Refine search

Reports

19 December 2023

Published

Treasury 2023

Treasury

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Regulation

Risk

Service delivery

Shared services and collaboration

What this report is about

Result of the Treasury portfolio of agencies’ financial statement audits for the year ended 30 June 2023.

The results of the audit of the NSW Government’s consolidated Total State Sector Accounts (TSSA), which are prepared by NSW Treasury, will be reported separately in our report on ‘State Finances 2023’.

The audit found

Unqualified audit opinions were issued on all general purpose financial statement audits.

Qualified audit opinions were issued on two of the 24 other engagements prepared by portfolio agencies. These related to payments made from Special Deposit Accounts that did not comply with the relevant legislation.

The number of monetary misstatements identified in our audits increased from 29 in 2021–22 to 39 in 2022–23.

The new parental leave policy impacted agencies across all portfolios. NSW Treasury should perform annual assessments to identify changes in legislation and regulation and provide timely guidance to the sector.

Transport for NSW and Sydney Metro have capitalised over $300 million of tender bid costs paid to unsuccessful tender bidders relating to significant infrastructure projects. Whilst NSW Treasury policy provides clarity on the reimbursement of unsuccessful bidders’ costs, clearer guidance on how to account for these costs in agencies’ financial statements is required.

The key audit issues were

Five high-risk issues were reported in 2022–23. Three were new findings on contract management, accounting treatments for workers compensation renewal premium adjustments and the management and oversight of a Special Deposit Account. Two repeat issues referred to the need to improve quality review processes over financial reporting and the timely approval of administration costs.

Portfolio agencies should prioritise and action recommendations to address internal control deficiencies.

This report provides Parliament and other users of the Treasury portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury portfolio of agencies (the portfolio) for 2023.

Section highlights

Unqualified audit opinions were issued on all Treasury portfolio agencies’ 2022–23 financial statements.
Two qualified audit opinions were issued on special purpose financial reports, relating to whether payments from the Electricity Retained Interest Corporation – Ausgrid (ERIC-A) Fund and the Electricity Retained Interest Corporation – Endeavour (ERIC-E) Fund, complied with the relevant legislation.
The total number of errors (both corrected and uncorrected) in the financial statements increased from 29 in 2021–22 to 39 in 2022–23.
Reported corrected misstatements increased from 15 in 2021–22 to 25 with a gross value of $7.1 billion in 2022–23. Reported uncorrected misstatements increased from 13 in 2021–22 to 14 in 2022–23, with a gross value of $277.6 million in 2022–23.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury portfolio.

Section highlights

Five high-risk issues were reported in 2022–23. Three were new findings on contract management, accounting treatments for workers compensation renewal premium adjustments and the management and oversight of a Special Deposit Account.
A further 35 moderate risk findings were reported in 2022–23, of which ten were repeat findings.
Some agencies have again spent monies without an authorised delegation.
The quality of information provided for audit purposes needs to improve.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Acquittals and other opinions

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

1 June 2023

Published

Natural disasters

Community Services

Environment

Finance

Local Government

Planning

Transport

Treasury

Whole of Government

Asset valuation

Compliance

Financial reporting

Infrastructure

Regulation

Risk

Service delivery

What this report is about

This report draws together the financial impact of natural disasters on agencies integral to the response and impact of natural disasters during 2021–22.

What we found

Over the 2021–22 financial year $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters.

Total expenses were less than the budget due to underspend in the following areas:

clean-up assistance, including council grants
anticipated temporary accommodation support
payments relating to the Northern Rivers Business Support scheme for small businesses.

Natural disaster events damaged council assets such as roads, bridges, waste collection centres and other facilities used to provide essential services. Additional staff, contractors and experts were engaged to restore and repair damaged assets and minimise disruption to service delivery.

At 30 June 2022, the estimated damage to council infrastructure assets totalled $349 million.

Over the first half of the 2022–23 financial year, councils experienced further damage to infrastructure assets due to natural disasters. NSW Government spending on natural disasters continued with a further $1.1 billion spent over this period.

Thirty-six councils did not identify climate change or natural disaster as a strategic risk despite 22 of these having at least one natural disaster during 2021–22.

Section highlights

$1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters during 2021–22.
Budget underspent for temporary housing and small business support as lower than expected need.

Section highlights

83 local council areas were impacted by natural disasters during 2021–22, with 58 being impacted by more than one type of natural disaster.
$349 million damage to council infrastructure assets at 30 June 2022.

24 January 2023

Published

Design and implementation of the Transport Asset Holding Entity

Transport

Treasury

Asset valuation

Financial reporting

Infrastructure

Procurement

Risk

Service delivery

What the report is about

The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.

Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.

What we found

The design and implementation of TAHE, which spanned seven years, was not effective.

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

What we recommended

We recommended that the audited agencies should:

improve accountability and transparency for major new fiscal transformation initiatives
ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.

The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.

TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.

Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).

TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.

TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.

TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.

About this audit

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether:

the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
agencies' roles and responsibilities were clear in the planning of TAHE
agencies effectively identified and managed certain risks.

Conclusion

The design and implementation of TAHE was not effective. The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments to sustain TAHE through continuing investment, and funding of the state owned rail operators. The ineffective process to design TAHE delivered a model that entails significant uncertainty as to whether the anticipated longer-term financial improvements to the Budget position can be achieved or sustained.

NSW Treasury and TfNSW had different objectives for TAHE

Up to June 2013, RailCorp had been the owner and operator of rail services and maintainer of the metropolitan rail network for almost a decade. It had been operating as a not-for-profit Public Non-Financial Corporation (PNFC).

In 2012, NSW Treasury (hereafter Treasury) decided there was a risk that the Australian Bureau of Statistics (ABS) would reclassify RailCorp to the General Government Sector (GGS), meaning depreciation expenses of approximately $870 million would be reflected in the GGS Budget. Treasury wanted to avoid this impact on the GGS Budget, and considered the establishment of a transport asset holding entity as a means to do so. Capital grants to RailCorp were being treated as an expense to the GGS Budget.

TfNSW also wanted an asset holding entity – but one that would be a non-trading ‘shell’ company with no staff that would hold and manage all public transport assets. TfNSW's concept envisaged the entity would have a structure that would enable future public transport reforms and strategic directions while ensuring vertical integration of operations between asset owners and the rail operators to maintain rail safety.

