Refine search Expand filter

Reports

Published

Actions for Internal controls and governance 2024

Internal controls and governance 2024

Whole of Government
Gift and benefit
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Management and administration
Regulation
Risk
Service delivery
Shared services and collaboration

About this report

Internal controls are key to the accuracy and reliability of agencies’ financial reporting processes. This report analyses the internal controls and governance of 26 of the NSW public sector’s largest agencies for the 2023–24 financial year.

Findings

There are gaps in key business processes, which expose agencies to risks. These gaps are identified in 121 findings across the 26 agencies—including 4 high risk, 73 moderate risk and 44 low risk findings. All four high-risk issues related to IT controls and 19% of control deficiencies were repeat issues. Thirty-five per cent of agencies had deficiencies in control over privileged access.

Shared IT services

Six agencies provide IT shared services to 120 other customer agencies. All six had control deficiencies—three of these were high risk. Four agencies provide no independent assurance to their customers about the effectiveness of their own IT controls.

Cyber security

Eighteen agencies assessed cyber risk as being above their risk appetite. Fourteen of these agencies had not set a timeframe to resolve these risks and two agencies have not funded plans to improve cyber security.

Fraud and corruption control

Agencies need to improve fraud and corruption control. Instances of non-compliance with TC18-02 NSW Fraud and Corruption Policy were identified, including gaps such as a lack of comprehensive employment screening policies and not reporting matters to the audit and risk committee.

Gifts and benefits

Management of gifts and benefits requires better governance and transparency. All agencies had policy and guidance but all had gaps in management and implementation—such as not publishing registers nor providing ongoing training.

Information Technology

Nine agencies did not effectively restrict or monitor user access to privileged accounts.

Recommendations

The report makes recommendations to agencies to implement proper controls and improve processes in relation to:

  • organisational processes
  • information technology
  • cyber security
  • fraud and corruption, and
  • gifts and benefits.

 

Read the PDF report

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies found across agencies.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security.

This chapter outlines our audit observations, conclusions and recommendations from our review of agencies' fraud and corruption control framework, policies and practices. Our Internal Controls and Governance 2018 found a number of fraud and corruption control gaps in NSW Government.

The NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy (the Circular) requires NSW government agencies to develop, implement and maintain a fraud and corruption control framework. The Circular sets out minimum standards for a NSW Government agency’s fraud and corruption control framework.

Previous Audit Office report on agency fraud and corruption control

Report on Internal Controls and Governance 2018 (published October 2018)

The report found there were gaps in the fraud and corruption controls by some agencies, which increased the risk of reputational damage and financial loss.

Where relevant, we have included the results from our 2018 report on Internal Controls and Governance below for comparison purposes.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' managing of gifts and benefits.

Published

Actions for Universities 2023

Universities 2023

Universities
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Risk
Service delivery

About this report

Financial audit results of the NSW public universities’ financial statements for the year ended 31 December 2023.

Audit findings

Unmodified audit opinions were issued for all ten universities.

Eight universities reported net deficits. Three of these improved on their 2022 results.

Total fees and charges returned to pre-pandemic levels, with 40.5% earned from overseas students from three countries.

Employee related expenses increased 10.2% in 2023 mainly due to an additional 2,830 full time equivalent staff, in response to increased teaching and research activities.

Key issues

The number of findings reported to management has increased to 111 matters in 2023 up from 88 in 2022.

These included one high risk finding and 62 moderate risk findings, a 72% increase from last year.

Gaps identified in universities governance processes included delays in responding to findings and recommendations; staff not attesting compliance with codes of conduct annually; and not capturing and recording staff conflicts of interests within central registers.

Seven of the ten universities have cyber security risks above what they determine as an acceptable risk. Four universities did not have a cyber security uplift program.

Recommendations

Universities should address all recommendations made in the report (see Appendix one for a summary of these).

In particular, there should be a focus on prioritising remediation of wage underpayments to affected employees; ensuring a centralised conflict of interest register is maintained for all staff; considering emerging risks in university risk registers; ensuring controlled entities are considered when determining internal audit plans; and focusing efforts to improve cyber security risk management and cyber resilience capability.

This report provides NSW Parliament with the results of our 2023 financial audits of universities in New South Wales and their controlled entities, including analysis, observations and recommendations in the following areas:

  • financial reporting
  • internal controls and governance
  • teaching and enrolments
  • cyber security.

Financial reporting is an important element of good governance. Confidence and transparency in university sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting of universities in NSW for 2023.

Appropriate financial controls help to ensure the efficient and effective use of resources and administration of policies. They are essential for quality and timely decision-making. Effective governance is essential for the stability, sustainability and ethical operation of universities. It ensures accountability, transparency and promotes responsible decision making.

This chapter outlines our observations and insights from our financial statement audits of NSW universities.

Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These, along with the less significant matters, are reported to universities for management to address.

Section highlights

  • The 2023 audits identified one high risk finding which has been carried forward since 2018. There were 62 moderate risk issues also identified across NSW universities.
  • Seventeen of the moderate risk issues were repeat issues. Repeat issues mainly related to information technology controls around user access management, privileged user review, outdated policies and procedures, payroll and procurement processing improvements.
  • The number of findings reported to management has increased to 111 matters in 2023 up from 88 in 2022.
  • The number of overall repeat deficiencies has decreased with 32 reported in 2023 compared to 41 in 2022. 
  • Seven universities do not require staff to annually attest to the Code of Conduct.
  • Four universities did not capture and record conflicts of interests for all staff within a centralised register.
  • All universities have developed risk management frameworks, policies, appetite statements and registers however improvements are needed.

Universities' primary objectives are the functions of teaching and research. They invest most of their resources aiming to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.

This chapter outlines teaching and enrolment outcomes for universities in NSW for 2023.

Section highlights

  • Six universities were reported as having full-time employment rates of their domestic undergraduates in 2023 that were greater than the national average.
  • Overall student enrolments at NSW universities increased, with higher enrolments in Health, Information Technology and Engineering related courses.
  • On average, universities delivered 52% of courses face to face, an increase from 45% reported in 2022.
  • Five universities in 2023 were reported as meeting the target enrolment rate for students from low socio-economic status (SES) backgrounds.
  • Only one metropolitan based university reported increased enrolments of Aboriginal and Torres Strait Islander students in 2022.

This chapter of the report focuses on the cyber risk environment for universities, how universities have assessed that risk, what frameworks they use to strategically identify controls that respond to those risks, and the extent to which they have implemented or have plans to implement those controls. We also address some specific controls in respect of cyber resilience.

Section highlights

  • Seven of the ten universities have cyber security risks above what they have determined as an acceptable risk level.
  • One university did not assess its current cyber security maturity, which is a recommended practice to support prioritisation of cyber security improvements.
  • Four universities did not have a formal cyber security uplift program.
  • One university did not have a specific budget for improving its cyber security.

Appendix one – List of 2023 recommendations

Appendix two – Status of 2022 recommendations

Appendix three – Universities' controlled entities

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Planned

Actions for Security of student information

Security of student information

Education
Compliance
Cyber security
Information technology
Internal controls and governance
Risk

Schools collect and maintain detailed student data, including sensitive personal information. Schools can also require or encourage students, parents and carers to use third party software applications for learning and other school related activities. This audit will consider how effectively schools ensure student data is secure within their own systems and when provided to third or fourth parties.

