Reports
Planning, Industry and Environment 2021
This report analyses the results of our audits of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2021.
Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.
As there are no outstanding matters relating to audits in the Planning, Industry and Environment cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.
What the report is about
The results of the Planning, Industry and Environment cluster agencies' financial statements audits for the year ended 30 June 2021.
What we found
Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
An 'Other Matter' paragraph was included in the Independent Planning Commission's (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983 (PF&A Act). The financial reporting provisions of the Government Sector Finance Act 2018 now require the IPC to prepare financial statements.
The number of identified misstatements increased from 51 in 2019–20 to 54 in 2020–21.
The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements are incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. Management has commenced actions to improve the governance and financial management of the Corporation. These audits are currently in progress and the 2020–21 audit will commence shortly.
There are 609 State controlled Crown land managers (CLMs) across New South Wales that predominantly manage small parcels of Crown land.
Eight CLMs prepared and submitted 2019–20 financial statements by the revised deadline of 30 June 2021. A further 24 CLMs did not prepare financial statements in accordance with the PF&A Act. The remaining CLMs were not required to prepare 2019–20 financial statements as they met NSW Treasury's financial reporting exemption criteria.
The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 CLMs are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21.
There are also 120 common trusts that have never submitted financial statements for audit. Common trusts are responsible for the care, control and management of land that has been set aside for specific use in a certain locality, such as grazing, camping or bushwalking.
What the key issues were
The number of matters we reported to management increased from 135 in 2019–20 to 180 in 2020–21, of which 40 per cent were repeat findings.
Seven high-risk issues were identified in 2020–21:
- system control deficiencies at the department relating to user access to HR and payroll management systems, vendor master data management and journal processing, which require manual reviews to mitigate risks
- deficiencies related to the Centennial Park and Moore Park Trust's tree assets valuation methodology
- the Lord Howe Island Board did not regularly review and monitor privileged user access rights to key information systems
- the Natural Resources Access Regulator identified and adjusted three prior period errors retrospectively, which indicate deficiencies within the financial reporting processes
- deficiencies relating to the Parramatta Park Trust's tree assets valuation methodology
- lease arrangements have not been confirmed between the Planning Ministerial Corporation and Office of Sport regarding the Sydney International Regatta Centre
- the Wentworth Park Sporting Complex land manager (the land manager) has a $6.5 million loan with Greyhound Racing NSW (GRNSW). GRNSW requested the land manager to repay the loan. However, the land manager subsequently requested GRNSW to convert the loan to a grant. Should this request be denied, the land manager would not be able to continue as a going concern without financial support. This matter remains unresolved for many years.
There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that are managed and controlled by the department and land managers (including councils and land managers controlled by the state). The CLID system was not designed to facilitate financial reporting and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.
The department is implementing a new system to record Crown land (the CrownTracker project). The department advised that the project completion date will be confirmed by June 2022.
What we recommended
The department should ensure CLMs and common trusts meet their statutory reporting obligations.
Cluster agencies should prioritise and action recommendations to address internal control deficiencies, with a focus on addressing high-risk and repeat issues.
The department should prioritise action to ensure the Crown land database is complete and accurate. This will allow the department and CLMs to be better informed about the Crown land they control.
Fast facts
The Planning, Industry and Environment cluster aims to make the lives of people in New South Wales better by developing well-connected communities, preserving the environment, supporting industries and contributing to a strong economy.
There are 54 agencies, 609 State controlled Crown land managers that predominantly manage small parcels of Crown land and 120 common trusts in the cluster.
- 42% of the area of NSW is Crown land
- $33.2b water and electricity infrastructure as at 30 June 2021
- 100% unqualified audit opinions were issued for all completed 30 June 2021 financial statements audits
- 7 high-risk management letter findings were identified
- 54 monetary misstatements were reported in 2020–21
- 40% of reported issues were repeat issues
This report provides parliament and other users of the Planning, Industry and Environment cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster (the cluster) for 2021.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster.