However, Treasury pursued its objective to improve the GGS Budget result, and sought to expand on TfNSW's 'shell' asset holding entity concept. Treasury wanted an entity that could generate a return on investment, as this meant that government investment in transport assets could be treated as equity investments, rather than a Budget expense, and in turn improve the GGS Budget position. As an example of the potential impact of creating this new entity, capital grants of $2.3 billion were paid to RailCorp in 2013–14. If Treasury's objective was met, grants of this significance would then be treated as an equity investment, rather than an expense in the GGS Budget.

In 2017, Treasury's preferred option was progressed through legislation, but both agencies' central objectives for the proposed asset holding entity would continue to prove difficult to reconcile. To achieve Treasury's objective to improve the Budget result, the entity would need to generate a return on investment (this is further discussed below). However, TfNSW expressed concerns that the prioritisation of rail safety, and the effective management of governance, regulation and operations would be more complex in an entity with commercial imperatives.

Asset holding entities are a common approach to the management of transport assets in Australia and internationally, and there are a range of approaches to how they are structured and used. Such structures should be driven by the goal of improved asset management. Ultimately, TfNSW's objectives could have been delivered through a simpler entity structure. However, reconciling TfNSW's objectives with Treasury's imperative to deliver and justify a Budget improvement in the short-term resulted in an overly lengthy process and an unnecessarily complex outcome that places an obligation on future governments to sustain. There is still significant uncertainty as to whether the short-term improvements to the Budget can continue to be realised in the longer-term.

The Budget benefits of TAHE were claimed before the entity was legislated, committing the agencies to deliver, regardless of the complexities that subsequently arose

The 2015–16 GGS Budget treated the government's investment in TAHE (still known at this time as RailCorp) as an equity contribution. This had the immediate impact of improving the Budget result by $1.8 billion per annum. However, the legislation to enable the establishment of TAHE had not yet been passed by Parliament, key elements of the operating model were still under development, and imminent changes in accounting standards had the potential to impact TAHE's financial model. The decision to book the benefits in the Budget early committed the involved agencies to implement a solution that justified the 2015–16 Budget impacts, irrespective of the challenges that arose.

TAHE's financial structure requires circular government investment to work

For the NSW Government to continue to treat its investment in TAHE as an equity contribution, rather than an expense to the Budget, there must be a reasonable expectation that TAHE will generate a sufficient rate of return as required by the Government Finance Statistics (GFS) framework. In doing so, it needs to recover a revaluation loss created by a $20.3 billion reduction in the value of its assets which was incurred in its first full year of operation. This loss occurred as a result of a revaluation of TAHE's assets when RailCorp (a not-for profit entity) became TAHE (a for-profit commercial entity) – and is discussed further in the 'Key findings' below.

TAHE generates a small portion of its income from transactions with the private sector but, as noted in our report 'State Finances 2021', TAHE receives the majority of its revenue (more than 80%) from access and licence fee agreements with Sydney Trains and NSW Trains. Both of these entities are funded by grants (a Budget expense) to TfNSW from the GGS Budget.

Based on Treasury’s correspondence with the ABS in 2015, TAHE was initially expected to pay a return on equity of 7% in 2016–17. The assumption of a 7% return persisted through to 2018, after the legislation enabling the establishment of TAHE was passed by Parliament. However, when the initial access and licence fees were agreed on 1 July 2020, this figure had been revised to an expected rate of return of 1.5% excluding the revaluation loss. This was below the long-term inflation target and did not include the recovery of the revaluation loss – risking the government's ability to treat its investment in TAHE as an equity contribution. Importantly, as TAHE is primarily reliant on fees paid by the state owned rail operators that, in turn, are funded by the GGS Budget (as an expense), the decision to change the returns model from 7% to 1.5% would in its own right have had a positive impact on the GGS Budget. However, the decision to use a 1.5% return would ultimately be problematic as it made it difficult to treat the government's contributions to TAHE as an equity investment, as discussed below.

On 14 December 2021, to avoid a qualified audit opinion, the NSW Government made the decision to increase TAHE's expected rate of return to 2.5%, equal to the Reserve Bank’s long-term inflation target.

In 2021-22, TAHE needed to start charging rail operators higher access and licence fees in order to generate a return of 2.5%, so as to support the government's treatment of its investment in TAHE as an equity contribution in the GGS Budget. This meant the government needed to provide additional grant (expense) funding to the state owned rail operators so they could pay the increased access and licence fees to TAHE. Based on current projections, TAHE is not expected to recover the revaluation loss until 2046.

There remains a risk that TAHE will not be able to generate a sufficient return on the NSW Government's investment without relying on increased funding to state owned rail operators so that they can in turn pay the higher access and licence fees. TAHE's ability to generate returns on government investment from other sources are uncertain and may not be achievable or sustainable. Current modelling highlights that TAHE remains largely reliant, through to 2046, on increasing fees (which are assumed to increase at 2.5% per annum from 2031 onwards when the current 10 year contracts with rail operators expire) paid by the state owned rail operators that remain principally reliant on GGS Budget grants.

The process of designing and implementing TAHE was not transparent to independent scrutiny

Our report 'State Finances 2021' commented that Treasury did not always provide this Office with information relating to TAHE on a timely basis. Similarly, during this performance audit, there were also multiple instances where auditees were unable to provide documentation regarding key activities in the process to deliver TAHE. Agencies also applied higher sensitivity classifications to large tranches of documents than was justified or required by policy. Of particular concern is the incorrect classification of documents as Cabinet sensitive information. The incorrect or over-classification of documentation as Cabinet sensitive delayed this Office's ability to provide scrutiny or independent assurance.

There was a lack of clarity around the roles and responsibilities of governance structures set up to oversee the design and implementation of TAHE

From 2014, multiple workstreams and advisory committees were established to progress the design and implementation of TAHE. For some of these committees and workstreams, there is limited information on what they were tasked to do and what they achieved. Most had ceased meeting by 2018, before significant work needed to deliver TAHE was completed.

The lack of clarity around the roles and responsibilities of these governance structures reduced opportunities for TfNSW and Treasury to reconcile their differing objectives for TAHE, and resolve key questions earlier in the process.

There was a heavy reliance on consulting firms throughout the process to establish TAHE, and the management of consultant engagements failed to ensure that agencies received independent advice to support objective decision-making

In 2020, Treasury and TfNSW failed to prevent, identify, or adequately manage a conflict of interest when they engaged the same 'Big 4' consulting firm to work on separate TAHE-related projects. Both agencies used the firm's work to further their respective views with regard to the financial implications of TAHE's operating model. At this time those views were still unreconciled.