Published

Actions for Cyber security in local government

Cyber security in local government

Local Government
Cyber security
Information technology
Internal controls and governance
Management and administration
Risk

What this report is about

NSW local councils provide a wide range of essential services and infrastructure to their communities and are increasingly reliant on digital technologies.

Councils need to manage cyber security risks to ensure their information, data and systems are appropriately safeguarded. Councils also need to be prepared to detect, respond and recover when a cyber security incident occurs.

The audit assessed how effectively three selected councils identified and managed cyber security risks.

The audit also included the Department of Planning, Housing and Infrastructure (Office of Local Government) and Department of Customer Service (Cyber Security NSW), due to their roles in providing guidance and support to local councils.

Audit findings

The audit found that the selected councils are not effectively identifying and managing cyber security risks. Each of the councils undertook activities to improve their cyber security during the audit period, but this audit found significant gaps in their cyber security risk management and cyber security processes.

Such gaps result in unmitigated risks to the security of information and assets which, if compromised, could impact their local communities, service delivery and public infrastructure.

Cyber Security NSW and the Office of Local Government recommend that councils adopt requirements in the Cyber Security Guidelines for Local Government, but could do more to monitor whether the Guidelines are enabling better cyber security risk management in the sector.

Audit recommendations

In summary, the councils should:

  • integrate assessment and monitoring of cyber security risks into corporate governance processes
  • self-assess their performance against Cyber Security NSW's guidelines for local government
  • develop and implement a risk-based cyber security improvement plan and program of activities
  • develop, implement and test a cyber incident response plan.

Cyber Security NSW and the Office of Local Government should regularly consult on cyber security risks facing local government, and review the effectiveness of guidelines and related resources for the sector.

While this report focuses on the performance of the selected councils, the findings and recommendations should be considered by all councils to better understand their risks and challenges relevant to managing cyber security risks.

Local councils in New South Wales (NSW) provide a wide range of essential services and infrastructure to their communities and are increasingly reliant on digital technologies for this.

Councils use various information systems and software to manage significant amounts of information and data relevant to their corporate functions, infrastructure and service delivery. This may include sensitive information about residents, customers and staff.

Audit Office of New South Wales reports to Parliament have highlighted gaps in councils' cyber security risk management approaches since 2020. The Local Government 2023 report, tabled in March 2024, found that 50 councils were yet to implement cyber security governance frameworks and related internal controls.

The threat from cyber security incidents continues to rise. Such incidents can harm local government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.

It is important that councils are effectively identifying and managing cyber security risks to:

  • protect their information, data and systems
  • be prepared to detect, respond to and recover from cyber security incidents 
  • ensure confidence in the services they are providing for their communities.

This report outlines important findings and recommendations from a performance audit of three councils: City of Parramatta Council, Singleton Council and Warrumbungle Shire Council. This audit report has deidentified findings for each council, but the specific findings have been directly shared with each council to enable them to remediate and improve cyber safeguards. The findings and recommendations in this report are likely to be relevant to most local councils in NSW and councils are encouraged to ensure they have sufficient cyber safeguards.

This audit assessed how effectively the selected councils identified and managed cyber security risks. The audit considered whether the councils:

  • effectively identify and plan for cyber security risks
  • have controls in place to effectively manage identified cyber security risks
  • have processes in place to detect, respond to, and recover from cyber security incidents.

This audit also included the Department of Customer Service and the Office of Local Government (OLG) within the Department of Planning and Environment (DPE) due to their roles in providing guidance and support to local government.1

Cyber Security NSW, part of the Department of Customer Service, supports local councils to improve their cyber resilience through a range of services and guidance, including the Cyber Security Guidelines – Local Government issued in December 2022.

The OLG is responsible for strengthening the sustainability, performance, integrity, transparency and accountability of the local government sector.

Conclusion

The three councils are not effectively identifying and managing cyber security risks. As a result, councils' information and systems are exposed to significant risks, which could have consequences for their communities and infrastructure.

Ineffective cyber security risk management can result in unmitigated risks to the security of information and assets which, if compromised, could impact the councils' local communities, service delivery and public infrastructure.

Poor management of cyber security can lead to consequences including theft of information or money, service interruptions, costs of repairing affected systems, and reputational damage.

Each council undertook activities to improve their cyber security during the audit period, but there were significant gaps in the councils' risk management processes and controls meaning the councils are not effectively identifying and managing cyber security risks.

Key findings include:

  • None of the councils are effectively using risk management processes to identify and manage cyber security risks.
  • None of the councils have assessed the business value of their information and systems to inform cyber security risk identification and management, nor have they assigned cyber security responsibilities for all core systems.
  • Two of the three councils do not have a formal plan to improve their cyber security, resulting in an uncoordinated approach to cyber security activities and related expenditure. The council that does have a plan has not formally considered the resourcing required to fully implement the plan.
  • None of the councils have implemented effective governance arrangements to ensure accountability for managing cyber security risks, and their reporting to ARICs did not link activities to risk mitigation.
  • None of the councils have effective cyber security policies and procedures for managing cyber security risks and to support consistent cyber security practices.None of the councils have a clear and consistent approach to monitoring the effectiveness of controls to mitigate identified cyber security risks.
  • All three councils are not effectively identifying or managing third party cyber security risks.

None of the councils have up to date plans and processes to support effective detection, response and recovery from cyber security incidents.

Councils need to be prepared to identify when a cyber incident occurs, and be able to respond to cyber incidents to contain any compromises and minimise the impact. This is even more important for councils with low levels of maturity in their preventative cyber security controls.

Key findings include:

  • None of the councils have a cyber incident response plan to ensure an effective response to and prompt recovery from cyber incidents, and their business continuity and disaster recovery planning documentation is not up to date.
  • None of the councils have clearly defined roles and responsibilities for detecting, responding to (including through appropriate reporting) and recovering from cyber incidents.
  • None of the councils maintain a register of cyber incidents to record information about the sources and types of incidents experienced and relevant responses, to support post-incident evaluation.

Cyber Security NSW and the OLG recommend that councils adopt requirements set out in the Cyber Security Guidelines for Local Government, but could do more to monitor whether the Guidelines are enabling better cyber security risk management in the sector.

Cyber Security NSW and the OLG recommend that local councils implement the Cyber Security Guidelines for Local Government. However, while the roles of both Cyber Security NSW and the OLG involve identifying and responding to specific sector risks, neither is monitoring the uptake of the Guidelines by local councils to identify whether they are enabling better cyber security risk management.

Cyber Security NSW and the OLG did not ensure that their roles, responsibilities and actions relevant to cyber security management were coordinated and complementary during the audit period. Cyber Security NSW's Local Government Engagement Plan was updated in November 2023 to include information about its approach to stakeholder collaboration to support a cyber secure NSW Government, including through engagement with the OLG.


1 The OLG was part of DPE up to 1 January 2024, when DPE was abolished and the OLG became part of the Department of Planning, Housing and Infrastructure (DPHI).

