Section highlights

• $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters during 2021–22.
• Budget underspent for temporary housing and small business support as lower than expected need.

Section highlights

• 83 local council areas were impacted by natural disasters during 2021–22, with 58 being impacted by more than one type of natural disaster.
• $349 million damage to council infrastructure assets at 30 June 2022.

Section highlights

• Unqualified audit opinions were issued for all completed 30 June 2022 financial statements audits of cluster agencies. Seven audits are ongoing. The audit of the Catholic Metropolitan Cemeteries Trust(CMCT) has not been able to commence, despite repeated requests to do so.
   
• The audits of the Water Administration Ministerial Corporation's (WAMC) financial statements for the years ended 30 June 2011 to 30 June 2020 were completed in November 2022. These audits had been long outstanding due to insufficient records and evidence to support the transactions and balances of WAMC, particularly for the earlier years. In recent years, management commenced actions to improve WAMC's governance and financial management, and finalise the outstanding audits.
  
  Disclaimed audit opinions were issued on the 2010–11 to 2015–16 financial statements as management was unable to certify that the financial statements exhibit a true and fair view of WAMC's financial position and financial performance.
  
  Qualified audit opinions were issued for the 2016–17 and 2017–18 financial statements due to insufficient evidence to support the completeness and valuation of water meters infrastructure assets, the impairment of water meters, and the completeness of buildings at Nimmie Caira.
  
  Unqualified audit opinions were issued for the 2018–19 and 2019–20 financial statements.
  
  The 2020–21 and 2021–22 WAMC audits are in progress.
   
• The Department of Planning and Environment (the department) assessed 45 Category 2 Statutory Land Managers (SLM) did not meet the reporting exemption criteria and therefore were required to prepare 2021–22 financial statements. None of these 45 Category 2 SLMs prepared and submitted their 30 June 2022 financial statements by the statutory reporting deadline.
  
  All 119 Commons Trusts have never submitted their financial statements for audit as required by the Government Sector Finance Act 2018 (GSF Act).
  
  The department needs to do more to ensure Category 2 SLMs and Commons Trusts meet their statutory reporting obligations.
  
  The department and Category 2 SLMs should finalise their reporting exemption assessments earlier to allow sufficient time for the non-exempted SLMs to prepare and submit annual financial statements by the statutory reporting deadline.
   
• NSW Treasury has met with the Catholic Metropolitan Cemeteries Trust (CMCT) to consider their perspective as part of confirming CMCT is a controlled entity of the State for the purposes of financial reporting. NSW Treasury has confirmed that the CMCT is a controlled entity of the State. This means that the CMCT is statutorily obliged under section 7.6 of the GSF Act to prepare financial statements in accordance with the GSF Act and Treasurer's Directions, and give them to the Auditor-General for audit pursuant to the Government Sector Audit Act 1983 (GSA Act). Section 34 of the GSA Act requires the Auditor-General to furnish an audit report on these financial statements.
  
  The department wrote to CMCT to request it work with, and offer full assistance to, the Auditor-General in the exercise of her duties. To date, the CMCT has not met its obligations to prepare financial statements under the GSF Act as it has not submitted its financial statements to the Auditor-General for audit despite repeated requests, and has not provided access to its books and records for the purposes of a financial audit. The CMCT contends that they are not a GSF agency as defined by the GSF Act and therefore not a controlled entity of the State.
   
• Six agencies required to perform early close procedures did not complete a total of 11 mandatory procedures. Incomplete procedures included the delayed resolution of matters raised in prior years and two agencies did not record movements in the fair value of physical assets in the financial statements.