Treasury engaged the firm to provide a fiscal risk management strategy and advice on the impact of changes to accounting standards. TfNSW engaged the same firm to develop operating and financial models for TAHE, which raised concerns regarding the viability of TAHE. Disputes arose around the findings of these reports. Treasury disagreed with some of the outcomes of the work commissioned by TfNSW, relating to accounting treatment and fiscal advice.

The management of this conflict (real or perceived) was left to the 'Big 4' consulting firm when it was more appropriate for it to be managed by Treasury and TfNSW. If these agencies had communicated more effectively, used available governance structures consistently, and shared information openly about their use of the firm and the nature of their respective engagements, these disputes might have been avoided. This issue, coupled with deficiencies in procurement by both agencies, reflected and further perpetuated the lack of cohesion in the design and implementation of TAHE.

More broadly, over the period 2014 – 2021, 16 separate consulting firms were employed to work on 36 contracts, valued at over $22.56 million, relating to TAHE ranging from accounting and legal advice, project management, and the provision of administrative support and secretariat services.

Consultants are legitimately used by agencies to provide advice on how to achieve the outcomes determined by government, including advising agencies on the risks and challenges in achieving those outcomes. Similarly, consultants can provide expert knowledge in the service of achieving those outcomes and managing the risks. However, the heavy reliance on consulting firms during the design and implementation of TAHE heightened the risk that agencies were not receiving value for money, were outsourcing tasks that should be performed by the public service, and did not mitigate the risk that the advice received was not objective and impartial. The risk that the role of consultants could have been blurred between providing independent advice to government on options and facilitating a pre-determined outcome was not effectively treated or mitigated. This risk was amplified because a small number of firms were used repeatedly to provide advice on one topic. The effective procurement and management of consultants is an obligation of government agencies.

Appendix one – Responses from audited agencies, and Audit Office clarification of matters raised in the TAHE formal response

Appendix two – Classification of government entities

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #372 - released 24 January 2023

23 December 2022

Published

Treasury 2022

Treasury

Asset valuation

Compliance

Cyber security

Financial reporting

Information technology

Internal controls and governance

Management and administration

Procurement

Regulation

Risk

Service delivery

Shared services and collaboration

What the report is about

Results of the Treasury cluster agencies' financial statement audits for the year ended 30 June 2022.

The results of the audit of the NSW Government's consolidated Total State Sector Accounts (TSSA), which is prepared by NSW Treasury, are reported separately in our report on 'State Finances 2022'.

What we found

Unmodified audit opinions were issued on all 30 June 2022 general purpose financial statement audits.

Qualified audit opinions were issued on three of the 25 other engagements prepared by cluster agencies. These related to payments made from Special Deposit Accounts (SDA) that did not comply with the relevant legislation.

What the key issues were

Commercial agreements were signed between TAHE, the operators and Transport for NSW in June 2022, which reflected an expected rate of return of 2.5% on contributed equity. However, it remains critical that the government continue to provide sufficient funding to the operators so they can pay for access and use TAHE assets. These findings are reported in our report on 'State Finances 2022'.

Eight high-risk issues were raised in 2021–22, of which five relate to NSW Treasury.

A number of previously reported audit findings and recommendations with respect to icare continue to be ongoing issues. This includes the Workers Compensation Nominal Insurer continuing to hold less assets than the estimated present value of its future payment obligations, when measured in accordance with the accounting framework.

What we recommended

Our report on 'State Finances 2022' made several recommendations to improve NSW Treasury's processes.

In this report, we recommended icare should ensure:

it has sufficient controls in place over claim payments, including an effective quality assurance program, to minimise claim payment errors
that documentation to support PIAWE calculations is appropriately maintained, and that the minimum documentation requirements are set out in a policy.

This report provides Parliament and other users of the Treasury cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury cluster (the cluster) for 2022.

Section highlights

Unqualified audit opinions were issued on the general purpose financial statements of all cluster agencies.
A qualified opinion was issued on the NSW Government's consolidated Total State Sector Accounts (TSSA), which are prepared by NSW Treasury. This is reported separately in our 'State Finances 2022' NSW Auditor-General's Report to Parliament.
Three qualified audit opinions were issued on special purpose financial reports, relating to whether payments from the funds complied with the relevant legislation.
Reported corrected misstatements increased from seven in 2020–21 to ten in 2021–22 with a gross value of $808.6 million. Reported uncorrected misstatements decreased from 17 in 2020–21 to 11 in 2021–22 with a gross value of $85.7 million.
Nine of 15 cluster agencies either did not submit or did not complete certain mandatory early close procedures on time.
NSW Treasury corrected a $39.7 million prior period error retrospectively in the financial statements as it overstated its accrual at 30 June 2021 relating to hotel quarantine costs.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury cluster.

Section highlights

Eight high-risk issues were identified in 2021–22, an increase from four high-risk and one extreme risk in 2020–21. A further 31 moderate risk findings were reported in 2021–22, of which 12 were repeat findings.
Inconsistencies in the Government Sector Finance Act 2018 (GSF Act) and Government Sector Audit Act 1983 (GSA Act) relating to key statutory timeframes have been addressed.
Further to last year's reporting, some agencies have again spent moneys without an authorised delegation.
There was a lack of quality review of submissions for audit by NSW Treasury.
The Nominal Insurer's net assets decreased from a $2.5 billion surplus at 30 June 2018, to a $1.2 billion deficiency at 30 June 2022.
The Nominal Insurer's return-to-work rates stabilised, but remain below the performance levels prior to the COVID-19 pandemic.
The Nominal Insurer paid $29.5 million in 2021–22 to remediate historical underpayment of compensation benefits to workers (Pre-Injury Average Weekly Earnings (PIAWE) payments), and a further $8.5 million was payable at 30 June 2022.
During its review of historical PIAWE errors, icare found that indexation may have been incorrectly applied, or failed to have been applied when determining injured worker entitlements within the Nominal Insurer between 2012 and 2019. Based on calculations provided by icare, the Audit Office reported an uncorrected judgemental misstatement of $28.5 million (understatement).

