The spate of emergencies affecting NSW over the last year may have contributed to an increase in internal control deficiencies in the state’s public sector, a report says.

Auditor General Margaret Crawford look at financial and governance risks in areas including IT security and procurement, as well as business continuity, and delegation following machinery of government changes that came into force in July.

Her report, released on Tuesday, focuses on 40 of the largest public sector agencies for the year ending 30 June 2020, including departments, state owned corporations and statutory bodies.

Collectively they constitute an estimated 85 per cent of total public sector agency expenditure, and in the last financial year had a combined revenue of $117.6 billion.

The report found internal control deficiencies increased by 13 per cent compared to last year, with ten high risk findings compared to four last year.

The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies.

Margaret Crawford

Common findings were: out of date or missing policies, poor record keeping and document retention, and problems around centralised registers.

Deficiencies in financial operations, IT operations, compliance and reporting were common across all agencies.

“The recent emergencies have consumed agency time and resources and may have contributed to the increase in internal control deficiencies, particularly repeat deficiencies,” Ms Crawford said.

Procurement

As of 30 June 2020, the audited agencies reported 32,239 emergency procurements with a total contract value of $316,908,485.

The government’s emergency procurement procedures relaxed procurement requirements to some extent and most agencies were compliant.

However, the audit found that while all agencies had policies and guidance around procurement, 17 per cent hadn’t reviewed these policies.

It also found 13 per cent of agencies with contract registers didn’t include all contracts and eight per cent left out relevant contract details.

The report found inadequate oversight of controls around user access at 53 per cent of agencies, including a failure to monitor privileged users and deficient password controls at one in four.

“The deficiencies increase risk of non-compliance with NSW cyber security policy,” the report said.

Planning for business continuity

Deficiencies were also identified in business continuity and disaster recovery planning arrangements.

Twenty-three per cent of agencies hadn’t conducted a business impact analysis (BIA) to identify critical business functions and determine business continuity priorities, the report found.

“Addressing deficiencies will ensure agencies have adequate safeguards in their processes to again respond in the future, if required,” Ms Crawford said.

Agencies’ instruments of delegation and delegation manuals had also not been updated following legislative or administrative changes, or lacked dates for regular review.

The audit also found that recommendations made after last year’s audit hadn’t been implemented.

Thirty-eight per cent of agencies haven’t updated their gifts and benefits register, 56 per cent of agencies hadn’t provided staff training and 63 per cent hadn’t implemented an annual attestation process for senior management.

Ninety-seven per cent of agencies hadn’t published their gifts and benefits register on their website and 41 per cent were were failing to brief relevant individuals in trends in the register.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter