualified audit opinion.

Five NSW universities finalised their audited financial statements this year on or before the date they did last year.

New accounting standards, which changed how universities report income and treat operating leases, became effective from 1 January 2019.

Government grants as a proportion of the total income of NSW universities continued to decrease.

Fee revenue from overseas students continued to grow faster than fees from domestic students. Forty-one per cent of NSW universities' total student revenue came from overseas students from three countries.

Five NSW universities increased the proportion of revenue they receive from overseas students from a single country. Two universities sourced over 73 per cent of their total overseas student revenue from students from a single country of origin in 2019.

All six NSW universities with overseas controlled entities have devolved responsibility for governance and legislative compliance to their overseas controlled entities.

Recommendation (repeat issue): NSW universities should strengthen their governance arrangements to oversight their overseas controlled entities' legal and policy compliance functions.

The 2019 financial results for universities are reported as at 31 December. Consequently, the results for the 2019 year were unaffected by the impact of the COVID-19 pandemic.

NSW universities provided data on the COVID-19 impacted student enrolments for semester one 2020. Overall numbers of student enrolments were 5.8 per cent beneath projections. Overseas student enrolments were 13.8 per cent beneath expectations and domestic student enrolments were 2.4 per cent beneath expectations.

NSW universities are responding to the challenges presented by COVID-19 by moving course delivery online, expanding student support and introducing cost saving measures.

Our audits identified 108 internal control deficiencies in 2019 (99 in 2018).

Gaps in information technology (IT) controls comprised the majority of these deficiencies. Deficiencies included a lack of sufficient user access reviews, inadequate review and approval of change management processes, and issues with password settings.

We identified one high risk financial control deficiency at the University of New South Wales, which resulted in the University providing for a potential underpayment of casual staff salaries.

NSW universities continue to implement recommendations arising from 35 findings raised in previous years.

Five NSW universities still do not have formal processes to internally review and validate performance information published in their annual reports.

Recommendation (repeat issue): NSW universities should strengthen processes to review and validate published performance information.

Two universities have not yet implemented a cyber risk policy and three universities have not formally trained staff in cyber awareness.

Recommendation (repeat issue): NSW universities should strengthen cyber security frameworks and controls to protect sensitive data and prevent financial and reputational losses.

All universities have a procurement policy. Most universities have a documented procurement manual and contact management policy.

Recommendation: NSW universities should review their procurement and contract management policies and procedures to ensure that they are relevant and effective in reducing risk and improving purchasing outcomes.

Five universities in 2018 (five in 2017) met the target enrolment rate for students from low socio-economic status (SES) backgrounds.

Eight universities increased enrolments of students from Aboriginal and Torres Strait Islander backgrounds in 2018.

The Machinery of Government (MoG) changes abolished the former Planning and Environment cluster and former Industry cluster, and created the Planning, Industry and Environment cluster on 1 July 2019.

The Department of Planning and Environment (DPE), the Department of Industry (DOI), the Office of Environment and Heritage, and the Office of Local Government were abolished and the majority of their functions were transferred to the new Department of Planning, Industry and Environment (DPIE).

The MoG changes bring risks and challenges to the cluster. A MoG Steering Committee, with the support of various project control groups and working groups, identified and developed responses to key risks arising from the changes.

However, the DPIE will take some time to fully integrate the policies, systems and processes of the abolished Departments and agencies.

Fifty-five of the 57 agencies subject to statutory deadlines submitted their financial statements on time.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions issued by the statutory deadline.

Agencies prepared and submitted their early close procedures in accordance with the mandatory timeframe set by NSW Treasury. However, 17 of the 49 agencies where we reviewed early close procedures were assessed as either partially addressing or not addressing one or more of the mandatory requirements. The cluster agencies could benefit from an increased focus on early close procedures.

We noted errors in the lease data used in Property NSW's AASB 16 impact calculations, which affect both Property NSW and other government agencies. These errors were significant enough to present a risk of material misstatements to the financial statements of Property NSW and other government agencies in future reporting periods.

We had similar findings in our recent performance audit on 'Property Asset Utilisation', which highlighted issues with the quality of Property NSW's records.

Recommendation: Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019.

Despite an increase in the number of claims resolved, the number of unprocessed Aboriginal land claims increased by 7.2 per cent from the prior year to 35,855 at 30 June 2019. Claims can be made over Crown land assets of the DPIE or other government agencies. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. We first recommended action to address unprocessed claims in 2007.

Recommendation (repeat issue): The DPIE should prioritise action to reduce unprocessed Aboriginal land claims.

One in five internal control issues identified and reported to management in 2018–19 were repeat issues.

The lack of user access review was the most common IT general control issue in the cluster.

The NSW Government announced an emergency drought relief package of $500 million in 2018, in addition to other financial assistance measures already in place.

Limited documentation and written agreements between relevant delivery agencies resulted in a $31.0 million misstatement relating to grant revenue.

Crown land is an important asset of the state. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Last year we recommended the DOI should ensure the database of Crown land is complete and accurate. While the DOI has commenced actions to improve the database, this continued to be an issue in 2018–19.

Recommendation (repeat issue): The DPIE should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.