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Acquittals and other opinions

Copyright notice

30 June 2022

Published

Audit Insights 2018-2022

Community Services

Education

Environment

Finance

Health

Industry

Justice

Local Government

Premier and Cabinet

Planning

Transport

Treasury

Universities

Whole of Government

Asset valuation

Cross-agency collaboration

Compliance

Cyber security

Financial reporting

Fraud

Information technology

Infrastructure

Internal controls and governance

Management and administration

Procurement

Project management

Regulation

Risk

Service delivery

Shared services and collaboration

Workforce and capability

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

Integrity and transparency
Performance and monitoring
Governance and oversight
Cyber security and data
System planning for disruption
Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

Fast facts

72 audits included in the Audit Insights 2018–2022 analysis
4 years of audits tabled by the Auditor-General for New South Wales
6 key themes for Audit Insights 2018–2022.

picture of Margaret Crawford Auditor-General for New South Wales in black dress with city skyline as background I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

Integrity and transparency	Performance and monitoring	Governance and oversight	Cyber security and data	System planning	Resource management
Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption.	Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds.	The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work.	Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture.	Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination.	Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest.
Government entities should report to the public at both system and project level for transparency and accountability.	Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact.	Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls.	In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite.	Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders.	Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds.
Entities must provide balanced advice to decision-makers on the benefits and risks of investments.	Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery.	Active review of policies and procedures in line with current business activities supports more effective risk management.	Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting.	Formal structures and systems to facilitate coordination between agencies is critical to more efficient allocation of resources and to facilitate a timely response to unexpected events.	Transformation programs can be improved by resourcing a program management office.
Clear guidelines and transparency of decisions are critical in distributing grant funding.	Quality assurance should underpin key inputs that support performance monitoring and accounting judgements.	Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues.			Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need.
Governments must ensure timely and complete provision of information to support governance, integrity and audit processes.
Read more	Read more	Read more	Read more	Read more	Read more

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

20 May 2022

Published

COVID-19: response, recovery and impact

Community Services

Education

Health

Justice

Premier and Cabinet

Transport

Treasury

Whole of Government

Cross-agency collaboration

Financial reporting

Management and administration

Service delivery

Shared services and collaboration

What the report is about

This report draws together the financial impact of COVID-19 on the agencies integral to responses across the state government sector of New South Wales.

What we found

Since the COVID-19 pandemic hit NSW in January 2020, and until 30 June 2021, $7.5 billion was spent by state government agencies for health and economic stimulus. The response was largely funded by borrowings.

The key areas of spending since the start of COVID-19 in NSW to 30 June 2021 were:

direct health response measures – $2.2 billion
personal protective equipment – $1.4 billion
small business grants – $795 million
quarantine costs – $613 million
increases in employee expenses and cleaning costs across most agencies
vaccine distribution, including vaccination hubs – $71 million.

The COVID-19 pandemic significantly impacted the financial performance and position of state government agencies.

Decreases in revenue from providing goods and services were offset by increases in appropriations, grants and contributions, for health and economic stimulus funding in response to the pandemic.

Most agencies had expense growth, due to additional operating requirements to manage and respond to the pandemic along with implementing new or expanded stimulus programs and initiatives.

Response measures for COVID-19 have meant the NSW Government is unlikely to meet targets in the Fiscal Responsibility Act 2012 being:

annual expense growth kept below long-term average revenue growth
elimination of State’s unfunded superannuation liability by 2030.

Fast facts

First COVID-19 case in NSW on 25 January 2020
COVID-19 vaccinations commenced on 21 February 2021
By 31 December 2021, 25.2 million PCR tests had been performed in NSW and 13.6 million vaccines administered, with 93.6% of the 16 and over population receiving two doses
During 2020–21, NSW Health employed an extra 4,893 full-time staff and incurred $28 million in overtime mainly in response to COVID-19
During 2020–21, $1.2 billion was spent on direct health COVID-19 response measures and $532 million was spent on quarantine for incoming international travellers

Section highlights

Up to 30 June 2021, $7.5 billion has been spent by state government agencies for health and economic stimulus.
Revenue increased for most agencies as falling revenue from providing goods and services was offset by additional funding from appropriations, grants and contributions.
Expenses increased as most agencies incurred additional costs to manage and respond to the pandemic along with delivering stimulus and support programs.
Borrowings of $7.5 billion over the last two years helped to fund the response to COVID-19.

Section highlights

NSW Government unlikely to meet targets in Fiscal Responsibility Act 2012.

7 September 2021

Published

Managing climate risks to assets and services

Planning

Environment

Treasury

Industry

Infrastructure

Management and administration

Risk

Service delivery

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

enhance the coordination of climate risk management across agencies
implement climate risk management across their clusters.

DPIE should:

update information and strengthen education to agencies, and monitor progress
review relevant land-use planning, development and building guidance
deliver a climate change adaptation action plan for the state.

NSW Treasury should:

strengthen climate risk-related guidance to agencies
coordinate guidance on resilience in infrastructure planning
review how climate risks have been assured in agencies’ asset management plans.

Fast facts

4 years

between commitments in the NSW Climate Change Policy Framework, and DPIE and NSW Treasury producing key supports to agencies for climate risk management.

$120bn

Value of physical assets held by nine NSW Government entities we examined that have not completed climate risk assessments.

Low capability to do climate risk assessment has been found across state agencies. The total value of NSW Government physical assets is $365 billion, as at 30 June 2020.

x3

NSW Treasury’s estimates of the annual fiscal and economic costs associated with natural disasters will triple by 2060–61.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

use robust climate projection information to understand the potential climate impacts
undertake sound climate risk assessments, within an enterprise risk management framework
implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Conclusion

The Department of Planning, Industry and Environment (the department) has made climate projections available to agencies since 2014, but provided limited guidance to assist agencies to identify and manage climate risks. NSW Treasury first noted climate change as a contextual factor in its 2012 guidance on risk management. NSW Treasury only clarified requirements for agencies to integrate climate considerations into their risk management processes in December 2020.

The department has not delivered on a NSW Government commitment for a state-wide climate change adaptation action plan, which was meant to be completed in 2017. Currently many state agencies that own or manage assets and provide services do not have climate risk management in place.

Since 2019, the department and NSW Treasury have worked in partnership to develop a coordinated approach to supporting agencies to manage these risks. This includes guidance to agencies on climate risk assessment and adaptation planning published in 2021.

More work is needed to embed, sustain and lead effective climate risk management across the NSW public sector, especially for the state's critical infrastructure and essential services that may be exposed to climate change impacts.

The NSW Government set directions in the 2016 NSW Climate Change Policy Framework to 'manage the impact of climate change on its assets and services by embedding climate change considerations into asset and risk management’ and more broadly into 'government decision-making'.