Section highlights

• Since 2017, the Audit Office of New South Wales has recommended that the Department of Planning and Environment (the department) address the different practices across the local government sector in accounting for rural firefighting equipment. Despite repeated recommendations, the department did little to resolve this issue, and in 2022, 32 of 118 completed audits of councils received qualified audit opinions on their 2022 financial statements.
  Consistent with the department’s role to assess councils' compliance with legislative responsibilities, standards or guidelines, the department should intervene where councils do not recognise rural firefighting equipment.
• There continues to be significant deficiencies in Crown land records. The department should implement an action plan to ensure the Crown land database is complete and accurate.
• The number of findings reported to management decreased from 161 in 2020–21 to 132 in 2021–22. Eight high-risk findings were identified during 2021–22, of which six were repeat issues. One new high-risk finding related to deficiencies in governance processes and internal controls identified as a part of the Water Administration Ministerial Corporation's 2011–2020 financial statements audits.
• The department and NSW Treasury did not comply with section 35 of the Energy and Utilities Administration Act 1987 (EUA Act). However, complying with the EUA Act could create non-compliance with other pieces of legislation. Amendments to the EUA Act have been made to resolve this inconsistency. The amendment took effect from April 1999.

Section highlights

• Unqualified audit opinions were issued on the financial statements of cluster agencies. Two audits are ongoing.
• Cluster agencies completed all required early close procedures.
• Changes to accommodation arrangements managed by Property NSW on behalf of the department and cluster agencies resulted in the collective derecognition of approximately $100.6 million in right-of-use assets and corresponding lease liabilities totalling $110.4 million from the balance sheets of these agencies.
• Cluster agencies continue to provide financial assistance to communities affected by natural disasters.

Section highlights

• The 2021–22 audits identified five moderate issues across the cluster. One moderate risk issue was a repeat issue related to Local Land Services' annual fair value assessment of the asset improvements on land reserves used for moving stock.
• Of the four newly identified moderate rated issues, one related to internal control deficiencies and improvements and three related to financial reporting.
• The number of findings reported to management has decreased from 36 in 2020–21 to 14 in 2021–22.

Section highlights

• Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
• An 'Other Matter' paragraph was included in the Independent Planning Commission’s (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983. From 2020–21, the IPC is required to prepare financial statements under the Government Sector Finance Act 2018.
• The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements were incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. These audits are currently underway, and the 2020–21 audit will commence shortly.
• The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 State controlled Crown land managers (CLMs) are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21. All 120 common trusts have never submitted their financial statements for audit. The department needs to do more to ensure that the CLMs and common trusts meet their statutory reporting obligations.
• Nine agencies that were required to perform early close procedures did not complete a total of 20 mandatory procedures. The most common incomplete early close procedures include the revaluation of property, plant and equipment, documenting all significant management judgments and assumptions, and the implementation of new and updated accounting standards.

Section highlights

• The number of findings reported to management has increased from 135 in 2019–20 to 180 in 2020–21, and 40 per cent were repeat issues.
• Seven high-risk issues were identified in 2020–21, and three high-risk findings were repeat issues.
• There continues to be significant deficiencies in Crown land records. The department should prioritise action to ensure the Crown land database is complete and accurate.

Section highlights

• Unqualified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Four audits are ongoing.
• The number of monetary misstatements identified during the audit decreased from 27 in 2019–20 to seven in 2020–21.
• Three cluster agencies could improve their early close process by completing all required procedures.
• Local Land Services disclosed a prior period error relating to the completeness of asset improvements on travelling stock reserves.

Section highlights

• The number of findings reported to management decreased from 36 in 2019–20 to 19 in 2020–21, and 47 per cent were repeat findings.
• The 2020–21 audits identified 12 moderate risk and seven low risk issues across the cluster.
• Four moderate risk issues and five low risk issues were repeat findings from
  2019–20.

Agencies implemented three new accounting standards during the year. Our audit of the Department identified there was a lack of quality assurance over the accuracy of lease information provided by Property NSW.

Recommendation:

The Department should:

• quality assure and validate the leasing information provided by Property NSW
• ensure changes made by Property NSW to lease data are supported and that assumptions and judgements applied are appropriate
• document their review of the data supplied.

We identified 30 internal control issues, including 16 findings that were raised with former agencies in previous years. Two matters from previous years have been elevated to high risk during 2019–20. Both matters related to Local Land Services:

• not completing all mandatory requirements as part of its early close procedures at 31 March 2020
• not performing annual fair value assessment of asset improvements on land reserves used for moving livestock.

Recommendation:

Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high-risk and repeat issues.

