Refine search

Reports

18 December 2020

Published

Service NSW's handling of personal information

Premier and Cabinet

Finance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Risk

Service delivery

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

Conclusion

Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.

Service NSW identifies privacy as a strategic risk in both its Risk Management Guideline and enterprise risk register and sets out a zero level appetite for privacy risk in its risk appetite statement. That said, the governance, policies, and processes established by Service NSW to mitigate privacy risk are not effective in ensuring the privacy of personal customer and business information. While Service NSW had risk identification and management processes in place at the time of the March 2020 data breach, these did not prevent the breach occurring.

Some of the practices that contributed to the data breach are still being followed by Service NSW staff. For example, business processes still require Service NSW staff to scan and email personal information to some client agencies.

The lack of multi factor authentication has been identified as another key contributing factor to the March 2020 data breach as this enabled the external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise. Service NSW had identified the lack of multi factor authentication on its webmail platform as a risk more than a year prior to the breach and had committed to addressing this by June 2019. It was not implemented until after the breach occurred.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Internal audits carried out by Service NSW, including one completed in August 2020, have identified significant weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These include deficiencies in the management of role based access, monitoring and audit of user access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW has agreements in place with client agencies. However, the agreements lack detail and clarity about the roles and responsibilities of the agencies in relation to the collection, storage and security of customer's personal information. This lack of clarity raises the risk that privacy obligations will become confused and missed between the agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

Service NSW carries out privacy impact assessments as part of its routine processes for implementing major new projects, ensuring that privacy management is considered as part of project design. Service NSW does not regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems, which has resulted in some processes continuing despite posing significant risks to the privacy of personal information, such as the scanning, emailing, and storing of identification documents.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

the content and provision of privacy collection notices
the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
steps that will be taken by each agency to ensure that personal information is kept secure
the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
to better reflect the full scope and complexity of personal information handled by Service NSW
to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
enable partitioning and role based access restrictions to personal information collected for different programs
provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

the content and provision of privacy collection notices
the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
steps that will be taken by each agency to ensure that personal information is kept secure
the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

are identified as high risk and have not previously had a privacy impact assessment
have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

10 December 2020

Published

Transport 2020

Transport

Asset valuation

Cyber security

Financial reporting

Information technology

Infrastructure

Project management

1. Financial Reporting
Audit opinion	Unmodified audit opinions issued for the financial statements of all Transport cluster entities.
Quality and timeliness of financial reporting	All cluster agencies met the statutory deadlines for completing the early close and submitting the financial statements. Transport cluster agencies continued to experience some challenges with accounting for land and infrastructure assets. The former Roads and Maritime Services and Sydney Metro recorded prior period corrections to property, plant and equipment balances.
Impact of COVID-19 on passenger revenue and patronage	Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19. The Transport cluster received additional funding from NSW Treasury during the year to support the reduced revenue and additional costs incurred such as cleaning on all modes of public transport and additional staff to manage physical distancing.
Completion of the CBD and South East Light Rail	The CBD and South East Light Rail project was completed and commenced operations in this financial year. At 30 June 2020, the total cost of the project related to the CBD and South East Light Rail was $3.3 billion. Of this total cost, $2.6 billion was recorded as assets, whilst $700 million was expensed.
2. Audit Observations
Internal control	While internal controls issues raised in management letters in the Transport cluster have decreased compared to the prior year, control weaknesses continue to exist in access security for financial systems. We identified 56 management letter findings across the cluster and 43 per cent of all issues were repeat issues. The majority of the repeat issues relate to information technology controls around user access management. There were three high risk issues identified - two related to financial reporting of assets and one for implementation of TAHE (see below).
Agency responses to emergency events	Transport for NSW established the COVID-19 Taskforce in March 2020 to take responsibility for the overall response of planning and coordination for the Transport cluster. It also implemented the COVIDSafe Transport Plan which incorporates guidance on physical distancing, increasing services to support social distancing and cleaning.
RailCorp transition to TAHE	On 1 July 2020, RailCorp was renamed Transport Asset Holding Entity of New South Wales (TAHE) and converted to a for-profit statutory State-Owned Corporation. TAHE is a commercial for-profit Public Trading Entity with the intent to provide a commercial return to its shareholders. A plan was established by NSW Treasury to transition RailCorp to TAHE which covered the period 1 July 2015 to 1 July 2019. A large portion of the planned arrangements were not implemented by 1 July 2020. As at the time of this report, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements are not finalised. The State Owned Corporations Act 1989 generally requires finalisation of an SCI three months after the commencement of each financial year. However, under the Transport Administration Act 1988, TAHE received an extension from the voting shareholders, the Treasurer and Minister for Finance and Small Business, to submit its first SCI by 31 December 2020. In accordance with the original plan, interim commercial access arrangements were supposed to be in place with RailCorp prior to commencement of TAHE. Under the transitional arrangements, TAHE is continuing to operate in accordance with the asset and safety management plans of RailCorp. The final operating model is expected to include considerations of safety, operational, financial and fiscal risks. This should include a consideration of the potential conflicting objectives of a commercial return, and maintenance and safety measures. This matter has been included as a high risk finding in our management letter due to the significance of the financial reporting impacts and business risks for TAHE. Recommendation: TAHE management should: establish an operating model in line with the original intent of a commercial return finalise commercial agreements with the public rail operators confirm forecast financial information to assess valuation of TAHE infrastructure finalise asset and safety management plans. Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base.
Completeness and accuracy of contracts registers	Across the Transport cluster, contracts and agreements are maintained by the transport agencies using disparate registers. Recommendation (repeat): Transport agencies should continue to implement a process to centrally capture all contracts and agreements entered. This will ensure: agencies are fully aware of contractual and other obligations appropriate assessment of financial reporting implications ongoing assessments of accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities' and new accounting standard AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations
the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Section highlights

Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19.
Unqualified audit opinions were issued on all Transport agencies' financial statements.
Transport cluster agencies continued to experience challenges with accounting of land and infrastructure assets.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

observations and insights from our financial statement audits of agencies in the Transport cluster
assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Section highlights

While there was a decrease in findings on internal controls across the Transport cluster, 43 per cent of all issues were repeat issues. Many repeat issues related to information technology controls around user access management.
RailCorp transitioned to TAHE on 1 July 2020. TAHE's operating model and commercial arrangements with public rail operators has not been finalised despite government original plans to be operating from 1 July 2019. TAHE management should finalise its operating model and commercial agreements with public rail operators as they may significantly impact the financial reporting arrangements for TAHE for 2020–21.
Completeness and accuracy of contracts registers remains an ongoing issue for the Transport cluster.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

11 June 2020

Published

CBD South East Sydney Light Rail: follow-up performance audit

Transport

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Risk

Service delivery

This is a follow-up to the Auditor-General's November 2016 report on the CBD South East Sydney Light Rail project. This follow-up report assessed whether Transport for NSW has updated and consolidated information about project costs and benefits.

The audit found that Transport for NSW has not consistently and accurately updated project costs, limiting the transparency of reporting to the public.

The Auditor-General reports that the total cost of the project will exceed $3.1 billion, which is above the revised cost of $2.9 billion published in November 2019. $153.84 million of additional costs are due to omitted costs for early enabling works, the small business assistance package and financing costs attributable to project delays.

The report makes four recommendations to Transport for NSW to publicly report on the final project cost, the updated expected project benefits, the benefits achieved in the first year of operations and the average weekly journey times.

Read full report (PDF)

The CBD and South East Light Rail is a 12 km light rail network for Sydney. It extends from Circular Quay along George Street to Central Station, through Surry Hills to Moore Park, then to Kensington and Kingsford via Anzac Parade and Randwick via Alison Road and High Street.

Transport for NSW (TfNSW) is responsible for planning, procuring and delivering the Central Business District and South East Light Rail (CSELR) project. In December 2014, TfNSW entered into a public private partnership with ALTRAC Light Rail as the operating company (OpCo) responsible for delivering, operating and maintaining the CSELR. OpCo engaged Alstom and Acciona, who together form its Design and Construct Contractor (D&C).

On 14 December 2019, passenger services started on the line between Circular Quay and Randwick. Passenger services on the line between Circular Quay and Kingsford commenced on 3 April 2020.

In November 2016, the Auditor-General published a performance audit report on the CSELR project. The audit found that TfNSW would deliver the CSELR at a higher cost with lower benefits than in the approved business case, and recommended that TfNSW update and consolidate information about project costs and benefits and ensure the information is readily accessible to the public.

In November 2018, the Public Accounts Committee (PAC) examined TfNSW's actions taken in response to our 2016 performance audit report on the CSELR project. The PAC recommended that the Auditor-General consider undertaking a follow-up audit on the CSELR project. The purpose of this follow-up performance audit is to assess whether TfNSW has effectively updated and consolidated information about project costs and benefits for the CSELR project.