Section highlights
|
Appendix one - Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Grants administration for disaster relief
What the report is about
The report examined whether NSW Treasury, Service NSW and the Department of Customer Service effectively administered grants programs funded under the $750 million Small Business Support Fund, including:
- $10,000 Small Business Support Grant
- $3,000 Small Business Recovery Grant.
What we found
The agencies effectively implemented the grants within required timeframes, reflecting the NSW Government’s decision to deliver urgent financial support to small businesses impacted by the COVID-19 pandemic.
NSW Treasury met urgent timeframes to design the grants and Service NSW made timely payments in line with the grants' objectives and eligibility criteria.
Service NSW and the Department of Customer Service strengthened processes to detect and minimise fraud in response to identified external fraud risks, and to investigate suspected fraudulent applications.
Fraud security checks and investigations are ongoing, and the agencies will not know the full extent of fraud across the grants until these processes have been completed.
The agencies regularly monitored and reported on the timeliness of payments to small business applicants but have not yet measured all benefits of the grants programs.
The $10,000 Support Grant and the $3,000 Recovery Grant have provided around $630 million in one off grant payments to eligible small businesses.
What we recommended
NSW Treasury should finalise and implement an evaluation of both grants programs, including obtaining feedback from businesses.
Service NSW should develop a framework that documents expected controls for how it administers grants, including business processes, fraud control and governance and probity requirements.
Service NSW should publish information on all grants programs, including grants distribution and uptake.
The Department of Customer Service should ensure its processes for managing conflicts of interest meets its policy requirements.
Upcoming performance audit
The Audit Office is conducting a further performance audit into grants administration for disaster relief focussing on bushfire grants. This is planned to complete in 2021-22.
Fast factsSmall Business Support Fund
Grant program administration
|
Further information
Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.
The NSW Government responded to the partial shutdown of the NSW economy caused by the COVID-19 pandemic in 2020 by, among other measures, announcing on 3 April 2020 that it would place $750 million into the Small Business Support Fund (the Fund).
Under the Fund, the NSW Government would pay one-off grants of up to $10,000 to small business impacted by the shutdown. The objectives of the $10,000 Small Business Support Grant ($10,000 Support Grant) were to:
- ease the pressure on small businesses that have been affected by the COVID-19 pandemic
- support the ongoing operations of small businesses highly impacted by the COVID-19 restrictions
- deliver cash-flow into small businesses as soon as possible so that small businesses could meet pressing financial needs.
Grant applications were assessed against eligibility criteria that were determined by the NSW Government. The eligibility criteria for the $10,000 Support Grant required an employing small business to demonstrate it was significantly impacted by the COVID-19 pandemic by self-declaring or demonstrating a significant decline of 75 per cent or more in turnover compared to 2019. Documentation requirements were relaxed for small businesses within highly impacted industries.
In June 2020, the NSW Government announced a second round of one-off grants of up to $3,000 to small businesses that were highly impacted by the COVID-19 pandemic ($3,000 Recovery Grant). The objective of the $3,000 Recovery Grant was to help small businesses in 'highly impacted industries' — those directly impacted by the restrictions and closures put in place under the Public Health Orders — to meet the costs of safely reopening or scaling up operations.
The eligibility criteria for the $3,000 Recovery Grant required that a small business be in a highly impacted industry, demonstrate that it was significantly impacted by the COVID-19 pandemic by declaring a significant decline in turnover, and had costs associated with reopening under the 'COVID-Safe' requirements.
NSW Treasury and Service NSW implemented both grants on behalf of the NSW Government. The process of applying for a grant was intended to be quick and easy, with Service NSW using automated assessments and simple online application forms to process applications. Applicants applied for the $10,000 Support Grant through the Service NSW website between 14 April 2020 to 30 June 2020 and applied for the $3,000 Small Business Recovery Grant between 1 July 2020 and 31 August 2020.
At May 2021, around $520 million has been paid to over 52,500 grant applicants under the $10,000 Support Grant and around $109 million had been paid to around 36,700 grant applicants under the $3,000 Recovery Grant.
The Audit Office plans to undertake a performance audit into grants administration for disaster relief focussing on bushfire grants in 2021–22.