Local councils in New South Wales (NSW) provide a wide range of essential services and infrastructure to their communities. In doing so, councils use a range of information technology (IT) systems, assets, and digital services.

This audit follows several audit reports by the Audit Office of New South Wales that have considered how effectively NSW Government entities, including local councils have managed cyber security risks (see Appendix three).

The Audit Office of New South Wales has reported on how councils have managed cyber security risks since 2020. In the Local Government 2023 report, tabled in March 2024, gaps in cyber security frameworks and related internal controls were reported in 50 councils.

This chapter includes a summary of thematic key findings for the selected councils.

Cyber Security NSW is responsible for supporting local councils to improve their cyber resilience through a range of services and guidance and published its Local Government Engagement Plan in 2023 (discussed below).

The Office of Local Government (OLG) is responsible for strengthening the sustainability, performance, integrity, transparency and accountability of the local government sector. It does this through a range of activities including monitoring sector-wide and council-specific risks, issuing guidance, engaging with councils to build capacity and supporting the Minister for Local Government’s discretionary intervention powers.

Appendix one - Response from entities Cyber security in LG

Appendix two - Glossary-  Cyber security in local government

Appendix three – Overview of Audit Office of New South Wales reports that consider cyber security - Cyber security in local government

Appendix four – Cyber Security Guidelines – Local Government foundational requirements- Cyber security in local government

Appendix five – About the audit- Cyber security in local government

Appendix six – Performance auditing -Cyber security in local government

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #392- released 26 March 2024

Published

Actions for Local Government 2023

Local Government 2023

Local Government
Asset valuation
Cyber security
Financial reporting
Fraud
Information technology
Internal controls and governance

What this report is about

Results of the local government sector financial statement audits for the year ended 30 June 2023.

Findings

Unqualified audit opinions were issued for 85 councils, eight county councils and 12 joint organisations.

Qualified audit opinions were issued for 36 councils due to non-recognition of rural firefighting equipment vested under section 119(2) of the Rural Fires Act 1997.

The audits of seven councils, one county council and one joint organisation remain in progress at the date of this report due to significant accounting issues.

Fifty councils, county councils and joint organisations missed the statutory deadline of submitting their financial statements to the Office of Local Government, within the Department of Planning, Housing and Infrastructure, by 31 October.

Audit management letters included 1,131 findings with 40% being repeat findings and 91 findings being high-risk. Governance, asset management and information technology continue to represent 65% of the key areas for improvement.

Fifty councils do not have basic governance and internal controls to manage cyber security.

Recommendations

To improve quality and timeliness of financial reporting, councils should:

  • adopt early financial reporting procedures, including asset valuations
  • ensure integrity and completeness of asset source records
  • perform procedures to confirm completeness, accuracy and condition of vested rural firefighting equipment.

To improve internal controls, councils should:

  • track progress of implementing audit recommendations, and prioritise high-risk repeat issues
  • continue to focus on cyber security governance and controls.

 

Pursuant to the Local Government Act 1993 I am pleased to present my Auditor-General’s report on Local Government 2023. My report provides the results of the 2022–23 financial audits of 121 councils, eight county councils and 12 joint organisations. It also includes the results of the 2021–22 audits for two councils and two joint organisations which were completed after tabling of the Auditor-General’s report on Local Government 2022. The 2022–23 audits for eight councils, one county council and one joint organisation remain in progress due to significant accounting issues.

This will be my last consolidated report on local councils in NSW as my term as Auditor-General ends in April. Without a doubt, the change in mandate to make me the auditor of the local government sector has been the biggest challenge in my term. Challenging for councils as they adjust to consistent audit arrangements and for the staff of the Audit Office of NSW as they learn about the issues facing NSW councils.

The change in mandate aimed to improve the quality of financial management and reporting across the sector. This will take time. But this report does show some ‘green shoots’ with more councils submitting financial reports to the Office of Local Government by 31 October and more councils having Audit, Risk and Improvement Committees. 

I also want to acknowledge that councils face significant challenges responding to and recovering from emergency events whilst cost and resourcing pressures have been persistent.

The findings from our audits identify opportunities to further improve timeliness and quality of financial reporting and integrity of systems and processes. The recommendations in this report are also intended to improve financial management and reporting capability, encourage sound governance, and boost cyber resilience.

 

Margaret Crawford PSM
Auditor-General for New South Wales

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting audit results of councils, county councils and joint organisations.

A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical government.

This chapter outlines the overall trends in governance and internal controls across councils, county councils and joint organisations in 2022–23.

Financial audits focus on key governance matters and internal controls supporting the preparation of councils’ financial statements. Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues are reported to management and those charged with governance through audit management letters. These letters include our observations with risk ratings, related implications, and recommendations.

Appendix one – Response from the Office of Local Government within the Department of Planning, Housing and Infrastructure

Appendix two – NSW Crown Solicitor’s advice

Appendix three – Status of previous recommendations

Appendix four – Status of audits

Appendix five – Councils received qualified audit opinions for non-recognition of rural firefighting equipment

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Regulation insights

Regulation insights

Environment
Finance
Health
Local Government
Whole of Government
Compliance
Cyber security
Internal controls and governance
Management and administration
Procurement
Regulation
Risk

What this report is about

In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.

This analysis includes performance audits, compliance audits and the outcomes of financial audits.

Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.

The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.

Audit findings

The analysis of findings and recommendations is structured around four key themes related to effective regulation:

  • governance and accountability
  • processes and procedures
  • data and information management
  • support and guidance.

The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.

In this report, we also draw out insights for agencies that provide a public sector stewardship role.

The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.

The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.

Image
Picture of Margaret Crawford Auditor-General for New South Wales in a copper with teal specks dress with black cardigan.

I am pleased to present this report, Regulation insights. This report highlights themes and generates insights about effective regulation from the last six years of audit.

Effective regulation is necessary to ensure compliance with the law. Effective regulation also promotes social, economic, and environmental outcomes, and minimises risks or negative impacts associated with certain activities. But regulation can be challenging and costly for governments to implement. It can also involve costs and impact on the regulated parties, including other public sector and private entities, and individuals. As such, effective regulation needs to be administered efficiently, and with integrity.

Having a clearly articulated and communicated regulatory approach is essential to achieving this outcome, particularly when this promotes voluntary compliance and sets performance standards that are informed by community expectations. A consistent approach to exercising regulatory powers is important: it should be supported by robust information about regulatory risks and issues, and accompanied with timely, proportionate responses. Providing relevant support to the regulated parties and coordinating activities to facilitate compliance and performance can generate efficiencies.

Finally, transparency matters. It matters so that government has oversight of and can be held accountable for its leadership of public sector compliance, and in regulating the activities of third parties. Transparency also matters because it can provide insights into the effective exercise of government power. To achieve this, meaningful regulatory information needs to be reported.

While these issues are most pertinent for government agencies that exercise traditional regulatory functions, they are also relevant to lead government agencies that provide a stewardship role in promoting compliance and performance by other government agencies in relation to particular areas of risk.