The department released climate projections and has made information on projected climate change impacts available since 2014, but this has not been effectively communicated to agencies. The absence of a state-wide climate change adaptation action plan has limited the department's implementation of a coordinated, well-communicated program of support to agencies for their climate risk management.

NSW Treasury is responsible for managing the state's finances and providing stewardship to the public sector on financial and risk management, but it did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019. NSW Treasury estimates the financial costs of climate-related physical risks are significant and will continue to grow.

The partnership between the department and NSW Treasury has produced the 2021 Climate Risk Ready NSW Guide and Course, which aim to help agencies understand their exposure to climate risks and develop adaptation responses. The Guide maps out a process for climate risk assessment and adaptation planning and is referenced in NSW Treasury policy on internal audit and risk management. It is also referenced in NSW Treasury guidance to agencies on how to reflect the effects of climate-related matters in financial statements.

There is more work to be done by the department on maintaining robust, accessible climate information and educating agencies in its use. NSW Treasury will need to continue to update its policies, guidance and economic analyses with relevant climate considerations to support an informed, coordinated approach to managing physical climate risks to agencies' assets and services, and to the state's finances more broadly.

The effectiveness of the department and NSW Treasury's support involves the proactive and sustained take-up of climate risk management by state agencies. There is a key role for the department and NSW Treasury in monitoring this progress and its results.

Prior to 2021, support provided by the Department of Planning, Industry and Environment (the department) to agencies for managing physical climate risks to their assets and services has been limited. NSW Treasury has a stewardship role in public sector performance, including risk management, but has not had a defined role in working with the department on climate risk matters until mid-2019. The low capacity of agencies to undertake this work has been known to NSW Government through agency surveys by the department in 2015 and by the department and NSW Treasury in 2018.

The support delivered to agencies around climate risk management, including risk assessment and adaptation planning, has been slow to start and of limited impact. The department's capacity to implement a coordinated approach to supporting agencies has also been limited by the absence of a state-wide adaptation strategy and related action plan.

In 2021, products were released by the department and NSW Treasury with potential to improve support to agencies on climate risk assessment and adaption planning (that this, Climate Risk Ready NSW Guide and Course, which provides links to key NSW Treasury polices). The department and NSW Treasury are now leading work to develop a more coordinated approach to climate risk management for agencies' assets and services, and building the resilience of the state to climate risk more broadly.

Climate projections are a key means of understanding the potential impacts of climate change, which is an important step in the climate risk assessment process. The Department of Planning, Industry and Environment (the department) used a robust approach to develop its climate projections (NARCliM). The full version of NARCliM (v1.0) is based on 2007 models¹¹ and while still relevant, this has limited its perceived usefulness and uptake. The process of updating these projections requires significant resourcing. The department has made recent updates to enhance the currency and usefulness of its climate projections. NARCliM (v2.0) should be available in 2022.

While climate projections have been available to agencies and the community more broadly since 2013–14, the department has not been effective in educating the relevant data users within agencies in how to use the information for climate risk assessments and adaptation planning.

The absence of a strategy focused on this is significant and has contributed to the current low levels of climate risk assessment uptake across agencies (see section 2). Agencies are required to use the climate projections developed by the department when developing long term plans and strategies as part of the NSW Government Common Planning Assumptions.

¹¹The department advises the 2007 global climate models were released to users by the Intergovernmental Panel on Climate Change in 2010.

It is too soon to determine the impact of the 2021 Climate Risk Ready NSW (CRR) Guide and Course, produced by the Department of Planning, Industry and Environment (the department) and NSW Treasury. But there are opportunities for these agencies to progress these developments in partnership: especially with the establishment of senior executive steering and oversight committees related to climate risk.

For the department, key opportunities to embed climate risk management include leveraging land use planning policies and guidance to drive adaptation, which has potential to better protect the state's assets and services. NSW Treasury has a role in continuing to update its policies, guidance and economic analyses with relevant climate change considerations to support an informed, coordinated approach to addressing physical climate risks to agencies' assets and services, and to the state's finances more broadly.

There is currently no plan on how the department and NSW Treasury intend to routinely monitor the progress of agencies with implementing the CRR Guide or developing climate risk 'maturity' more broadly. As agencies are responsible for implementing risk management systems that meet NSW Treasury standards, which now clearly includes consideration of climate risk (TPP20-08), establishing effective monitoring, reporting and accountability around this progress should be a priority for the department and NSW Treasury.

Appendix one – Response from agencies

Appendix two – Timeline of key activities

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #355 - released (7 September 2021).

24 November 2020

Published

Internal controls and governance 2020

Education

Environment

Community Services

Finance

Health

Industry

Justice

Premier and Cabinet

Transport

Treasury

Compliance

Cyber security

Information technology

Internal controls and governance

Management and administration

Procurement

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

financial and information technology controls
business continuity and disaster recovery planning arrangements
procurement, including emergency procurement
delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

New, repeat and high risk findings

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

prioritise addressing high-risk findings
address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

Common findings

A number of findings remain common across multiple agencies over the last four years, including:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

2. Information technology controls

IT general controls

We found deficiencies in information security controls over key financial systems including:

user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
privileged users were not appropriately monitored at 43 per cent of agencies
deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

3. Business continuity and disaster recovery planning

Assessing risks to business continuity and Scenario testing

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

involving key dependent or inter-dependent third parties who support or deliver critical business functions
testing one or more high impact scenarios identified in their business continuity plan
preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Responding to disruptions

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Management review and oversight

Eighty-two per cent and 86 per cent of agencies report to their audit and risk committees (ARC) on their business continuity and disaster recovery planning arrangements, respectively. Only 18 per cent and five per cent of ARCs are briefed on the results of respective scenario testing. Briefing ARCs on the results of scenario testing exercises helps inform their decisions about whether sound and effective business continuity and disaster recovery arrangements have been established.