This audit assessed whether the grants funded under the $750 million Small Business Support Fund were effectively administered and implemented to provide disaster relief. It addressed the following questions:
- Were funded grants programs planned, designed and targeted effectively?
- Were funded grants programs implemented in line with the objectives and criteria and delivery requirements?
- Have agencies established measures to monitor intended benefits and outcomes?
This audit did not seek to assess the effectiveness of any other grant programs or stimulus measures. It also did not seek to assess the impact of the funding on applicants, or the future prospects of small businesses that received support.
ConclusionNSW Treasury and Service NSW effectively implemented two grants within required timeframes reflecting the NSW Government's decision to deliver urgent financial support to small businesses impacted by the COVID-19 pandemic in 2020. The $10,000 Support Grant and the $3,000 Recovery Grant have provided around $630 million in one-off grant payments to eligible small businesses.NSW Treasury met urgent timeframes to design the grants and Service NSW made timely payments in line with the grants' objectives and eligibility criteria.NSW Treasury met urgent timeframes to provide advice to the NSW Government on the grant design, proposed delivery partner, expected numbers of eligible businesses and the suitability of the proposed grant payment amount within the required timeframes. This was achieved within one day for the $10,000 Support Grant and within four days for the $3,000 Support Grant. In the context of the complex and changing pandemic and economic conditions between March and July 2020, NSW Treasury's advice to government outlined the risk, feasibility, expected demand estimates and assumptions for the grants. NSW Treasury's demand projections were limited by uncertainty as to the pandemic's economic impact. Estimated demand for the grants was not met, resulting in around $120 million from the Small Business Support Fund remaining unspent. Service NSW met urgent timeframes to stand-up both grants: 11 days for the $10,000 Support Grant and 26 days for the $3,000 Recovery Grant. It met agreed delivery requirements and made timely payments to small businesses in line with the grants' objectives and eligibility criteria. Over 65,000 businesses have received a payment under either grant, and over 23,000 businesses received both grants. Gaps in project and risk management processes were expected given the tight timeframe to implement the grants.The tight timeframe in which the agencies had to implement the grants contributed to gaps in project and risk management. The agencies advised that compromises were understood by both parties and were a necessary trade-off to ensure payments were made quickly. Service NSW and the Department of Customer Service have acted to strengthen their processes to detect and minimise fraud in response to identified external fraud risks and to investigate suspected fraudulent applications since the grants commenced. Service NSW intends to further enhance fraud controls for grants applications and payments for future grants by implementing a fraud control framework by December 2021. The agencies regularly monitored and reported on the timeliness of payments to small business applicants but have not yet measured all benefits of the grants programs.Service NSW and NSW Treasury established processes to monitor and report on the timeliness of payments to grant applicants. NSW Treasury has not yet measured all intended impacts of the grants, nor undertaken processes to obtain detailed feedback from grant recipients. Without these measures, there is limited insight into the extent to which the grants helped to support small businesses or ability to capture lessons which could be applied in future grants programs. NSW Treasury advises that an evaluation will commence from mid-2021. |
1. Key findings
Around $630 million in timely one-off grant payments have been made to small businesses
Service NSW and NSW Treasury have paid around $630 million in one-off grant payments to small businesses via two grants administered under the $750 million Small Business Support Fund. At May 2021:
- around $520 million has been paid to over 52,500 grant applications received for the $10,000 Small Business Support Grant ($10,000 Support Grant)
- around $109 million has been paid to 36,700 grant applications received for the $3,000 Small Business Recovery Grant ($3,000 Recovery Grant).
Across both grants, over 65,000 small businesses received a payment across either grant, and over 23,000 businesses received payments under both grants.
NSW Treasury advise that, while no data was collected on the time to pay applicants for the $10,000 Support Grant, from its monitoring of the grants' outputs it was satisfied that payment timeframes met its expectations. Service NSW met its targeted time to pay applicants with payments made within ten days for the $3,000 Recovery Grant.
Funds for both grants were not fully spent due to limitations in data and uncertainty of the COVID-19 pandemic's impact. At May 2021, the final demand for the $10,000 Support Grant was around 30 per cent less than initially anticipated and the final demand for the $3,000 Recovery Grant was around 40 per cent less than initially anticipated.