Conclusion

Transport for NSW has not consistently and accurately updated CSLER project costs, limiting the transparency of reporting to the public. In line with the NSW Government Benefits Realisation Management Framework, TfNSW intends to measure benefits after the project is completed and has not updated the expected project benefits since April 2015.

Between February 2015 and December 2019, Transport for NSW (TfNSW) regularly updated capital expenditure costs for the CSELR in internal monthly financial performance and risk reports. These reports did not include all the costs incurred by TfNSW to manage and commission the CSELR project.

Omitted costs of $153.84 million for early enabling works, the small business assistance package and financing costs attributable to project delays will bring the current estimated total cost of the CSELR project to $3.147 billion.

From February 2015, TfNSW did not regularly provide the financial performance and risk reports to key CSELR project governance bodies. TfNSW publishes information on project costs and benefits on the Sydney Light Rail website. However, the information on project costs has not always been accurate or current.

TfNSW is working with OpCo partners to deliver the expected journey time benefits. A key benefit defined in the business plan was that bus services would be reduced owing to transfer of demand to the light rail - entailing a saving. However, TfNSW reports that the full expected benefit of changes to bus services will not be realised due to bus patronage increasing above forecasted levels.

Appendix one – Response from agency

Appendix two – Governance and reporting arrangements for the CSELR

Appendix three – 2018 CSELR governance changes

Appendix four – About the audit

Appendix five – Performance auditing

Copyright notice

Parliamentary reference - Report number #335 - released 11 June 2020

7 April 2020

Published

Integrity of data in the Births, Deaths and Marriages Register

Justice

Premier and Cabinet

Whole of Government

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Conclusion

BD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register.

BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required.

BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected.

BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #330 - released 7 April 2020.

28 November 2019

Published

Transport 2019

Transport

Asset valuation

Financial reporting

Infrastructure

Internal controls and governance

Management and administration

Service delivery

Workforce and capability

This report details the results of the financial audits of NSW Government's Transport cluster for the financial year ended 30 June 2019. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Transport cluster.

Unqualified audit opinions were issued for all agencies' financial statements. However, valuations of assets continue to create challenges across the cluster. The Audit Office identified some deficiencies in relation to asset valuations at Transport for NSW, Roads and Maritime Services, Rail Corporation New South Wales and Sydney Metro.

The Audit Office noted an increase in findings on internal controls across the Transport cluster. Key themes related to information technology, asset management and employee leave entitlements. The report also highlights the status of significant infrastructure projects across the Transport cluster.

The report makes several recommendations including:

agency finance teams need to be consulted on major business decisions and commercial transactions at the time of their execution to assess the financial reporting impacts
the Department of Transport should ensure consistent accounting policies are applied across its controlled entities.

Download the Transport 2019 report (PDF)

This report analyses the results of our audits of financial statements of the Transport cluster for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

Transport for NSW, as the
lead agency, will absorb the
functions of Roads and
Maritime Services

The NSW Government announced its intention to integrate Roads and Maritime Services (RMS) into Transport for NSW (TfNSW) as part of the Machinery of Government changes.

This change was not included in the Administrative Orders as the Transport Administration Act 1988 No. 109 governs the composition of the Transport cluster. The Transport Administration Amendment (RMS Dissolution) Act 2019 (the Act) received assent on 22 November 2019. The Act dissolves RMS and transfers the assets, rights and liabilities of RMS to TfNSW. As at the date of this Report, the Act is not yet in force.

Transport is considering the impact of the changes on its operating model and financial reporting.