4. Procurement, including emergency procurement

Policy framework	Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework. Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.
Managing contracts	Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details. Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.
Training and support	Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including: not conducting value for money assessments prior to renewing or extending the contract with their existing supplier not obtaining approval from a delegated authority to commence the procurement process procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services. Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.
Procurement activities	While agencies had implemented controls for tender activities above $650,000, 43 per cent of unaccredited agencies did not comply with the NSW Procurement Policy Framework because they had not had their procurement endorsed by an accredited agency within the cluster or by NSW Procurement. This endorsement aims to ensure the procurement is properly planned to deliver a value for money outcome before it commences.
Emergency procurement	As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies. The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example: 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board. Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law. Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes: updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

5. Delegations

Instruments of delegation

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

16 per cent of agencies had not updated their financial delegations to reflect the changes
16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Compliance with delegations

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

6. Status of 2019 recommendations

Progress implementing last year's recommendations

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date or missing policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Section highlights

We found that agencies are not always regularly reviewing and updating their financial and human resources delegations when there are changes to legislation or other organisational changes within the agency or from machinery of government changes. For example, agencies did not understand or correctly apply the requirements of the GSF Act, resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

In order for agencies to operate efficiently, make necessary expenditure and human resource decisions quickly and lawfully, particularly in emergency situations, it is important that delegations are kept up to date, provide clear authority to decision makers and are widely communicated.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

9 April 2020

Published

Destination NSW's support for major events

Treasury

Financial reporting

Management and administration

Procurement

Project management

Service delivery

This report focuses on whether Destination NSW (DNSW) can demonstrate that its support for major events achieves value for money.

The audit found that DNSW’s processes for assessing and evaluating the major events it funds are mostly effective, but its public reporting does not provide enough transparency.

DNSW provides clear information to event organisers seeking funding and has a comprehensive methodology for conducting detailed event assessments. However, the reasons for decisions to progress events from the initial assessment to the detailed assessment stage are not documented in sufficient detail.

DNSW does not publish detailed information about the events it funds or the outcomes of these events. This means that members of the public are unable to see whether its activities achieve value for money. However, DNSW’s internal reporting to its key decision‑makers, including the CEO, the Board and the Minister is appropriate.

The Auditor-General made four recommendations to DNSW, aimed at improving the transparency of its activities, improving the documentation of decisions and certain compliance matters, and streamlining its approach to assessing and evaluating events that receive smaller amounts of funding.

Read full report (PDF)

Destination NSW (DNSW) provides funding to attract a range of major events to New South Wales, including high-profile professional sports matches and tournaments, musicals, art and museum exhibitions, and participation-focused events such as festivals and sports events that members of the public can enter. The NSW Government's rationale for providing funding is to encourage event organisers to hold events in New South Wales, and to ensure that events held in New South Wales maximise the potential for attracting overseas and interstate visitors.

This audit assessed whether DNSW can demonstrate that its support for major events achieves value for money. In making this assessment, the audit examined whether:

DNSW effectively assesses proposals to support major events
DNSW effectively evaluates the impact of its support for major events.

This audit focused on DNSW's work to attract major events to New South Wales. It did not assess DNSW's tourism promotion or development work, which includes developing tourism strategies, marketing and advertising campaigns, national and international partnerships, and regional programs.

Conclusion

Destination NSW's processes for assessing event applications and evaluating its support for major events are mostly effective. DNSW's internal systems allow it to know whether its decisions are achieving value for money. Its public reporting does not provide enough information about its activities and their outcomes, although it is consistent with that of equivalent organisations in other Australian jurisdictions.

DNSW's process for assessing applications for funding from organisers of major events is mostly effective. Clear information is provided to event organisers seeking funding, and DNSW has a comprehensive methodology for conducting detailed event assessments. However, the reasons for decisions to progress events from the initial assessment to the detailed assessment stage are not documented in sufficient detail.

DNSW has a framework for disclosure and monitoring staff conflicts of interest. However, its forms for staff to disclose conflicts of interest on specific events they are working on are ambiguous. DNSW's management of gifts and benefits broadly complies with the minimum standards set by the Public Service Commission, but there are some gaps in its implementation of these.

DNSW conducts an evaluation of each major event it supports. DNSW articulates expected outcomes in contracts with event organisers and uses a sound methodology to evaluate events. Internal reporting to its key decision-makers, including the CEO, the Board and the Minister is appropriate. However, DNSW does not publish detailed information about the events it funds or the outcomes of these events. This means that members of the public are unable to see whether its activities achieve value for money.

Appendix one – Response from Destination NSW

Appendix two – About the audit

Appendix three – Performance auditing

Copyright Notice

Parliamentary reference - Report number #332 - released 9 April 2020.

5 November 2019

Published

Internal Controls and Governance 2019

Education

Community Services

Finance

Health

Industry

Justice

Planning

Premier and Cabinet

Transport

Treasury

Whole of Government

Compliance

Cyber security

Fraud

Information technology

Internal controls and governance

Management and administration

Procurement

Project management

This report covers the findings and recommendations from the 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector. The 40 agencies selected for this report constitute around 84 per cent of total expenditure for all NSW public sector agencies.

The report provides insights into the effectiveness of controls and governance processes across the NSW public sector. It evaluates how agencies identify, mitigate and manage risks related to:

financial controls
information technology controls
gifts and benefits
internal audit
contingent labour
sensitive data.

The Auditor-General recommended that agencies do more to prioritise and address vulnerabilities in their internal controls and governance. The Auditor-General also recommended agencies increase the transparency of their management of gifts and benefits by publishing their registers on their websites.

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2019.

1. Internal control trends

New, repeat and high risk findings

There was an increase in internal control deficiencies of 12 per cent compared to last year. The increase is predominately due to a 100 per cent increase in repeat financial and IT control deficiencies.

Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

Common findings

A number of findings were common to multiple agencies. These findings often related to areas that are fundamental to good internal control environments and effective organisational governance, such as:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers
policies, procedures or controls no longer suited to the current organisational structure or business activities.

2. Information technology controls

IT general controls

We examined information security controls over key financial systems that support the preparation of agency financial statements. We found:

user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
an absence of privileged user activity reviews at 35 per cent of agencies
password controls that did not align to password policies at 20 per cent of agencies.

We also found 20 per cent of agencies had deficient IT program change controls, mainly related to segregation of duties in approval and authorisation processes, and user acceptance testing of program changes prior to deployment into production environments. User acceptance testing helps identify potential issues with software incompatibility, operational workflows, absent controls and software issues, as well as areas where training or user support may be required.

3. Gifts and benefits

Gifts and benefits registers

All agencies had a gifts and benefits policy and 90 per cent of agencies maintain a gifts and benefits register. However, 51 per cent of the gifts and benefits registers we examined contained incomplete declarations, such as missing details for the approving officer, value of the gift and/or benefit offered and reasons supporting the decision.

In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate, compliant with policy and were not direct or indirect inducements to the recipients to favour suppliers or service providers.

Agencies should ensure their gifts and benefits register includes all key fields specified in the Public Service Commission's minimum standards for gifts and benefits. Agencies should also perform regular reviews of the register to ensure completeness and ensure any gift or benefit accepted by a staff member meets the public's expectations for ethical behaviour.