Over the past six years, our audit work has found many common and repeat performance gaps, creating risks, inefficiencies, and limiting outcomes of regulatory activities. In considering these gaps, this report provides public sector leaders with insights into the challenges and opportunities they may encounter when aiming for more effective regulation, including the good governance of regulatory activities. This includes insights for lead agencies that provide a public sector stewardship role. Through applying these insights and maximising regulatory effectiveness, unintended impacts on the people and sectors government serves and protects can be avoided or at the very least minimised.

 

Margaret Crawford PSM
Auditor-General for NSW

This report brings together key findings and recommendations relevant to regulation from selected performance and compliance audits between 2018 and early 2024 (19 in total), and from two reports that summarise results of financial audits during the same period. It aims to provide insights into the challenges and opportunities the public sector may encounter when aiming to enhance regulatory effectiveness.

The report is structured in two sections, each setting out insights from relevant audits and providing summaries as illustrative examples.

Section 3 is focused on insights from audits of agencies that administer regulatory powers and functions over other entities or activities (typically known as 'regulators'). The powers and functions of regulators are defined in law, and often relate to issuing approvals (e.g., licensing) for certain activities, and/or monitoring allowable activities within certain limits. Regulators often have compliance and enforcement powers that can be exercised in particular circumstances, such as when a regulated entity has not complied with relevant requirements.

Agencies may be primarily established as regulators or perform regulatory activities alongside other functions. Depending on the context, the regulated activity may relate to other state agencies, local government entities, non-government entities or individuals.

Section 4 summarises insights from a selection of audits of agencies that provide a stewardship role in promoting compliance by and performance of other state agencies and local government entities in relation to specific regulations or policies. These policies may or may not be mandatory and, unlike a more traditional regulator, the coordinating agency may not have enforcement powers to ensure compliance.

These policies, and accompanying guidelines and frameworks, are typically issued by ‘central agencies’ such as the Premier's Department that have a public sector stewardship role. They can also be issued by agencies with a leadership role in particular policy areas ('lead agencies'). While individual agencies and local government entities implementing these policies are responsible for their own compliance and performance, lead and central agencies have an oversight role including by promoting accountability and coordinating activities towards achieving compliance and performance outcomes across the public sector.

Readers are encouraged to view the full reports for further information. Links to versions published on our website are provided throughout this document, and a full list is in Appendix one. An overview of the rationale for selecting these audits and the approach to developing this report is in Appendix two.

The status of agencies' responses to audit recommendations

Findings from the audits referred to in this report were current at the time each respective report was published. In many cases, agencies accepted audit recommendations, as reflected in the letters from agency heads that are included in the appendix of each audit report.

The Public Accounts Committee of the NSW Parliament has a role in reporting on and ensuring that agencies respond appropriately to audit recommendations. Readers are encouraged to review the Public Accounts Committee's inquiries on agencies' implementation of audit recommendations, which can be found on the Committee's website.

Published

Actions for Driver vehicle system

Driver vehicle system

Transport
Finance
Cyber security
Information technology
Internal controls and governance
Project management
Service delivery

What this report is about

Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.

DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.

DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.

This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.

Audit findings

TfNSW has not effectively planned the replacement of DRIVES.

It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.

In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.

TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.

TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.

TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.

Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.

Audit recommendations

TfNSW should:

  • implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
  • ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
  • ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
  • ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
  • develop a clear statement of the future role in whole of government service delivery for the system
  • resolve key issues currently faced by the DRIVES replacement program including by:
    • clearly setting out a strategy and design for the replacement
    • preparing a specific business case for replacement.

The DRIver VEhicle System1 (often known as DRIVES) is the Transport for NSW (TfNSW) system which is used to manage over 6.2 million driver licences and over seven million vehicle registrations in New South Wales.

DRIVES first went live in 1991 and has been significantly extended and enhanced over the past 33 years. DRIVES is a significant NSW Government information system — containing personal information such as home addresses for most of the NSW adult population, sensitive health information such as medical conditions, and biometric data in photographs.

Service NSW, part of the Department of Customer Service, is the NSW Government's 'one stop shop' for services to NSW citizens and businesses. It uses DRIVES when it delivers many transport-related services to NSW citizens such as licence renewals and checks the identity information stored in DRIVES as part of other services delivered to NSW citizens, such as a 'working with children check'.

DRIVES supports TfNSW's regulatory functions and the collection of more than $5 billion in revenue annually for the NSW Government. The system is also used by many organisations outside of the NSW Government including commercial insurers and national regulators, as well as individual citizens who access DRIVES for services such as 'Renew my registration' or 'Book a driver knowledge test'.

TfNSW owns and manages DRIVES. It intends to replace DRIVES with a modernised system to improve its cost, performance, and security.

The objective of this performance audit was to assess whether TfNSW is effectively:

  • managing the current system, and 
  • planning to transition DRIVES to a modernised system.

The auditee is TfNSW. We have consulted with the Department of Customer Service as a key stakeholder during the audit process.

This part of the report considers whether Transport for NSW (TfNSW) is effectively managing the current system. It considers DRIVES’:

  • role in NSW Government service delivery
  • ease of use and appropriateness for a modern system
  • mechanisms to ensure the service is available for users.

This part of the report considers whether Transport for NSW (TfNSW) is effectively planning to transition DRIVES to a modernised system. It makes findings on the:

  •  effort to develop a business case to fund the replacement of DRIVES
  • issues which have contributed to the slow progress of the replacement program.

Published

Actions for State Finances 2023

State Finances 2023

Treasury
Whole of Government
Asset valuation
Compliance
Cyber security
Financial reporting
Infrastructure
Internal controls and governance
Management and administration
Regulation

What this report is about

Results of the audit of the Consolidated State Financial Statements of the New South Wales General Government Sector (GGS) and Total State Sector (TSS) for the year ended 30 June 2023.

Findings

The audit opinion on the 2022–23 Consolidated State Financial Statements was qualified in relation to two issues and included an emphasis of matter.

The first qualification matter is a continuation of the prior year limitation of scope on the audit relating to the Catholic Metropolitan Cemeteries Trust (CMCT), a controlled state entity, who continued to deny access to its management, books and records for the purposes of a financial audit. As a result, the Audit Office was unable to obtain sufficient appropriate audit evidence to support the assets, liabilities, income and expenses relating to CMCT recorded in the TSS and the equity investment recognised in the GGS relating to the net assets of CMCT.

The second qualification matter relates to the limitations on the accuracy and reliability of financial information relating to Statutory Land Managers (SLMs) and Common Trust entities (CTs) controlled by the State and were either exempted from requirements to prepare financial reports, or who were required to submit financial reports and have not done so. The Audit Office was unable to obtain sufficient appropriate audit evidence to determine the impact on the value of non-land assets and liabilities, income and expenses that should be recognised in the 2022–23 Consolidated State Financial Statements and which have not been recorded in the Consolidated State Financial Statements.

The independent audit opinion also includes an emphasis of matter drawing attention to key decisions made by the NSW Government regarding the future of the Transport Asset Holding Entity of New South Wales (TAHE).