2. Financial reporting

Audit opinions	Unqualified audit opinions were issued on the 2018–19 financial statements of all agencies in the Transport cluster. TfNSW and Sydney Metro obtained a three-week extension from NSW Treasury to submit their financial statements for audit to resolve accounting issues surrounding the valuation of property, plant and equipment. The Department of Transport reported total consolidated property, plant and equipment of $158 billion at 30 June 2019. In 2018–19, there were issues with asset valuations at TfNSW, RMS, Sydney Metro and Rail Corporation New South Wales (RailCorp), resulting in adjustments after the submission of financial statements for audit and the correction of a prior period error. There was also a prior period error resulting from an agreement between TfNSW and the former UrbanGrowth Development Corporation due to a lack of assessment of the financial reporting implications at the time of signing the agreement. Recommendation: Agency finance teams need to be consulted on major business decisions and commercial transactions to assess their accounting impacts at the time of their execution, rather than at the end of a financial year. Agencies also need to resolve all key accounting issues such as valuations as part of the early close procedures. This would improve the quality of financial reporting and avoid the need for extensions for agencies to submit their financial statements for audit.
Preparedness for new accounting standards	Agencies across the cluster are progressing in their implementation of the new accounting standards. Transport cluster agencies need to improve their contracts registers to ensure they have a complete list of contracts and agreements to assess the impact of the new accounting standards.
Valuation of assets remains a challenge in the Transport cluster	Whilst agencies complied with the requirements of the accounting standards and NSW Treasury policies on valuations, the Audit Office identified some deficiencies in relation to asset valuations across the cluster. TfNSW reported a retrospective correction of a prior period error at 1 July 2017 which resulted in a reduction in the valuation of its Country Rail Network earthworks by $2.1 billion. This was due to survey results which identified the earthworks were flatter and lower than estimated in the valuation at 30 June 2017. RMS made several adjustments during the year to correct asset values due to changes to valuation assumptions or data improvements. This included: reduction of $318 million in the value of land under roads decrease of $84.9 million to the value of land and buildings changes to the value of traffic control and traffic signal network assets, due to data improvements. Sydney Metro North West officially opened in May 2019 and reported total assets of $9.1 billion. Sydney Metro derecognised $322 million in assets constructed to facilitate its operation but transferred to councils and utilities.
Inconsistent accounting policies across the Transport cluster	There was an inconsistency identified in the cluster relating to the valuation of substratum land. In 2018–19, RailCorp derecognised $109 million of substratum land to ensure consistency in its approach with other Transport agencies. As the parent entity, the Department of Transport needs to ensure accounting policies are consistently applied across all controlled entities for consolidation purposes. Inconsistencies in the application of accounting standards across agencies will impact comparability of financial reporting and decision making across the Transport cluster. Recommendation: The Department of Transport should ensure consistent accounting policies are applied across its controlled entities.
Revenue growth	Public transport passenger revenue increased by $89.0 million (5.9 per cent) in 2018–19, and patronage increased by 37.8 million (4.9 per cent) across all modes of transport based on data provided by TfNSW. The increase in revenue is mainly due to an increase in patronage as well as the annual increase in fares.
Negative Opal cards	Negative balance Opal cards resulted in $2.9 million in revenue not collected in 2018–19 ($10.4 million since the introduction of Opal). In January 2019, Transport made a change to the Sydney Airport stations to prevent customers with high negative balances exiting the station. In addition, in late 2018, Transport increased the minimum top up values for new cards at the airport stations. Recommendation (repeat): TfNSW should implement further measures to prevent the loss of revenue from passengers tapping off with negative balance Opal cards.

3. Audit observations

Internal controls	There was an increase in findings on internal controls across the Transport cluster. Key themes relate to information technology, employee leave entitlements and asset management. Twenty-nine per cent of all issues were repeat issues. The majority of the repeat issues related to information technology controls.
Write-off of assets	In addition to a $322 million derecognition of assets transferred to councils and utilities by Sydney Metro and a $109 million derecognition of substratum land at RailCorp, the Transport cluster wrote-off $278 million of assets related to roads, bridges, maritime assets, traffic signals and controls network. These mainly related to roads, bridges, maritime assets, traffic signals and the control network where new infrastructure assets substantially replaced an existing asset as part of construction activities.
Transport Asset Holding Entity (TAHE)	TAHE was established to be a dedicated asset manager for the delivery of public transport asset management. The Transport Administration Amendment (Transport Entities) Act 2017 will transition RailCorp into TAHE. RailCorp is now expected to transition to TAHE from 1 July 2020 (previously 1 July 2019). Several working groups have been considering various aspects of the TAHE transition including its status as a for profit Public Trading Enterprise, the operating model and the impact of the new accounting standards AASB 16 'Leases' and AASB 1059 'Service Concession Arrangements: Grantors'. The considerations of these aspects identified several challenges in the implementation of TAHE which has led to the revised transition date. Given the delays in implementation, it is important to clarify the intent of the TAHE model.
Excess annual leave	Twenty-six per cent of Transport employees have annual leave balances exceeding 30 days. Of the employees with excess leave balances, 732 (10.3 per cent) did not take any annual leave in 2018–19. Recommendation (repeat): Transport entities should further review the approach to managing excess annual leave in 2019–20. They should: monitor current and projected leave balances to the end of the financial year each month agree formal leave plans with employees to reduce leave balances over an acceptable timeframe ensure leave plans are actioned appropriately encourage all staff with excess leave balances take a minimum two-week period of leave per year.
Completeness and accuracy of contracts registers	There are no centralised processes to record all significant contracts and agreements in a register across the Transport cluster. Across the Transport cluster, contracts and agreements are maintained by the individual agencies using disparate registers. Agencies must perform detailed assessments of their existing contracts and agreements to quantify the impact of the new accounting standards (AASB 16 ‘Leases’, AASB 15 ‘Revenue from Contracts with Customers’, AASB 1058 ‘Income of Not-for-Profit Entities’ and AASB 1059 'Service Concession Arrangements: Grantors'). In 2018–19, there was also a prior period error resulting from an agreement between TfNSW and another government agency due to a lack of assessment of the financial reporting implications at the time of signing the agreement. A lack of a complete register of all contracts and agreements increases the risk that agencies may not be able to assess the full impact of the new accounting standards, as well as perform a complete assessment of the financial reporting implications of contracts and agreements. Recommendation: Transport agencies should implement a process to centrally capture all significant contracts and agreements entered. This will ensure: agencies are fully aware of contractual and other obligations appropriate assessment of financial reporting implications assessment of new accounting standards, in particular AASB 16 ‘Leases’, AASB 15 'Revenue from Contract with Customers', AASB 1058 'Income of Not-for-Profit Entities ' and AASB 1059 'Service Concession Arrangements: Grantors' are accurate and complete.