Section highlights

• Unqualified audit opinions were issued for all cluster agencies' 30 June 2020 financial statements audits.
• Nine of the ten cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting the financial statements. New South Wales Rural Assistance Authority missed the revised deadline by one day.
• Due to issues identified during audit, four financial statements audit were not completed and audit opinions issued by the statutory deadline.
• Emergency legislation allowing the Treasurer to continue authorising payments from the consolidated fund under the existing Appropriations Act enabled cluster agencies to prepare financial statements on a going concern basis.

Section highlights

• Two high-risk issues were identified during our audits. Both related to Local Land Services for:
  − not completing all mandatory requirements as part of its early close procedures at 31 March 2020
  − not performing annual fair value assessment of asset improvements on land reserves used for moving livestock
• More than one in two issues identified and reported to management in 2019–20 were raised in the former agencies.

There are 45 separate entities in the cluster. Unqualified audit opinions were issued for 38 cluster agencies' 30 June 2020 financial statements audits. Four financial statements audits are still ongoing, and three agencies were not subject to audit due to NSW Treasury reporting exemptions.

The majority of cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting financial statements. Twenty‑four of the 26 cluster agencies required to submit early close financial statements met the revised timeframe.

Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions not issued by the statutory deadline.

Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations.

Recommendation (partially repeat):

Property NSW should:

• review and document the accounting implications for each lease
• ensure the accuracy and validity of lease data used for the lease calculations
• review user access to the leasing system, including privileged users.

Our audits of the cluster agencies identified there was a lack of thorough quality assurance over the accuracy of lease information provided by Property NSW.

Recommendation:

The Department and cluster agencies should:

• quality assure and validate the information provided by Property NSW
• ensure changes made by Property NSW on lease data are supported and that assumptions and judgements applied are appropriate
• document their review of the data supplied.

In 2019–20, the Department resolved an additional 468 Aboriginal land claims compared to the prior year. However, the total number of unprocessed Aboriginal land claims increased by 914 to 36,769 at 30 June 2020. The number of claims remaining unprocessed for more than ten years after lodgement increased by 10.9 per cent from last year. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land.

Auditor-General's Reports to Parliament since 2007 have recommended action to address the increasing number of unprocessed claims. To date, the Department has not been able to resolve this issue.

During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims.

The Department will need to provide additional support and guidance to help Crown land managers (CLMs) meet their financial reporting obligations.

Recommendation:

The Department should:

• in consultation with NSW Treasury, develop an appropriate statutory reporting framework for CLMs
• ensure sufficient resources are available to help CLMs meet their reporting obligations.

During 2019–20, NSW Treasury established the reporting exemption criteria for the CLMs. Based on available information, the Department determined 31 CLMs would not meet the exemption criteria and therefore are required to prepare annual financial statements.

Six high‑risk issues were identified across the cluster in 2019–20:

• 5 of those were related to financial reporting issues identified in Property NSW, Wentworth Park Sporting Complex Land Manager, Lord Howe Island Board, Planning Ministerial Corporation and Hunter and Central Coast Development Corporation
• 1 issue was related to Lord Howe Island Board's outdated business continuity plan.

One in three internal control issues identified and reported to management in 2019–20 were repeat issues.

Recommendation:

Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high‑risk and repeat issues.

The unprecedented bushfires and COVID‑19 pandemic presented challenges for the cluster. Agencies established taskforces or response teams to respond to these emergencies.

With more staff working from home, agencies implemented protocols and procedures to manage risks associated with the remote working arrangements, and also needed to address certain technology issues.

The Department is responsible for the new Planning System Acceleration Program, which aims to fast‑track planning assessments, boost the State's economy and keep people in jobs during COVID‑19 pandemic. Between April and October 2020, the Department announced and determined 101 major projects and planning proposals.

Crown land is an important asset of the State. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel.

Auditor-General's Reports to Parliament since 2017 have recommended that the Department should ensure the database of Crown land is complete and accurate. Whilst the Department has commenced actions to improve the database, this remained an issue in 2019–20.

Recommendation (repeat issue):

The Department should prioritise action to ensure the Crown land database is complete and accurate. This allows state agencies and local councils to be better informed about the Crown land they control.

Since its creation on 1 July 2019, the Department has largely established its governance arrangements, including setting up the Audit and Risk Committee and internal audit function for the Department and relevant cluster agencies.