Recommendations

The report includes recommendations for NSW Treasury to address several high-risk findings, including:

  • ensuring accurate and reliable financial information is available to recognise the non-land balances of SLMs and CTs
  • ensuring the CMCT, SLMs and CTs meet their statutory reporting obligations
  • conducting a broader review of the financial reporting exemption framework
  • continued monitoring of TAHE's control over its assets
  • providing timely guidance to the sector relating to legislative or policy changes that impact financial reporting
  • developing an accounting policy for the reimbursement of unsuccessful tender bid cost contributions.

Pursuant to section 52A of the Government Sector Audit Act 1983, I am pleased to present my Report on State Finances, for the year ended 30 June 2023. 

The report highlights the maturity of financial reporting across the sector, with most New South Wales (NSW) government agencies that consolidate into the whole-of-government accounts having unqualified audit reports.  

This report also highlights important areas for improvement. Improving the timely completion of the NSW Government's consolidated financial statements, and resolving matters on the quality of the Total State Sector Accounts that have resulted in modifications to the independent audit opinion, should be a key focus.  

Colleagues in NSW Treasury and key agencies, along with staff of the Audit Office, have worked extremely hard and collaboratively throughout the year to resolve significant accounting and audit matters, and address recommendations from past audits. I thank them for their diligence and commitment to ensuring the quality and timeliness of financial management and reporting in the NSW public sector.  

This level of professionalism needs to be sustained in view of the significant challenges that lie ahead, including embedding sustainability reporting and the disclosure of climate-related financial information. The State and the Audit Office are well placed to meet these challenges.  

As this is the last report I will present on State Finances during my term as Auditor-General, I would like to conclude by saying what an honour it has been to serve the Parliament of NSW in such an important role. A commitment to independent assurance and transparent reporting on the activities of government have been a hallmark of NSW for two centuries. We should all take pride in and protect this commitment to good government.

 

Margaret Crawford PSM 

Auditor-General for New South Wales

The Independent Auditor's report was qualified 

The audit opinion on the Consolidated State Financial Statements of the New South Wales General Government Sector (GGS) and Total State Sector (TSS) for the year ended 30 June 2023 was qualified in relation to two issues and included an emphasis of matter. These matters are detailed below. 

From here on, the Consolidated State Financial Statements are referred to as the Total State Sector Accounts (TSSA), in line with NSW Treasury's naming convention. 

The audit opinion continued to be qualified due to a limitation on the scope of the audit relating to the Catholic Metropolitan Cemeteries Trust 

The first qualification matter is a continuation of the prior year limitation of scope relating to the Catholic Metropolitan Cemeteries Trust (CMCT), who continued to deny access to its management, books and records for the purposes of a financial audit. 

NSW Treasury's position remains that CMCT is a controlled entity of the State for financial reporting purposes. This means CMCT is a GSF agency and is obliged under Section 7.6 of the Government Sector Finance Act 2018 (GSF Act) to prepare financial statements and give them to the Auditor-General for audit. 

To date, CMCT has not met its statutory obligations under the GSF Act. CMCT has not submitted its financial statements to the Auditor-General for audit despite repeated requests and has not provided access to its books and records for the purposes of a financial audit. As a controlled entity, NSW Treasury is required by Australian Accounting Standards to consolidate the CMCT into the TSSA. 

Consequently, the Audit Office was unable to obtain sufficient appropriate audit evidence on the carrying amount of assets and liabilities recognised in the TSS as at 30 June 2023 and of the amount of income and expenses for the year then ended. The value of the net assets of CMCT consolidated into the TSS is $321 million, and the total comprehensive income of CMCT consolidated into the TSS for the year is $25.8 million. The GGS financial statements for the year ended 30 June 2023 also recognised an equity investment in the net assets of CMCT ($321 million). 

This limitation of scope resulted in a qualified audit opinion being issued on the TSS and the GGS. 

Section 3 of this report titled 'Limitation of scope relating to CMCT' discusses this matter in further detail. 

The audit opinion was qualified due to a limitation on the scope of the audit relating to the non-land assets, liabilities, income and expenses of controlled entities that manage crown land and associated assets and for which reliable financial information is not available 

There are 579 Category 2 Statutory Land Managers and 119 Commons Trust entities controlled by the State. 

A category 2 Statutory Land Manager (SLM) is a type of Crown Land Manager that is controlled by the State. It excludes other Crown Land Managers such as councils, metro cemeteries and Crown Holiday Parks land managers. Commons Trusts (CT) are responsible for the care, control and management of commons for which the trust is established. A common is a parcel of land that has been set aside by the Governor or the Minister for specific use in a certain locality, such as grazing, camping or bushwalking.

NSW Treasury has determined that SLMs and CTs are controlled entities of the State. Consequently these should be recognised in the TSSA as required by Australian Accounting Standards. However, the non-land assets, liabilities, income and expenses of SLMs and CTs have not been recognised in the TSSA. 

Most of these entities have not prepared financial statements, upon which to consolidate the non-land assets, liabilities, income and expenses of SLMs and CTs into the TSSA. This is because they have either not complied with their financial reporting obligations under section 7.6 of the GSF Act, or they were not required to prepare financial statements as they met the prescribed reporting exemption criteria set out in the Government Sector Finance Regulation 2018. 

In 2022–23 NSW Treasury reviewed available financial information to estimate the aggregate value of non-land assets, liabilities, income and expenses relating to SLMs and CTs that were not recognised in the TSSA. 

NSW Treasury estimates the aggregate value of non-land assets not recognised in the TSSA to be in the range of $351.6 million to $382.4 million. However, there are significant limitations on the accuracy and reliability of financial information that support these estimates. Only 12 entities were supported by what NSW Treasury defined as ‘highly reliable financial data’. Two hundred and eighty-four entities provided self-reported information and 288 entities had not submitted any financial data. The balances of the remaining entities were supported by what NSW Treasury defined as ‘somewhat reliable financial data’. This included ‘lower-quality’ financial statements and assessments of asset values performed by the former Department of Planning and Environment (DPE). 

Because of the limitations on the accuracy and reliability of financial information relating to SLMs and CTs, the Audit Office was unable to obtain sufficient appropriate audit evidence to determine the impact on the value of non-land assets and liabilities that should be recognised in the TSSA as at 30 June 2023 and of the amount of income and expenses that should be recognised in the TSSA for the year then ended. 

Accordingly, this limitation of scope resulted in a qualified audit opinion being issued on the TSSA. 

Section 4 of this report titled 'Limitation of scope relating to Category 2 Statutory Land Managers and Commons Trusts' discusses this matter in further detail. 

The audit opinion included an emphasis of matter drawing attention to key decisions regarding the future of the Transport Asset Holding Entity of New South Wales (TAHE) 

The Independent Auditor’s Report also includes an emphasis of matter, drawing attention to key decisions made by the government in August 2023 regarding the future of TAHE. 

The decisions are likely to have a significant impact on TAHE's financial position and future operating model, including converting TAHE from a for-profit State Owned Corporation (SOC) to a non-commercial Public Non-Financial Corporation (PNFC). 

These decisions may impact the future commercial agreements with the public rail operators and the future valuation of TAHE’s assets that are consolidated in the TSS. The decisions also mean that cash contributions made to TAHE are treated as grant expenses, rather than equity investments, the audit matter that has previously been reported. 