financial reporting
audit observations.

This cluster was impacted by the Machinery of Government changes on 1 July 2019. The NSW Government announced its intention to integrate Roads and Maritime Services (RMS) into Transport for NSW (TfNSW). This report is focused on the Transport cluster prior to these changes. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government refers to how the government organises the structures and functions of the public service. Machinery of Government changes are where the government reorganises these structures and functions, and are given effect by Administrative orders.

The Transport cluster was impacted by recent Machinery of Government changes. These changes were announced by the Department of Premier and Cabinet but were not included in the Administrative Orders as the Transport Administration Act 1988 No. 109 governs the composition of the Transport cluster. It was the intention of government to transfer the functions of the RMS into TfNSW. This requires legislative changes to the Transport Administration Act 1988 No. 109.

Section highlights

Under the Machinery of Government changes, the NSW Government will transfer the functions of RMS into TfNSW.

The Transport Administration Amendment (RMS Dissolution) Act 2019 (the Act) received assent on 22 November 2019.
The Act will dissolve RMS and transfer its functions, assets, rights and liabilities to TfNSW.
As at the date of this report, the Act is not yet in force.
There are risks and challenges for asset and liability transfers, governance and retention of knowledge.
As of 1 July 2019, administrative arrangements (delegations and reporting line changes) were put in place to enable TfNSW and RMS to operate within a single management structure, while still remaining as separate legal entities.
Transport is working on a number of options as to how to implement the changes.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2019.

Section highlights

Unqualified audit opinions were issued on all agencies' financial statements.
RMS required an extension from NSW Treasury for their early close procedures.
TfNSW and Sydney Metro required extensions to submit their year-end financial statements.
Valuation of assets remains a challenge across the cluster.
There remains Opal cards with negative balances.
Sydney Metro derecognised assets of $322 million in relation to assets constructed for third parties.
Inconsistencies in the application of accounting policies across cluster agencies impact comparability of financial reporting across the Transport cluster.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Transport cluster.

Section highlights

There was an increase in findings on internal controls across the Transport cluster. Twenty-nine per cent of all issues were repeat issues.
Transport entities wrote-off over $278 million of assets which were replaced by new assets or technology.
Twenty-six per cent of Transport employees have excess annual leave.
There are no processes to ensure all significant contracts and agreements are captured by agencies in a centralised register.

Appendix one – Timeliness of financial reporting by agency

Appendix two – Management letter findings by agency

Appendix three – List of 2019 recommendations

Appendix four – Status of 2017 and 2018 recommendations

Appendix five – Cluster agencies

5 November 2019

Published

Internal Controls and Governance 2019

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Compliance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

financial controls
information technology controls
gifts and benefits
internal audit
contingent labour
sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers
policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
an absence of privileged user activity reviews at 35 per cent of agencies
password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
providing on-going training, awareness activities and support to employees, not just at induction
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use and tenure to agency executive teams
strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

internal control trends
information technology controls, including access to agency systems
protecting sensitive information held within agencies
managing large and diverse workforces (controls around employing and managing contingent workers)
maintaining an ethical culture (management of gifts and benefits)
effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
providing on-going training, awareness activities and support to employees, not just at induction
regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:

documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
involving the CAE more extensively in executive forums as an observer
documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:

preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Key areas where agencies can improve their management of sensitive data include:

identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
developing comprehensive data breach management policies to ensure data breaches are appropriately managed
maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

19 February 2019

Published

Transport Access Program

Transport

Infrastructure

Project management

Service delivery

The following report is available in an Easy English version that is intended to meet the needs of some people with lower literacy skills, some people with an intellectual disability and some people from different cultural backgrounds.

View the Easy English version of the Transport Access Program report

Transport for NSW’s process for selecting and prioritising projects for the third stage of its Transport Access Program balanced compliance with national disability standards with broader customer outcomes. Demographics, deliverability and value for money were also considered. However, Transport for NSW does not know the complete scope of work required for full compliance, limiting its ability to demonstrate that its approach is effective, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.

Access to transport is critical to ensuring that people can engage in all aspects of community life, including education, employment and recreation. People with disability can encounter barriers when accessing public transport services. In 2015, there were 1.37 million people living with disability in New South Wales.

Accessible public transport is about more than physical accessibility. It also means barrier-free access for people who have vision, hearing or cognitive impairments. All users, not just people with disability, benefit from improvements to the accessibility and inclusiveness of transport services.

Transport for NSW has an obligation under Australian Government legislation to provide accessible services to people with disabilities in a manner which is not discriminatory. Under the Disability Standards for Accessible Public Transport 2002 (the DSAPT - an instrument of the Disability Discrimination Act 1992 (the Act) (Commonwealth)), there is a requirement to modify and develop new infrastructure, means of transport and services to provide access for people with disabilities. All public transport operators are required to ensure that at least 90 per cent of their networks met DSAPT by December 2017 and the networks will need to be 100 per cent compliant with all parts of the standards by 31 December 2022. Trains are not required to be fully compliant with DSAPT until December 2032.

The Transport Access Program (TAP) is Transport for NSW's largest program with a specific focus on improving access to public transport for people with disability. The TAP is a series of projects to upgrade existing public transport infrastructure across four networks: Sydney Trains, Intercity Trains, Regional Trains and Sydney Ferries. Transport for NSW established the TAP as a rolling program and, to date, it has delivered the first tranche of TAP (TAP 1) and is completing the final projects for the second tranche (TAP 2). NSW budget papers estimate that by 30 June 2018, Transport for NSW had spent $1.2 billion in the TAP since its commencement in 2011-12.

After the completion of TAP 1 and TAP 2 (as well as through other transport infrastructure programs), Transport for NSW estimates that 58.5 per cent of the Sydney Trains, Regional Trains and Intercity Trains networks, and 66 per cent of the Sydney Ferries network, will be accessible. To close the significant gap in compliance with the DSAPT target, the objective for TAP 3 is ‘to contribute to Disability Discrimination Act 1992 related targets through DSAPT compliance upgrades’.

The audit assessed whether Transport for NSW has an effective process to select and prioritise projects as part of the TAP, with a specific focus on the third tranche of TAP funding.

In August 2018, at the commencement of this audit, Transport for NSW intended to complete the selection of projects for the TAP 3 final business case in December 2018. Transport for NSW advise that it now intends to complete the development stage and final business case in the first quarter of 2019, prior to the final investment decision of the TAP program. This report is based on the TAP 3 strategic business case and information provided by Transport for NSW up to December 2018.

Conclusion
Transport for NSW’s process for selecting and prioritising projects for TAP 3 balanced DSAPT compliance goals with broader customer outcomes. It also considered demographics, deliverability and value for money. However, Transport for NSW does not know the complete scope of work required for full DSAPT compliance, and this limits its ability to demonstrate that its approach is effective.

Transport for NSW has applied most of the external review recommendations from previous funding rounds to the implementation of the third round of TAP funding (TAP3), with positive results. Changes made include a clear objective for TAP 3 to focus on improving compliance, improved governance arrangements, and better consideration of deliverability and design during project planning.

Through TAP 3, Transport for NSW is also trying to better address disability access in a way that balances DSAPT compliance with other considerations - such as population demographics, access to services and value for money. Transport for NSW developed an objective prioritisation and selection methodology to assess projects for TAP 3 funding.

Transport for NSW cannot quantify the work needed to meet DSAPT compliance targets across the rail and ferry networks as it has not completed a comprehensive audit of compliance. This information is needed to ensure the effective targeting of funding, and to measure the contribution of TAP 3 work to meeting the DSAPT compliance targets. Instead, Transport for NSW has undertaken a phased approach to completing a comprehensive audit of compliance across the networks, with a focus on first assessing compliance at locations that are not wheelchair accessible. This creates two problems. First, Transport for NSW does not know the complete scope of work required to achieve DSAPT compliance. Second, not all wheelchair accessible locations fully meet DSAPT standards.

Transport for NSW's proposed communication plan for the schedule of TAP 3 funded works does not align with its Disability Inclusion Action Plan 2018-2022. The Disability Inclusion Action Plan commits Transport for NSW to providing a full list of stations and wharves to be upgraded with their estimated time of construction when the next round of funding, TAP 3, is announced. Given the long timeframes associated with improving transport infrastructure, this information is important as it allows people to make informed decisions about where they live, work or study. Instead, Transport for NSW plans to communicate information to customers on a project by project basis.

In 2015, there were 1.37 million people living with disability in New South Wales. Access to transport is critical to ensuring that people can engage in all aspects of community life, including education, employment and recreation. People with disability can encounter barriers when accessing public transport services.

The social model of disability, outlined in the United Nations Convention on the Rights of Persons with Disabilities, views people with disability as not disabled by their impairment but by the barriers in the community and environment that restrict their full and effective participation in society on an equal basis with others.

Accessible public transport is more than the provision of physical access to premises and conveyances, it provides barrier-free access for people who have vision, hearing or cognitive impairments. All users, not just people with disability, benefit from improvements to the accessibility and inclusiveness of transport services.

According to the Australian Bureau of Statistics, the main types of difficulties experienced by people with disability when using public transport relate to steps (39.9 per cent), difficulty getting to stops and stations (25 per cent), fear and anxiety (23.3 per cent) and lack of seating or difficulty standing (20.7 per cent).

Transport for NSW has a Disability Inclusion Action Plan (the Action Plan) 2018-2022 that sets an overall framework for planning, delivering and reporting on initiatives to increase accessibility of the transport network. It covers all elements of the journey experienced when using public transport, including journey planning, staff training, customer services and interaction between the physical environment and modes of transport. Appendix five outlines the guiding principles of the Action Plan.

Transport for NSW's Transport Social Policy branch developed the Action Plan in consultation with internal and external stakeholders. The director of the Transport Social Policy branch is a member of the TAP executive steering committee, which supports alignment between the Action Plan and TAP.

Transport for NSW's Disability Inclusion Action Plan describes a customer focussed approach to accessibility

One of the guiding principles of the Action Plan is ‘intelligent compliance’. Transport for NSW describes this as compliance that prioritises customer-focused outcomes over a narrow focus on legal compliance with accessibility standards. As well as being compliant, infrastructure should be practical, usable, fit for purpose and convenient.

The TAP prioritisation and selection methodology reflects Transport for NSW’s focus on intelligent compliance. We consider this a reasonable approach as had Transport for NSW focussed exclusively on achieving compliance with the DSAPT targets by upgrading the most affordable infrastructure, some locations, that are used by more customers, would remain inaccessible to people with disability. However, this approach should not be seen as an alternative to Transport for NSW meeting its DSAPT compliance obligations.

TAP program staff consult with the Accessible Transport Advisory Committee

The Accessible Transport Advisory Committee (ATAC) has representatives from disability and ageing organisations, who provide expert guidance to Transport for NSW on access and inclusion. The ATAC provide guidance and feedback on projects and project solutions, including user testing where appropriate. TAP program staff provide regular updates at ATAC meetings, which include briefings on progress. The ATAC also provides feedback and suggestions to TAP program staff, which is considered and sometimes included in current and future projects.For example, in March 2017 the TAP program team briefed the ATAC on the challenges with respect to a number of ferry wharves and sought support for DSAPT exemptions proposed in the TAP 3 strategic business case.