NSW Treasury developed proposals establishing high level design and delivery expectations within rapid timeframes
NSW Treasury put forward proposals to the NSW Government for the two grants administered under the $750 million Small Business Support Fund. It met rapid timeframes for producing this advice: within one day for the $10,000 Support Grant and within four days for the $3,000 Recovery Grant. NSW Treasury's advice to the NSW Government on how to best target the total funding, eligibility criteria and the feasibility of delivering the grants through Service NSW was based on comparable grants programs – including the $10,000 Small Business Bushfire Support Grant – which at that time were ongoing.
The proposals established, at a high-level, the rationale for the grants, expected financial costs, risks and analysis on budget impacts, and confirmation that Service NSW could deliver the grants applications platform. NSW Treasury's demand projections were uncertain due to limited data in the early stages of the pandemic regarding potential economic impact.
Given the tight timeframes, the proposals did not fully consider all planning and design aspects for both grants. For example, there was minimal identification of the costs and benefits of the programs, and a lack of detailed design and delivery requirements. The proposals outlined that arrangements to finalise the risk management, controls, and auditing plan would be agreed by Service NSW and NSW Treasury before implementation.
In future circumstances where urgent advice on program design is required, NSW Treasury could set clearer expectations for the delivery agency, including fully considering costs, benefits and delivery requirements that could be carried through to project governance and implementation.
Service NSW implemented both grants in line with delivery expectations
Service NSW met urgent timeframes to stand-up both grants: 11 days for the $10,000 Support Grant and 26 days for the $3,000 Recovery Grant. Delivery expectations for each grant were established under a grant project agreement (grant agreement). Service NSW delivered the online application platform, assessment of applications, payments and reporting of the grants' uptake as per the grant agreements.
The urgent timeframes to deliver the grants contributed to gaps in Service NSW's project and risk management processes throughout the lifecycle of both grants. For example, the requirement to meet pressing timeframes for the $10,000 Support Grant launch meant agencies had reduced time to achieve sign-off on key documentation. As a result, important documents and processes – including the grant agreement, risk documentation and key business process and quality assurance processes – were not finalised ahead of launch.
Quality assurance and compliance processes for detecting fraud were not settled until after the conclusion of the applications for the $10,000 Support Grant, and were not completed until late 2020. Some project documents, including risk registers, communication plans and project briefs are still not finalised.
The longer timeframe to develop the $3,000 Recovery Grant meant that agencies were able to build on their understanding of the implementation requirements from the $10,000 Support Grant, and better document these expectations and understanding while ensuring that key documents and sign-offs were in place prior to launch.
Service NSW tightened its risk management and controls in response to evidence of fraudulent applications
In May 2020, Service NSW and the Department of Customer Service (DCS) were alerted to suspected fraudulent activity within grants administered by Service NSW. Initially, Service NSW anticipated that up to $8.8 million of the $10,000 Support Grant was at risk of exposure to fraudulent applications. However, Service NSW reported that, at April 2021, $1.9 million for the $10,000 Support Grant and $254,000 for the $3,000 Recovery Grant from paid applications were at risk of fraud exposure.
Following an internal review of the potential exposure to fraudulent or ineligible applications, Service NSW implemented additional automated security checks on applications, increased manual assessments of grant applications, established a dedicated taskforce for grants administration and engaged a unit within DCS to manage high-risk investigations.
Service NSW and DCS's increased governance and oversight has resulted in an established case management function, increased referrals to law enforcement, prioritised investigations of suspicious applications and the development of a 'Fraud Control Framework' aimed at addressing external fraud risks. Given Service NSW had limited experience in these processes in context of administering grant payments, such actions were an appropriate response.
Security checks and investigations of suspicious applications are ongoing. Service NSW will not know the full extent of fraud across the grants until these processes have been fully completed.
Service NSW and Department of Customer Service can improve how conflicts of interest are managed for future programs
Compliance with agency policies and processes to manage conflicts of interest and financial subdelegations demonstrates that investment decisions are being made by appropriately skilled and experienced staff, allowing agencies to operate efficiently, and reducing the risk of internal fraud.