Managing gifts and benefits

We found opportunities to improve gifts and benefits processes and enhance transparency. For example, only three per cent of agencies publish their gifts and benefits registers on their websites.

Agencies can improve management of gifts and benefits by:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers, suppliers and contractors
providing on-going training, awareness activities and support to employees, not just at induction
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

Reporting and monitoring

Only 35 per cent of agencies reported trends in the number and nature of gifts and benefits recorded in their registers to the agency's senior executive management and/or a governance committee.

Agencies should regularly report to the agency executive or other governance committee on trends in the offer and acceptance of gifts and benefits.

4. Internal audit

Obtaining value from the internal audit function

Agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value. For example, only 73 per cent of CAEs regularly attend meetings of the agency board or executive management committee.

Internal audit functions can add greater value by involving the CAE more extensively in executive forums as an observer.

Internal audit functions should also consider producing an annual report on internal audit. An annual report allows the internal audit function to report on their performance and add value by drawing to the attention of audit and risk committees and senior management strategic issues, thematic trends and emerging risks.

Role of the Chief Audit Executive

Forty-five per cent of agencies assigned responsibilities to the Chief Audit Executive (CAE) that were broader than internal audit, but 17 per cent of these had not documented safeguards to protect the independence of the CAE.

The reporting lines and status of the CAE at some agencies also needs review. At two agencies, the CAE reported to the CFO.

Agencies should ensure:

the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE does not report functionally or administratively to the finance function or other significant recipients of internal audit services
the CAE's duties are compatible with preserving their independence and where threats to independence exist, safeguards are documented and approved.

Quality assurance and improvement program

Thirty-five per cent of agencies did not have a documented quality assurance and improvement program for its internal audit function.

The policy and the International Standards for the Professional Practice of Internal Auditing require agencies to have a documented quality assurance and improvement program. The results of this program should be reported annually.

Agencies should ensure there is a documented and operational Quality Assurance and Improvement Program for the internal audit function that covers both internal and external assessments.

5. Managing contingent labour

Obtaining value for money from contingent labour

According to NSW Procurement data, spend on contingent labour has increased by 75 per cent over the last five years, to $1.5 billion in 2018–19. Improvements in internal processes and a renewed focus on agency monitoring and oversight of contingent labour can help ensure agencies get the best value for money from their contingent workforces.

Agencies can improve their management of contingent labour by:

preparing workforce plans to inform their resourcing strategy and ensure that engaging contingent labour aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use and tenure to agency executive teams
strengthening on-boarding and off-boarding processes.

We also found 57 per cent of the 23 agencies we examined with contingent labour spend of more than $5 million in 2018–19 have implemented the government's vendor management system and service provider 'Contractor Central'.

6. Managing sensitive data

Identifying and assessing sensitive data

Sixty-eight per cent of agencies maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete and risks may be overlooked.

Agencies can improve processes to manage sensitive data by:

identifying and maintaining an inventory of sensitive data through a comprehensive and structured process
assessing the criticality and sensitivity of the data so that protection of high risk data can be prioritised.

Managing data breaches

Eighty-eight per cent of agencies have established policies to respond to potential data breaches when they are identified and 70 per cent of agencies maintain a register to record key information in relation to identified data breach incidents.

Agencies should maintain a data breach register to effectively manage the actions undertaken to contain, evaluate and remediate each data breach.

This report covers the findings and recommendations from our 2018–19 financial audits that relate to internal controls and governance at 40 of the largest agencies (refer to Appendix three) in the NSW public sector. The 40 agencies selected for this volume constitute around 84 per cent of total expenditure for all NSW public sector agencies.

Although the report includes several agencies that have changed as a result of the Machinery of Government changes that were effective from 1 July 2019, its focus on sector wide issues and insights means that its findings remain relevant to NSW public sector agencies, including newly formed agencies that have assumed the functions of abolished agencies.

This report offers insights into internal controls and governance in the NSW public sector

This is the third report dedicated to internal controls and governance at NSW State Government agencies. The report provides insights into the effectiveness of controls and governance processes in the NSW public sector by:

highlighting the potential risks posed by weaknesses in controls and governance processes
helping agencies benchmark the adequacy of their processes against their peers
focusing on new and emerging risks, and the internal controls and governance processes that might address those risks.

Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse.

Areas of specific focus of the report have changed since last year

Last year's report topics included transparency and performance reporting, management of purchasing cards and taxi use, and fraud and corruption control. We are reporting on new topics this year and re-visiting agency management of gifts and benefits, which we first covered in our 2017 report. Re-visiting topics from prior years provides a baseline to show the NSW public sectors’ progress implementing appropriate internal controls and governance processes to mitigate existing, new and emerging risks in the public sector.

Our audits do not review all aspects of internal controls and governance every year. We select a range of measures and report on those that present heightened risks for agencies to mitigate. This year the report focusses on:

internal control trends
information technology controls, including access to agency systems
protecting sensitive information held within agencies
managing large and diverse workforces (controls around employing and managing contingent workers)
maintaining an ethical culture (management of gifts and benefits)
effectiveness of internal audit function and its oversight by Audit and Risk Committees.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, internal controls and audit observations are included in the individual 2019 cluster financial audit reports, which will be tabled in parliament from November to December 2019.

Internal controls are processes, policies and procedures that help agencies to:

operate effectively and efficiently
produce reliable financial reports
comply with laws and regulations
support ethical government.

Key conclusions and sector wide learnings

We identified four high risk findings, compared to six last year. None of the findings are common with those in the previous year. There was an overall increase of 12 per cent in the number of internal control deficiencies compared to last year. The increase is predominately due to a 100 per cent increase in the number of repeat financial and IT control deficiencies.

Some agencies attributed the delay in actioning repeat findings to the diversion of staff from their regular activities to implement and operationalise the recent Machinery of Government changes. As a result, actions to address audit recommendations have been deferred or re-prioritised, as the changes are implemented. Agencies need to ensure they are actively managing the risks associated with having these vulnerabilities in internal control systems unaddressed for extended periods of time.

We also identified a number of findings that were common to multiple agencies. These common findings often related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

out of date policies or an absence of policies to guide appropriate decisions
poor record keeping and document retention
incomplete or inaccurate centralised registers or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

Key conclusions and sector wide learnings

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage gifts and benefits.