Section 5 of this report titled 'Investment in TAHE' discusses this matter in further detail. 

Other significant matters relating to the TSSA audit are covered in Section 6 titled 'Key audit findings'.

The number of identified errors increased in 2022–23 

In 2022–23, agency financial statements presented for audit contained 29 errors, where each error exceeded $20 million (20 errors in 2021–22). The total value of these errors was $2.5 billion, an increase from the previous year ($973 million in 2021–22). 

The following graph shows the number of reported errors (both corrected and uncorrected), exceeding $20 million over the past five years in agencies’ financial statements presented for audit. 

Most errors related to: 

  • the incorrect application of Australian Accounting Standards and NSW Treasury policies 
  • issues with the data, judgements and assumptions used when valuing non-current physical assets and liabilities 
  • non-recognition of provisions related to the enhanced paid parental leave scheme that became effective 1 October 2022.

CMCT continues to deny the NSW Government and the Auditor-General access to its management, books and records 

NSW Treasury has reconfirmed the CMCT is a controlled entity of the State. The Audit Office accepts the position of NSW Treasury. 

The reaffirmation of this position means CMCT is a GSF agency under the provisions of the GSF Act. Section 7.6 of the GSF Act places an obligation on CMCT to prepare financial statements and give them to the Auditor-General. Further, section 34 of the Government Sector Audit Act 1983 (the GSA Act) requires the Auditor-General to furnish an audit report on these financial statements. 

The Audit Office recommended in the ‘State Finances 2022’ report that NSW Treasury and DPE should ensure CMCT meets its statutory reporting obligations. CMCT continues to contest NSW Treasury’s determination and asserts they are not a controlled entity of the NSW Government. 

To date, CMCT has not met its statutory obligations to prepare financial statements under the GSF Act and provide them to the Auditor-General for audit. CMCT has not submitted their financial statements to the Auditor-General for audit despite repeated requests and has not provided access to its books and records for the purposes of a financial audit. There continued to be correspondence between the Audit Office of NSW, CMCT, NSW Treasury and DPE in 2022–23 regarding this matter.

Category 2 Statutory Land Managers and Commons Trusts should be consolidated in the TSSA 

A category 2 Statutory Land Manager (SLM) is a type of Crown Land Manager that is controlled by the State. It excludes other Crown Land Managers such as councils, metro cemeteries and Crown Holiday Parks land managers. SLMs are persons or entities appointed by the Minister to be responsible for the care, control and management of Crown reserves on behalf of the people of New South Wales. 

Commons Trusts (CTs) are responsible for the care, control and management of commons for which the trust is established. A common is a parcel of land that has been set aside by the Governor or the Minister for specific use in a certain locality, such as grazing, camping or bushwalking. CTs are considered to be controlled entities of the Minister who administers the Commons Management Act 1989. CTs are not SLMs. 

Category 2 SLMs and CTs are controlled entities of the State and should be consolidated in the Total State Sector Accounts as required by Australian Accounting Standards. 

Most of these entities have not prepared audited financial statements, upon which to consolidate the non-land assets, liabilities, income and expenses of SLMs and CTs into the Total State Sector Accounts. This is because they have either not complied with their financial reporting obligations under section 7.6 of the GSF Act or they were not required to prepare audited financial statements as they met the prescribed reporting exemption criteria set out in the Government Sector Finance Regulation 2018. Further information on this compliance matter is included in Section 6 of this report titled 'Key audit findings'. 

Insufficient financial information is available to estimate the value of non-land assets, liabilities, revenues and expenses of SLMs and CTs that should be consolidated in the TSSA 

In 2022–23, NSW Treasury reviewed the available financial information to estimate the aggregate value of assets, liabilities, income, and expenses relating to SLMs and CTs that should be consolidated in the TSSA. 

Land managed by the SLMs and CTs is valued each year by the former Department of Planning and Environment (DPE) and included in the TSSA in aggregate ($466 million, 2021–22: $318 million). However, there were significant issues with the accuracy and reliability of financial information to support non-land assets, liabilities, income and expenses of SLMs and CTs. 

NSW Treasury considered the financial statements of 30 of the largest SLMs and CTs, self-reported financial information for around 400 SLMs and CTs, asset valuations, aerial photography, review of business operations, risks, legal claims, insurance arrangements and limitations imposed due to the scale and bespoke nature of the operations. DPE facilitated further engagement with SLMs and CTs to identify additional information.

NSW Treasury estimates the aggregate value of non-land assets not recognised in the TSSA to be in the range of $351.6 million to $382.4 million. However, there are significant limitations on the accuracy and reliability of financial information that support these estimates. Only 12 entities were supported by what NSW Treasury defined as ‘highly reliable financial data’. Two hundred and eighty-four entities provided self-reported information and 288 entities had not submitted any financial data. The balances of the remaining entities were supported by what NSW Treasury defined as ‘somewhat reliable financial data’. This included ‘lower-quality’ financial statements and assessments of asset values performed by DPE. 

Although the review provided some information about the SLMs and CTs, NSW Treasury concluded that there were significant limitations in the financial information available from the SLMs and CTs, and limited information to support compliance with accounting policies and relevant Treasurer’s directions. 

The TSSA audit opinion was qualified in relation to SLMs and CTs 

The opinion in the TSSA’s audit report was qualified due to the limitations on the accuracy and reliability of financial information relating to SLMs and CTs. This is a new audit qualification for 2022–23. 

This limitation was appropriately disclosed in Note 1 'Statement of Significant Accounting Policies' of the TSSA. The Statement of Compliance signed by the Secretary of NSW Treasury and the Treasurer on 18 January 2024 was also updated to acknowledge the disclosure in Note 1 regarding SLMs and CTs.

In September 2023, the NSW Government announced its intention to convert TAHE into a non-commercial PNFC. 

TAHE’s new operating model is expected to be implemented in three phases: 

  • Phase 1: the government expects to transition TAHE to not-for-profit status by taking administrative actions under the State Owned Corporations Act 1989
  • Phase 2: the government expects to introduce an initial wave of legislative changes to allow for the introduction of the new operating model. 
  • Phase 3: the government expects to introduce further legislative changes to remove TAHE’s status as a SOC. The corporation is expected to be renamed. 

Cash contributions from NSW Treasury to TAHE in 2022–23 have been expensed and are no longer treated as equity contributions 

In prior years the cash transfers from NSW Treasury (an entity in the GGS) to TAHE, an entity controlled by the State that is classified in the PNFC sector, were treated as equity contributions. 

The equity contributions were recognised on the basis there was a reasonable expectation to earn a sufficient rate of return of 2.5% (including recovering any holding losses) on the investment in TAHE. The exception to this treatment is if there is no reasonable expectation of a sufficient rate of return on the contribution, in which case, the transfer should be recorded as a capital transfer expense. Returns include dividends, income tax equivalents and holding gains or losses. 

The accounting treatment of the cash contributions to TAHE has been an area of significant audit focus in previous years, and significant audit findings reported to Parliament. The significant uncertainty relating to the assumptions and estimates used to forecast a 2.5% return on GGS investments into TAHE, that supported the recognition of an equity contribution in the prior year, was reported as an emphasis of matter in the 2021–22 TSSA audit report. 