Case study: Feedback on Braille lettering for lift buttons
In June 2018, the Program team sought feedback on a variety of lift button options to improve accessibility on future TAP projects. In September 2018, during the ATAC meeting attended by the Audit Office, the program team sought feedback on the standard designs for TAP 3. Some ATAC members noted that the standard design included Braille lettering on the lift buttons, and that this was not good practice because people can accidently press the button while reading it. As a result, Transport for NSW are incorporating this feedback into design requirements for the lifts for TAP 3, which will consider larger buttons, clearer Braille and Braille signage adjacent to the button.

Transport for NSW has not briefed the Advisory Committee on the outcome of the prioritisation and selection process

TAP program staff briefed the Advisory Committee about the prioritisation and selection methodology, after the Minister approved it in 2016. However, Transport for NSW have not briefed or consulted the Advisory Committee on the outcome of the prioritisation process. Infrastructure NSW noted this issue during its review of the strategic business case.

Transport for NSW advised us that it established the ATAC as an advisory group, and that Transport for NSW does not disclose sensitive information to it. Transport for NSW intends to share the outcome of the prioritisation process following the completion of the TAP 3 development stage and final investment decision.

The TAP communication plan does not fully meet the requirements of the Disability Inclusion Action Plan

The Disability Inclusion Action Plan includes an action item to ‘provide a listing of stations and wharves to be upgraded with estimated time of construction as each new tranche of the Transport Access Program is announced’ The TAP Communication Plan that we reviewed does not include this provision instead focussing on communication on a per project basis. Given the long timeframes associated with improving transport infrastructure, this information is important as it allows people to make informed decisions about where they live, work or study.

Appendix one - Response from agency

Appendix two - Compliance requirements of Disability Standards for Accessible Public Transport

Appendix three - TAP 1 and TAP 2 sub-programs

Appendix four - Prioritisation Assessment for the TAP 3 Strategic Business Case

Appendix five - The guiding principles of Transport for NSW's Disability Inclusion Action Plan

Appendix six - Transport projects and programs that contribute to DSAPT compliance

Appendix seven - About the audit

Appendix eight - Performance auditing

Parliamentary Reference - Report number #314 - released 19 February 2019.

10 November 2010

Published

Volume Five 2010 focus on Public Financing Enterprises

Industry

Transport

Finance

Treasury

Planning

Financial reporting

Information technology

Internal controls and governance

Management and administration

Regulation

Risk

Workforce and capability

The report includes comments on NSW Treasury and agencies in the finance and superannuation sectors. The New South Wales public sector superannuation funds’ investments were $42.2 billion at 30 June 2010, up from $38.5 billion in 2009. Investment returns reached 14.5 per cent in 2009-10. This is a significant improvement on the investment returns of up to negative 18.4 per cent at the peak of the global financial crisis in 2008.

16 August 2006

Published

Condition of State Roads

Transport

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Service delivery

The Roads and Traffic Authority (RTA) has improved the overall surface condition of State Roads in the last decade. Country road surfaces are now generally much better. Ride quality has improved and cracking has been reduced. The RTA has also achieved a substantial reduction in the number of structurally deficient bridges over the same period.

Despite a significant increase in the State’s contribution to maintenance since 1999-2000, the RTA has deferred road rebuilding projects. The RTA is rebuilding at less than half its long term target, and has not met this target at any time this decade. The RTA has not identified how it will address deferred rebuilding, although it advises it is developing a new road network management plan which will address this.

Parliamentary reference - Report number #157 - released 16 August 2006

Audit progress

Sector

Year

Report type

Topic

Reports

Conclusion

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce Customer Relationship Management (CRM) system, which holds the personal information of over four million NSW residents.

Lines of responsibility for meeting privacy obligations are not clearly drawn between Service NSW and its client agencies.

Service NSW carries out privacy impact assessments for major new projects but does not routinely review existing processes and systems.

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

2. Recommendations

As a matter of urgency, Service NSW should:

By March 2021, Service NSW should:

By June 2021, Service NSW should:

By December 2021, Service NSW should:

1. Financial Reporting

2. Audit Observations

Section highlights

Section highlights

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Conclusion

Conclusion

1. Machinery of Government changes

2. Financial reporting

3. Audit observations

This report offers insights into internal controls and governance in the NSW public sector

Areas of specific focus of the report have changed since last year

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Transport for NSW's Disability Inclusion Action Plan describes a customer focussed approach to accessibility

TAP program staff consult with the Accessible Transport Advisory Committee

Transport for NSW has not briefed the Advisory Committee on the outcome of the prioritisation and selection process

The TAP communication plan does not fully meet the requirements of the Disability Inclusion Action Plan