Key conclusions and sector wide learnings

We found most agencies have implemented the Public Service Commission's minimum standards for gifts and benefits. All agencies had a gifts and benefits policy and 90 per cent of agencies maintained a gifts and benefits register and provided some form of training to employees on the treatment of gifts and benefits.

Based on our analysis of agency registers, we found some areas where opportunities existed to make processes more effective. In some cases, gaps in recorded information meant the basis for decisions around gifts and benefits was not always clear, making it difficult to determine whether decisions in those instances were appropriate and compliant with policy. Fifty-one per cent of the gifts and benefits registers reviewed contained declarations where not all fields of information had been completed. Seventy-seven per cent of agencies that maintained a gifts and benefits register did not include all key fields suggested by the minimum standards.

Areas where agencies can improve their management of gifts and benefits include:

ensuring agency policies comprehensively cover the elements necessary to make it effective in an operational environment, such as identifying risks specific to the agency and actions that will be taken in the event of a policy breach
establishing and publishing a statement of business ethics on the agency's website to clearly communicate expected behaviours to clients, customers,suppliers and contractors
updating gifts and benefits registers to include all key fields suggested by the minimum standards, as well as performing regular reviews of the register to ensure completeness
providing on-going training, awareness activities and support to employees, not just at induction
regularly reporting gifts and benefits to executive management and/or a governance committee such as the audit and risk committee, focussing on trends in the number and types of gifts and benefits offered to and accepted by agency staff
publishing their gifts and benefits registers on their websites to demonstrate a commitment to a transparently ethical environment.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency internal audit functions.

Key conclusions and sector wide learnings

We found agencies have established and maintained internal audit functions to provide assurance on the effectiveness of agency controls and governance systems as required by TPP15-03 'Internal Audit and Risk Management Policy for the NSW Public Sector'. However, we identified areas where agencies' internal audit functions could improve their processes to add greater value, including:

documenting and implementing safeguards to address conflicting roles performed by the Chief Audit Executive (CAE)
ensuring the reporting lines for the CAE comply with the NSW Treasury policy, and the CAE reports neither functionally or administratively to the finance function or other significant recipients of internal audit services
involving the CAE more extensively in executive forums as an observer
documenting a Quality Assurance and Improvement Program for the internal audit function and performing both internal and external performance assessments to identify opportunities for continuous improvement
reporting against key performance indicators or a balanced scorecard and producing an annual report on internal audit to bring to the attention of the audit and risk committee and senior management strategic issues, thematic trends and emerging risks that may require further attention or resources.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to on-board, manage and off-board contingent labour.

Key conclusions and sector wide learnings

Agencies have implemented controls to manage contingent labour and most agencies have some level of reporting and oversight of contingent labour at an executive level. However, the increasing trend in spend on contingent labour warrants a renewed focus on agency monitoring and oversight of their use of contingent labour. Over the last five years spend on contingent labour has increased by 75 per cent, to $1.5 billion in 2018–19.

There are also some key gaps that limit the ability of agencies to effectively manage contingent labour. Key areas where agencies can improve their management of contingent labour include:

preparing workforce plans to inform their resourcing strategy, and confirm prior to engaging contingent labour, that this solution aligns with the strategy and best meets business needs
involving agency human resources units in decisions about engaging contingent labour
regularly reporting on contingent labour use to agency executive teams, particularly in terms of trends in agency spend, tenure and compliance with policies and procedures
strengthening on-boarding and off-boarding processes, including establishing checklists to on-board and off-board contingent labour, making provisions for knowledge transfer, and assessing, documenting and capturing performance information.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of governance and processes in relation to the management of sensitive data.

Key conclusions and sector wide learnings

Information technology risks are rapidly increasing. More interfaces between agencies and greater connectivity means the amounts of data agencies generate, access, store and share continue to increase. Some of this information is sensitive information, which is protected by the Privacy Act 1988.

It is important that agencies understand what sensitive data they hold, the risks associated with the inadvertent release of this information and how they are mitigating those risks. We found that agencies need to continue to identify and record their sensitive data, as well as expand the methods they use to identify sensitive data. This includes data held in unstructured repositories, such as network shared drives and by agency service providers.

Key areas where agencies can improve their management of sensitive data include:

identifying sensitive data, based on a comprehensive and structured process and maintaining an inventory of the data
assessing the criticality and sensitivity of the data so that the protection of high risk data can be prioritised
developing comprehensive data breach management policies to ensure data breaches are appropriately managed
maintaining a data breach incident register to record key information in relation to identified data breaches incidents, including the estimated cost of the breach
providing on-going training and awareness activities to employees in relation to sensitive data and managing data breaches.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – In-scope agencies

Audit progress

Sector

Year

Report type

Topic

Reports

What this report is about

The audit found

The key audit issues were

Section highlights

Section highlights

What this report is about

What we found

Section highlights

Section highlights

What the report is about

What we found

What we recommended

About this audit

Conclusion

NSW Treasury and TfNSW had different objectives for TAHE

The Budget benefits of TAHE were claimed before the entity was legislated, committing the agencies to deliver, regardless of the complexities that subsequently arose

TAHE's financial structure requires circular government investment to work

The process of designing and implementing TAHE was not transparent to independent scrutiny

There was a lack of clarity around the roles and responsibilities of governance structures set up to oversee the design and implementation of TAHE

There was a heavy reliance on consulting firms throughout the process to establish TAHE, and the management of consultant engagements failed to ensure that agencies received independent advice to support objective decision-making

Copyright notice

What the report is about

What we found

What the key issues were

What we recommended

Section highlights

Section highlights

Copyright notice

What the report is about

What we found

Fast facts

Copyright notice

What the report is about

What we found

Fast facts

Section highlights

Section highlights

What the report is about

What we found

What we recommended

Fast facts

4 years

$120bn

x3

Conclusion

The department has not delivered on a NSW Government commitment for a state-wide climate change adaptation action plan, which was meant to be completed in 2017. Currently many state agencies that own or manage assets and provide services do not have climate risk management in place.

Since 2019, the department and NSW Treasury have worked in partnership to develop a coordinated approach to supporting agencies to manage these risks. This includes guidance to agencies on climate risk assessment and adaptation planning published in 2021.

More work is needed to embed, sustain and lead effective climate risk management across the NSW public sector, especially for the state's critical infrastructure and essential services that may be exposed to climate change impacts.

Copyright notice

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Conclusion

This report offers insights into internal controls and governance in the NSW public sector

Areas of specific focus of the report have changed since last year

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings

Key conclusions and sector wide learnings