DCS was unable to produce employee conflicts of interest declarations for the $10,000 Support Grant. Therefore, it is not known how many employees had completed conflicts of interest declarations for this round.
DCS provided information on conflicts of interest declarations for the $3,000 Recovery Grant. Twenty-nine per cent of declarations provided for employees undertaking grant assessments for the $3,000 Recovery Grant were incomplete at March 2021, and a further nine per cent were not finalised even though they indicated a real, potential or perceived conflict.
For future grants programs, ensuring compliance with conflicts of interest policies would help DCS and Service NSW to have greater confidence that conflicts of interest are appropriately identified and managed.
NSW Treasury has not yet measured all benefits or outcomes of the grants
In April 2021, NSW Treasury updated its evaluation plan for the $10,000 Support Grant and $3,000 Recovery Grant in support of an economic evaluation to commence from mid-2021. The updated evaluation plan outlines inputs, activities, and outputs as well as immediate, short term and medium term outcomes for both grants.
The evaluation will consider the extent to which both grants achieved their intended outcomes, and whether the economic benefits exceeded the costs to help inform decisions about the nature and design of any future small business support programs. This will complement, and feed into a broader review of all NSW Government COVID-19 stimulus measures.
Service NSW rapidly developed an approach to administer the grants
Over recent disasters, such as the 2019–20 bushfires and the COVID-19 pandemic, Service NSW has been responsible for administering grant programs on behalf of other government agencies.
Service NSW implemented both grants under its Project Management Framework and under each grant agreement with NSW Treasury as it does not have its own grants administration framework. To address the risks that emerged during delivery, Service NSW developed an approach to standardise and monitor the administration of the grants while they were being implemented.
Service NSW now has an opportunity to establish a grants administration framework, based on the processes, lessons and outcomes captured under the grants administration taskforce and in developing its fraud control framework. Embedding these processes into business as usual for grants administration will enable Service NSW to have a consistent set of expectations for controls, business processes and governance and probity requirements for future grants it implements.
2. Recommendations
By December 2021, NSW Treasury should:
1. finalise and implement an evaluation of the $10,000 Support Grant and $3,000 Recovery Grant, including obtaining direct feedback from businesses on how grant funds achieved the grant objectives.
By December 2021, Service NSW should:
2. develop a grants administration framework, which documents expected controls – including fraud controls – business processes and governance and probity requirements
3. publish information on all grants programs, including grants distribution and uptake.
By December 2021, the Department of Customer Service should:
4. ensure its process for managing conflicts of interest meets policy requirements by:
- ensuring employees promptly declare any real, potential or perceived conflicts of interest
- annually producing a list of conflicts of interest for records retention purposes
- requiring a separate register of conflicts of interest declarations where a grant program is deemed as high risk.
3. Lessons for grants administered within urgent timeframes
The two grants this audit examined were administered within a context of urgent timeframes, and increased complexity and uncertainty about the impact of the COVID-19 pandemic. The following lessons are shared to assist sponsor and delivery agencies in administering future grants where rapid implementation is required.
Sponsor agencies should consider the following lessons:
1. develop an approach to define and measure benefits for rapidly developed programs and projects where a full business case and cost-benefit analysis is not feasible
2. establish common processes and expectations for co-administered grants:
- periodically assure agencies' capability to deliver grants programs
- agree and establish risk appetite statements with administering agencies
- clearly establish expected performance levels and targets under any agreement
3. review the processes and outcomes of rapidly developed programs, capture lessons learned, and apply these in planning and delivering future programs.
Delivery agencies should consider the following lessons:
1. risk management and risk appetite:
- perform robust assessment procedures to ensure risks associated with delivery of the project are identified
- ensure the controls implemented adequately address identified risks
- agree and document the acceptable risk appetite at the outset
- review risk management processes after the grants are issued when unable to finalise risk management processes ahead of launch
2. grant agreements between NSW public sector agencies:
- ensure agreements are finalised in a timely manner
- ensure agreements clearly outline:
- roles and responsibilities of both parties,
- changes in scope of services provided
- fees and charges applicable
3. frameworks for grants administration:
- ensure that there is a common set of expectations in place to guide grants administration including standard controls and processes for managing risk, capturing lessons learned and reporting on outcomes.