In 2022–23 the government changed the intent and expectations in relation to the future operating model of TAHE. This change in direction meant the government will no longer account for cash contributions to TAHE as equity, but rather will treat such contributions as an expense. This is because the government is no longer demonstrating that there is a reasonable expectation of a sufficient rate of return on the contributions made by the GGS to TAHE. 

As a result, from 1 July 2022, the capital funding of $1.6 billion provided to TAHE in 2022–23 has been recorded as a capital transfer expense in the GGS Statement of Comprehensive Income. 

The emphasis of matter included in last year’s TSSA audit report relating to the significant uncertainty relating to the assumptions and estimates used to forecast returns on GGS investments into TAHE is no longer relevant this year. However, the Audit Office have included a new emphasis of matter in the 2022–23 TSSA audit report, drawing attention to the key decisions made by the government in August 2023 regarding the future of TAHE. 

'Emphasis of matter' paragraphs are included in an agency's Independent Auditor's Report for matters that have been presented or disclosed by the agency in its certified financial statements. Whilst they do not constitute an audit qualification, they do highlight matters that are, in our judgment, relevant to the users' understanding of the financial statements. 

Further information on last year's audit of the government's investment in TAHE can be found in our ‘State Finances 2022’ report.

Valuation of TAHE assets in TAHE's accounts

At 30 June 2023, TAHE reported $16.5 billion in property, plant and equipment and related intangibles within the cash generating units (CGUs) – a $2.8 billion or 15% decrease from the same time last year (2021–22: $19.3 billion). The fair value of these assets at balance date is determined using the income approach – appropriate for TAHE given its current for-profit status. Such an approach is reliant on, and is sensitive to TAHE’s judgements, estimates and assumptions. 

The reduction in the carrying value of reported assets was largely driven by the uncertainty of TAHE's future operating model under the new government, which increased the risk and discount rates applied to the valuation model. 

Given the uncertainty over the future of TAHE, NSW Treasury and TAHE will need to assess whether the income approach remains an appropriate basis of valuation going forward. 

Control of TAHE assets 

TAHE's position on control of assets for the current year was accepted 

TAHE assessed that it maintains control of its assets as it has exercised authority and power over its assets during the year, as well as continuing to operate as an independent SOC. 

Consistent with the prior year, the audit did not find evidence that the assets held by TAHE are not controlled by TAHE. However, given the constraints that can be imposed through the operating licence, there is a risk that limitations could be placed on the operations or functions of TAHE. Future limitations to the degree of control TAHE, and its board, can exercise over it functions may impact the degree of control TAHE has over its assets going forward. The current operating licence issued by the Minister for Transport expires on 30 June 2024. 

Furthermore, the government’s decision to change the operating model for TAHE in future years could impact the control TAHE has over its assets. The control of these assets by TAHE will be a continued area of audit focus.

Recommendation 

NSW Treasury and TAHE should continue to monitor the risk that control of TAHE assets could change in future reporting periods based on the government’s decision on TAHE’s new operating model. 

TAHE must continue to demonstrate control of its assets; or the current accounting presentation would need to be reconsidered.

Performance audit on the design and implementation of TAHE 

In January 2023, the Auditor-General tabled a performance audit on the 'Design and implementation of the Transport Asset Holding Entity', which assessed the effectiveness of NSW government agencies' design and implementation of TAHE. The audit included TAHE, Transport for NSW and NSW Treasury. 

The audit found the design and implementation of TAHE, which spanned seven years, was not effective. 

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The budget benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose. 

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed. 

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

Deficit of $10.6 billion compared with a budgeted deficit of $11.3 billion 

The General Government Sector (GGS) comprises of 210 entities and provides public services or carries out policy or regulatory functions. Agencies in this sector are funded centrally by the State. 

A principal measure of the government's overall activity and policies is its net operating balance (budget result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors. 

Outside the GGS, a further 104 government-controlled entities are included within the TSSA. These entities form part of the PNFC (32) and PFC (72) sectors, and generally provide goods and services for which consumers pay for directly (including water and electricity). 

The GGS's budget result for the 2022–23 financial year was a deficit of $10.6 billion compared to an original forecast of a budget deficit of $11.3 billion.

Revenues increased $6.6 billion to $113.2 billion 

The State’s total revenues increased $6.6 billion to $113.2 billion, an increase of 6.2% compared to the previous year. Total revenue growth in 2021–22 was 18.2%. The State's increase in revenue was mostly from $2 billion in sale of goods and services, $1.5 billion in fines, regulatory fees and other revenue, and $1.4 billion in interest. 

Sale of goods and services increased by 14.8% 

Sale of goods and services revenue increased by $2 billion, mainly due to the return of the State's operations and services post the COVID-19 pandemic, including the: 

  • return of elective surgery, increased patient services and sale of high-cost drugs under the Pharmaceutical Benefits Scheme co-payment for Section 100 Highly Specialised Drugs for both private and public patients 
  • increased user demand for public transport 
  • re-opening of schools contributing to higher revenue from student fees, sports and extracurricular activities. 

Fines, regulatory fees and other revenue increased by 19.8% 

Fines, regulatory fees and other revenue increased by $1.5 billion, mainly due to higher mining royalties collected by the State of $949 million. Extracted volume and weight of coal, gold and copper increased in 2022–23, as the COVID-19 pandemic lockdown restrictions eased, increasing the demand for export commodities. 

Interest revenue increased by 137.6% 

Interest revenue increased by $1.5 billion because of the strong interest rate environment and increases in the cash rate impacting securities, investment deposits and government agencies. As a result, this is passed on to new client loans as TCorp’s own borrowing costs increase.

Assets grew by $75.1 billion to $651 billion 

The State’s assets include physical assets such as land, buildings and infrastructure systems, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $75.1 billion or 13.1% to $651 billion. The increase was largely due to increases in the carrying value of land, buildings and infrastructure systems. 

Valuing the State’s physical assets 

The State’s physical assets were valued at $489 billion 

The value of the State’s physical assets increased by $52.6 billion to $489 billion in 2022–23 ($46.7 billion increase in 2021–22). The State’s physical assets include land and buildings ($214 billion), infrastructure systems ($256 billion) and plant and equipment ($19.4 billion). 

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include assets reclassified to held for sale.

Appendix one – Prescribed entities

Appendix two – TSS sectors and entities

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Actions for Internal controls and governance 2023

Internal controls and governance 2023

Whole of Government
Compliance
Cyber security
Information technology
Internal controls and governance
Management and administration
Regulation
Workforce and capability

What this report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2023.

Findings

Internal control trends

The proportion of control deficiencies identified as high-risk this year decreased to 4.5% (8.2% in 2022).

Repeat findings of control deficiencies represent 38% of all findings (48% in 2022). 

Information technology

Over half of the agencies reviewed have deficiencies in managing user access to their information systems. Over a third of agencies had deficiencies in their controls over privileged user accounts within their information technology environments. 

Cyber security

Over 80% of assessments for maturity levels against the NSW Cyber Security Policy have reported one or more self-assessed Mandatory Requirements are not practiced on a consistent and regular basis.