The Department still operated three main financial reporting systems in 2019–20, and has commenced the process to consolidate some of the systems.

The recent Regional NSW MoG change led to the transfer of $446 million net assets and $284 million 2019–20 budget from the Department to the newly created Department of Regional NSW on 2 April 2020.

Section highlights

• Unqualified audit opinions were issued for all completed 30 June 2020 financial statements audits. Timeliness of financial reporting remains an issue for 13 agencies.
• Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations. Cluster agencies can also improve their management of lease information provided by Property NSW.
• The number of unprocessed Aboriginal land claims continued to increase. During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims.

The Department has not yet developed a statutory reporting framework for Crown land managers and will need to provide additional resources to help Crown land managers meet their financial reporting obligations.

Section highlights

• Six high risk issues were identified during 2019–20 audits. One in three issues identified and reported to management in 2019–20 were repeat issues.
• The Department has fast tracked the assessment and determination of 101 projects as a part of the Planning System Acceleration Program.
• There continues to be significant deficiencies in Crown land records. The Department should ensure the Crown land database is complete and accurate.

Internal control deficiencies increased by 13 per cent compared to last year. This is predominately due to a seven per cent increase in new internal control deficiencies and 24 per cent increase in repeat internal control deficiencies. There were ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Agencies should:

• prioritise addressing high-risk findings
• address repeat internal control deficiencies by re-setting action plans and timeframes and monitoring the implementation status of recommendations.

A number of findings remain common across multiple agencies over the last four years, including:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers or gaps in these registers.

We found deficiencies in information security controls over key financial systems including:

• user access administration deficiencies relating to inadequate oversight of the granting, review and removal of user access at 53 per cent of agencies
• privileged users were not appropriately monitored at 43 per cent of agencies
• deficient password controls that did not align to the agency's own password policies at 25 per cent of agencies.

The deficiencies above increase the risk of non-compliance with the NSW Cyber Security Policy, which requires agencies to have processes in place to manage user access, including privileged user access to sensitive information or systems and remove that access once it is not required or employment is terminated.

The response to the recent emergencies and the COVID-19 pandemic has encompassed a wide range of activities, including policy setting, on-going service delivery, safety and availability of staff, availability of IT and other systems and financial management. Agencies were required to activate their business continuity plans in response, and with the continued impact of COVID-19 have not yet returned to a business-as-usual environment.

Our audits focused on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic.

We identified deficiencies in agency business continuity and disaster recovery planning arrangements. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities. Agencies can also improve the content of their BIA. For example, ten per cent of agencies' BIAs did not include recovery time objectives and six per cent of agencies did not identify key IT systems that support critical business functions. Scenario testing improves the effectiveness with which a live crisis is handled, but 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. There were also opportunities to improve the effectiveness of scenario testing exercises by:

• involving key dependent or inter-dependent third parties who support or deliver critical business functions
• testing one or more high impact scenarios identified in their business continuity plan
• preparing a formalpost-exercise report documenting the outcome of their scenario testing.

Agencies have responded to the recent emergencies but addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

We found agencies' governance functions could have been better informed about responses to disruptive incidents that had activated a business continuity or disaster recovery response between 1 January 2019 to 31 December 2019. For instance:

in 89 per cent of instances where a business continuity response was activated, a post-incident review had been performed. In 82 per cent of these instances, the outcomes were reported to a relevant governance or executive management committee

in 95 per cent of instances where a disaster recovery response was activated, a post incident review had been performed. In 86 per cent of these instances, the outcomes were reported to a relevant governance committee or executive management committee.

Examples of recorded incidents included extensive air quality issues and power outages due to bushfires, system and network outages, and infected and hijacked servers.

Agencies should assess their response to the recent emergencies and the COVID-19 pandemic and update business continuity, disaster recovery and other business resilience frameworks to incorporate lessons learned. Agencies should report to those charged with governance on the results and planned actions.

Agency procurement policies did not capture the requirements of several key NSW Procurement Board Directions (the Directions), increasing the risk of non-compliance with the Directions. We noted: 

• 67 per cent of agencies did specify that procurement above $650,000 must be open to market unless exempt or procured through an existing Whole of Government Scheme or contract
• 36 per cent of agencies did specify that procurements above $500,000 payable in foreign currencies must be hedged
• 69 per cent of agencies' policies did specify that the agency head or cluster CFO must authorise the engagement of consultants where the engagement of the supplier does not comply with the standard commercial framework.

Recommendation: Agencies should review their procurement policies and guidelines to ensure they capture the key requirements of the NSW Government Procurement Policy Framework, including NSW Procurement Board Directions.

Eighty-eight per cent of agencies maintain a central contract register to record all details of contracts above $150,000, which is a requirement of GIPA legislation. Of the agencies that maintained registers, 13 per cent did not capture all contracts and eight per cent did not include all relevant contract details.

Sixteen per cent of agencies did not periodically review their contract register. Timely review increases compliance with GIPA legislation, and enhances the effectiveness with which procurement business units monitor contract end dates, contract extensions and commence new procurement.

Ninety-three per cent of agencies provide training to staff involved in procurement processes, and a further 77 per cent of agencies provide this training on an on-going basis. Of the seven per cent of agencies that had not provided training to staff, we noted gaps in aspects of their procurement activity, including:

• not conducting value for money assessments prior to renewing or extending the contract with their existing supplier
• not obtaining approval from a delegated authority to commence the procurement process
• procurement documentation not specifying certain key details such as the conditions for participation including any financial guarantees and dates for the delivery of goods or supply of services.

Training on procurement activities ensures there is effective management of procurement processes to support operational requirements, and compliance with procurement directions.

As at 30 June 2020, agencies within the scope of this report reported conducting 32,239 emergency procurements with a total contract value of $316,908,485. Emergency procurement activities included the purchase of COVID-19 cleaning and hygiene supplies.

The government, through NSW Procurement released the 'COVID-19 Emergency procurement procedure', which relaxed procurement requirements to allow agencies to make COVID-19 emergency procurements. Our review against the emergency procurement measures found most agencies complied with requirements. For example:

• 95 per cent of agencies documented an assessment of the need for the emergency procurement for the good and/or service
• 86 per cent of agencies obtained authorisation of the emergency procurement by the agency head or the nominated employee under Public Works and Procurement Regulation 2019
• 76 per cent of agencies reported the emergency procurement to the NSW Procurement Board.

Complying with the procedure helps to ensure government resources are being efficiently, effectively, economically and in accordance with the law.

Recommendation: Agency procurement frameworks should be reviewed and updated so they can respond effectively to emergency situations that may arise in the future. This includes:

• updating procurement policies and guidelines to define an emergency situation, specify who can approve emergency procurement and capture other key requirements
• using standard templates and documentation to prompt users to capture key requirements, such as needs analysis, supplier selection criteria, price assessment criteria, licence and insurance checks
• having processes for reporting on emergency procurements to those charged with governance and NSW Procurement.

We found that agencies have established financial and human resources delegations, but some had not revisited their delegation manuals following the legislative and machinery of government changes. For those agencies impacted by machinery of government changes we noted:

• 16 per cent of agencies had not updated their financial delegations to reflect the changes
• 16 per cent of agencies did not update their human resources delegations to reflect the changes.

Delegations manuals are not always complete; 16 per cent of agencies had no delegation for writing off bad debts and 26 per cent of agencies had no delegation for writing off capital assets.

Recommendation: Agencies should ensure their financial and human resources delegation manuals contain regular set review dates and are updated to reflect the Government Sector Finance Act 2018, machinery of government changes and their current organisational structure and roles and responsibilities.

Agencies did not understand or correctly apply the requirements of the Government Sector Finance Act 2018 (GSF Act), resulting in non-compliance with the Act. We found that 18 per cent of agencies spent deemed appropriations without obtaining an authorised delegation from the relevant Minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act.

Further detail on this issue will be included in our Auditor-General's Reports to Parliament on Central Agencies, Education, Health and Stronger Communities, which will be tabled throughout December 2020.

Recommendation: Agencies should review financial and human resources delegations to ensure they capture all key functions of laws and regulations, and clearly specify the relevant power or function being conferred on the officer.