Appendix one – Response from agencies
Appendix three – Public Health Orders
Appendix four – Highly impacted industries
Appendix five – About the audit
Appendix six – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #352 - released (24 June 2021).
Internal controls and governance 2020
The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.
The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:
- financial and information technology controls
- business continuity and disaster recovery planning arrangements
- procurement, including emergency procurement
- delegations that support timely and effective decision-making.
Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.
The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.
This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.
1. Internal control trends
| New, repeat and high risk findings |
Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. Agencies should:
|
| Common findings |
A number of findings remain common across multiple agencies over the last four years, including:
|
2. Information technology controls
| IT general controls |
We found deficiencies in information security controls over key financial systems including:
The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated. |
3. Business continuity and disaster recovery planning
| Assessing risks to business continuity and Scenario testing |
The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment. Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:
Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
| Responding to disruptions |
We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance: in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee. Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers. Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions. |
| Management review and oversight | Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established. |
4. Procurement, including emergency procurement
| Policy framework |
Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted:
Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions. |
| Managing contracts |
Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement. |
| Training and support |
Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:
Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions. |
| Procurement activities | While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences. |
| Emergency procurement |
As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:
Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:
|
5. Delegations
| Instruments of delegation |
We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:
Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets. Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities. |
| Compliance with delegations |
Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020. Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer. |
6. Status of 2019 recommendations
| Progress implementing last year's recommendations |
Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:
While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2. Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations. |
Internal controls are processes, policies and procedures that help agencies to:
- operate effectively and efficiently
- produce reliable financial reports
- comply with laws and regulations
- support ethical government.
This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.
|
Section highlights We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies. We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:
Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.
|
Section highlights Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse. IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems. Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.
|
Section highlights We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled. This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required. During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.
|
Section highlights We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness. Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'. We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year. |
This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Cluster agencies
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Planning and Environment 2016
Auditor-General, Margaret Crawford released a report on the planning and environment cluster today, concluding that the quality of financial reporting is improving. However, the cluster can improve its financial controls and governance framework.
Fraud Survey
In a report released today, the NSW Auditor-General, Margaret Crawford provides a snapshot of reported fraud in the NSW public sector and an analysis of NSW Government agencies’ fraud controls based on a survey of 102 agencies.
Volume Six 2011 focus on Environment, Water and Regional Infrastructure
The Environment Protection Authority’s expenditure for the financial year 2010/11 was $92 million - $76 million of this was for environment protection and regulation. The Office of Environment and Heritage and the Environment Protection Authority commenced 145 prosecutions for environmental offences and 106 were completed in the financial year 2010/11, down from the 134 prosecutions completed in 2009/10. Financial penalties for 2010/11 totalled $969,000 down from $1,403,000 in 2009/10. The average fine decreased from $10,468 in 2009/10 to $9,141 in 2010/11.
Volume Four 2011 focusing on Electricity
The sale of the State’s electricity retail and trading rights raised $5.3 billion. The electricity retail businesses sold for a $3.08 billion profit with the electricity generation output sold for a $1.85 billion loss, delivering a overall profit of $1.23 billion. One recommendation is that The Treasurer should consider releasing the Energy Reform Strategy relating to the development and ownership of the Cobbora Coal Project for public scrutiny to ensure transparency of the energy reform process. There should be a clearly articulated business plan to demonstrate to the people of New South Wales the benefits from the project.
Volume One 2011
The level of non compliance with the requirements of this Premier’s Memorandum is concerning, particularly considering the NSW Procurement Reforms were effective since 2006. The implementation strategy for procurement reform was announced as early as 2001. We recommend the governing bodies of agencies and management review, not only the processes their agencies have in place to comply with procurement reforms and requirements, but also more broadly how agencies identify and comply with laws, regulations, Treasury policy pronouncements, Premier’s memoranda and other obligations.