Essential Eight cyber controls have not improved, and they need to. 

Governance framework

Deficiencies were noted in agencies' governance and risk management frameworks, namely: outdated risk management policies, lack of risk appetite statements, and internal audit functions not being externally evaluated.  

Payroll and work health and safety (WHS)

Overtime expenses increased by 40% between 2020 and 2023, compared to salaries and wages which increased by 16% over the same period.

Five agencies have WHS policies that do not reflect current WHS regulations.

Recommendations

Several important recommendations were made for agencies to prioritise efforts to improve cyber security controls and cyber resilience measures.

It was also recommended that agencies periodically review their risk management maturity and implement action plans, and ensure their WHS policies and procedures reflect current legislation requirements including the need to manage psychosocial risks.

 

Internal controls are processes, policies and procedures that help agencies to:

  • operate effectively and efficiently
  • produce reliable financial reports
  • comply with laws and regulations
  • support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies found across agencies.

For consistency and comparability, we have adjusted the 2022 results to incorporate additional audit findings that were reported after the date of the Internal controls and governance 2022 report. Therefore, the 2022 figures will not necessarily align with those reported in our 2022 report.

Section highlights

  • The Audit Office identified 12 high-risk findings, compared to 23 last year, with eight repeated from last year. Eleven of the high-risk findings related to financial controls while one related to other (governance) controls.
  • The proportion of repeat deficiencies has decreased from 48% in 2021–22 to 38% in 2022–23. 

 

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

Section highlights

  • Over half of the agencies reviewed have deficiencies in managing user access.
  • Thirty-six per cent of agencies had deficiencies in their controls over privileged accounts.
  • Weaknesses were identified in how agencies manage service providers or other organisations which have access to their systems and data.
  • Inadequate records were kept to demonstrate approvals for key system implementation milestones, including successful data migration testing and approval for go-live.
  • Thirty-two per cent of agencies had not implemented segregations of duties over key payroll functions. 

 

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security.

Section highlights

  • Eighty-three per cent of maturity assessments have reported one or more Mandatory Requirements below level three, which is the level at which the requirement is self-assessed and considered to be practiced on a consistent and regular basis.
  • Essential Eight maturity levels have remained unchanged or have declined, and may not be suitable for the level of risk agencies face.
  • All 25 agencies reviewed have a cyber incident response plan and all but two newly created agencies tested their plan.
  • Systems to detect cyber incidents across agencies could improve.
  • There is a risk of under reporting cyber incidents at six agencies that kept insufficient records to support their cyber incident classifications.
  • Overall, agencies need to increase their focus and prioritise efforts to ensure effective cyber security and resilience measures are in place. 

 

Governance in the context of the NSW public service refers to the structures, processes, and mechanisms by which government departments and agencies are held to account when they make decisions and implement policies and programs in the service of the public interest. It also includes the principles and practices that guide how these agencies work together.

This chapter outlines our audit observations, conclusions and recommendations from our review of agencies' governance frameworks and practices, with consideration of NSW Treasury issued policies and best practices. It focuses on two key areas: governance arrangements and risk management.

Section highlights

  • Whilst agencies have generally adopted governance and risk management frameworks that align with Treasury issued policies and best practices, we noted deficiencies, including:
    • 20% of governing boards operated without a board charter
    • 16% of agencies had risk management policies that were beyond their scheduled review date
    • 16% of agencies did not have a risk appetite statement
    • 28% of agency internal audit functions have not been externally evaluated in the last five years.
  • Agencies should perform periodic assessments/reviews of their risk maturity and implement action plans where required. 

 

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' payroll controls and management of work health and safety (WHS).

Section highlights

  • Agencies should improve their controls around payroll masterfile maintenance, such as enforcing segregation of duties in system access levels and ensuring changes to data are reviewed by an independent officer.
  • On average, overtime expenses represented three per cent of total salaries and wages in 2023 and have increased by 40.2% since 2020, compared to salaries and wages which increased by 16.3% over the same period.
  • Five agencies have outdated WHS policies, which do not reflect changes to WHS regulations. Sixteen per cent of agencies have not included psychosocial hazards in their WHS procedures or risk assessment process. 

 

Published

Actions for Treasury 2023

Treasury 2023

Treasury
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Management and administration
Procurement
Regulation
Risk
Service delivery
Shared services and collaboration

What this report is about

Result of the Treasury portfolio of agencies’ financial statement audits for the year ended 30 June 2023.

The results of the audit of the NSW Government’s consolidated Total State Sector Accounts (TSSA), which are prepared by NSW Treasury, will be reported separately in our report on ‘State Finances 2023’.

The audit found

Unqualified audit opinions were issued on all general purpose financial statement audits.

Qualified audit opinions were issued on two of the 24 other engagements prepared by portfolio agencies. These related to payments made from Special Deposit Accounts that did not comply with the relevant legislation.

The number of monetary misstatements identified in our audits increased from 29 in 2021–22 to 39 in 2022–23.

The new parental leave policy impacted agencies across all portfolios. NSW Treasury should perform annual assessments to identify changes in legislation and regulation and provide timely guidance to the sector.

Transport for NSW and Sydney Metro have capitalised over $300 million of tender bid costs paid to unsuccessful tender bidders relating to significant infrastructure projects. Whilst NSW Treasury policy provides clarity on the reimbursement of unsuccessful bidders’ costs, clearer guidance on how to account for these costs in agencies’ financial statements is required.

The key audit issues were

Five high-risk issues were reported in 2022–23. Three were new findings on contract management, accounting treatments for workers compensation renewal premium adjustments and the management and oversight of a Special Deposit Account. Two repeat issues referred to the need to improve quality review processes over financial reporting and the timely approval of administration costs.

Portfolio agencies should prioritise and action recommendations to address internal control deficiencies.

 

This report provides Parliament and other users of the Treasury portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

  • financial reporting
  • audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury portfolio of agencies (the portfolio) for 2023.

Section highlights

  • Unqualified audit opinions were issued on all Treasury portfolio agencies’ 2022–23 financial statements.
  • Two qualified audit opinions were issued on special purpose financial reports, relating to whether payments from the Electricity Retained Interest Corporation – Ausgrid (ERIC-A) Fund and the Electricity Retained Interest Corporation – Endeavour (ERIC-E) Fund, complied with the relevant legislation.
  • The total number of errors (both corrected and uncorrected) in the financial statements increased from 29 in 2021–22 to 39 in 2022–23.
    Reported corrected misstatements increased from 15 in 2021–22 to 25 with a gross value of $7.1 billion in 2022–23. Reported uncorrected misstatements increased from 13 in 2021–22 to 14 in 2022–23, with a gross value of $277.6 million in 2022–23.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury portfolio.

Section highlights

  • Five high-risk issues were reported in 2022–23. Three were new findings on contract management, accounting treatments for workers compensation renewal premium adjustments and the management and oversight of a Special Deposit Account.
  • A further 35 moderate risk findings were reported in 2022–23, of which ten were repeat findings.
  • Some agencies have again spent monies without an authorised delegation.
  • The quality of information provided for audit purposes needs to improve.

 

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Acquittals and other opinions

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.