Recommendations were made last year to improve transparency over reporting on gifts and benefits and improve the visibility management and those charged with governance had over actions taken to address conflicts of interest that may arise. This year, we continue to note:

• 38 per cent of agencies have not updated their gifts and benefits register to include all the key fields required under the minimum standards set by the Public Service Commission
• 56 per cent of agencies have not provided training to staff and 63 per cent of agencies have not implemented an annual attestation process for senior management
• 97 per cent of agencies have not published their gifts and benefits register on their website and 41 per cent of agencies are not reporting on trends in the gifts and benefits register to those charged with governance.

While we acknowledge the significance of the recent emergencies, which have consumed agency time and resources, we note limited progress has been made implementing these recommendations. Further detail on the status of implementing all recommendations is in Appendix 2.

Recommendation: Agencies should re-visit the recommendations made in last year's report on internal controls and governance and action these recommendations.

Section highlights

We identified ten high risk findings, compared to four last year with two findings repeated from the previous year. There was an overall increase of 13 per cent in the number of internal control deficiencies compared to last year due to a seven per cent increase in new internal control deficiencies, and a 24 per cent increase in repeat internal control deficiencies. The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

We identified a number of findings that remain common across multiple agencies over the last four years. Some of these findings related to areas that are fundamental to good internal control environments and effective organisational governance. Examples include:

• out of date or missing policies to guide appropriate decisions
• poor record keeping and document retention
• incomplete or inaccurate centralised registers, or gaps in these registers.

Policies, procedures and internal controls should be properly designed, be appropriate for the current organisational structure and its business activities, and work effectively.

Section highlights

Government agencies’ financial reporting is heavily reliant on information technology (IT). We continue to see a high number of deficiencies related to IT general controls, particularly those related to user access administration. These controls are key in adequately protecting IT systems from inappropriate access and misuse.

IT is also important to the delivery of agency services. These systems often provide the data to help monitor the efficiency and effectiveness of agency processes and services they deliver. Our financial audits do not review all agency IT systems. For example, IT systems used to support agency service delivery are generally outside the scope of our financial audit. However, agencies should also consider the relevance of our findings to these systems.

Agencies need to continue to focus on assessing the risks of inappropriate access and misuse and the implementation of controls to adequately protect their systems, focussing on the processes in place to grant, remove and monitor user access, particularly privileged user access.

Section highlights

We identified deficiencies in agency business continuity and disaster recovery planning arrangements and opportunities for agencies to enhance their business continuity management and disaster recovery planning arrangements. This will better prepare them to respond to a disruption to their critical functions, resulting from an emergency or other serious event. Twenty-three per cent of agencies had not conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities and 40 per cent of agencies had not conducted a business continuity scenario testing exercise in the period from 1 January 2019 to 31 December 2019. Scenario testing improves the effectiveness with which a live crisis is handled.

This section focusses on the preparedness of agency business continuity and disaster recovery planning arrangements prior to the onset of the COVID-19 pandemic. While agencies have responded to the recent emergencies, proactively addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required.

During 2020–21 we plan to conduct a performance audit on 'Business continuity and disaster recovery planning'. This audit will consider the effectiveness of agency business continuity planning arrangements to maintain business continuity through the recent emergencies and/or COVID-19 pandemic and return to a business-as-usual environment. We also plan to conduct a performance audit on whole-of-government 'Coordination of emergency responses'.

Section highlights

We found agencies have procurement policies in place to manage procurement activity, but the content of these policies was not sufficiently detailed to ensure compliance with NSW Procurement Board Directions (the Directions). The Directions aim to ensure procurement activity achieves value for money and meets the principles of probity and fairness.

Agencies have generally implemented controls over their procurement process. In relation to emergency procurement activity, agencies reported conducting 32,239 emergency procurements with a total contract value of $316,908,485 up to 30 June 2020. Our review of emergency procurement activity conducted during 2019–20 identified areas where some agencies did not fully comply with the 'COVID-19 Emergency procurement procedure'.

We also found not all agencies are maintaining complete and accurate contract registers. This not only increases the risk of non-compliance with GIPA legislation, but also limits the effectiveness of procurement business units to monitor contract end dates, contract extensions and commence new procurement in a timely manner. We noted instances where agencies renewed or extended contracts without going through a competitive tender process during the year.