2022 status of Auditor-General’s recommendations

The Queensland Audit Office is in a unique position to provide advice and insights from our work across the public sector. This perspective can help entities respond better to existing issues, take advantage of improvement opportunities, and prepare for inevitable future challenges. This is more important than ever given the increasingly complex risks the public sector is facing, including growing global uncertainty, climate change, threats to supply chains, limited resources, rapid advancements in technology, and issues related to cybercrime.

My annual report on the status of Auditor‑General’s recommendations is one of the ways I share my wider learnings. In this report, I summarise the progress that entities are making in addressing my recommendations. I also share trends, challenges, and insights across the public sector.

This is the second report I have tabled on the status of recommendations included in reports to parliament. This report summarises entities’ progress in implementing recommendations from 2018–19 and 2019–20, and outstanding recommendations (partially implemented and not implemented recommendations) from last year’s report.  

My key reflections over the past 5 years

Five years ago, I took up my appointment as Auditor-General. Over this period, I have tabled 94 reports and made 325 recommendations. These reports have covered a broad range of topics and entities. I have prioritised audit topics based on the strategic risks facing the public sector. As I reflect on this time, some common and recurring issues emerge – many of which are systemic across government.

One of the key themes identified in Professor Coaldrake’s 2022 Review of culture and accountability in the Queensland public sector (Coaldrake review) is the importance of effective leadership within public sector entities. Effective leadership is vital to ensuring an entity’s culture focuses on integrity, accountability, and achieving excellence in service delivery.

It is also important that entities accept the need for change and learn from past experiences to improve the delivery of public services. My experience has been that entities are either unwilling to learn from the past or each other, or lack the systems or corporate knowledge to understand the reasons for past failings. In some instances, the fear of repeating past failures is resulting in entities missing opportunities to implement new systems and technologies. There is also a lack of information and data sharing within and between entities that would enable them to learn from the mistakes of others and prevent them from reoccurring.

I have explored these themes further, under the following 4 areas:

• strengthening governance and oversight
• using information technology and data better
• managing contracts and projects effectively
• understanding the impact of government restructuring.

Strengthening governance and oversight

The Coaldrake review noted the government is not meeting the public's rising expectations that it is accountable and transparent, and acts with integrity. To do this, public sector entities must uphold high standards of governance and must not see governance as mere compliance.

Good governance promotes accountability, integrity, and transparency, and can help entities to continuously improve. It can be a source of innovation and efficiencies in helping entities achieve their objectives. Despite these benefits, entities struggle to implement performance improvement frameworks with appropriate governance arrangements and robust internal controls.

Each year since my appointment, I have stressed the importance of effective audit committees and internal audit functions to the overall control environment of entities. For example, in my annual local government report I have repeatedly recommended that local councils have an audit committee. An effective audit committee plays a pivotal role in ensuring entities manage their responsibilities relating to financial reporting, internal control, systems, risk management, and internal audit. Nevertheless, 15 local councils still do not have an audit committee. This is a gap they need to address.

Further, my previous recommendations that Queensland Treasury updates its Audit Committee Guidelines to strengthen the independence and oversight of audit committees for state public sector entities is scheduled to be implemented by the end of 2022. The independence of audit committees is critical. Too often, I find audit committees of departments with large numbers of internal members (meaning staff employed by the entity). This, in effect, renders them merely a management committee, and makes it difficult for them to independently challenge management’s actions and hold management to account. Implementing my recommendations for strengthening audit committees would be consistent with the key themes of enhancing transparency and accountability raised in Professor Coaldrake's report.

A cornerstone of good governance is accurate and timely reporting. Transparency is vital if a government is to maintain the public’s trust. The Coaldrake review highlighted a reluctance within the Queensland Government to be open and transparent. The review focused on the proactive release of information, such as cabinet submissions. Equally important is the timely and accurate reporting of performance.  

Decision-makers rely on timely and accurate performance reporting to drive improvement. But, my audits have repeatedly found gaps in how entities monitor and report their performance. This has been both at a program and system level. Entities have failed to develop specific performance targets that are relevant, achievable, and measurable. In many cases, their performance targets and reporting practices focus on outputs, rather than outcomes. As such, they do not shine light on the effectiveness of their performance. Too often, entities only report success stories and fail to report areas of underperformance.

While Queensland public sector entities have made continuous improvements to their financial reporting processes, the timely release of annual reports has been an issue. Continued delays in releasing this information is not consistent with the community’s expectations of timeliness and transparency in government.

Using information technology and data better

Our society is now more data-driven than ever before. Technology is advancing rapidly, bringing new opportunities. New information technology systems can help entities to deliver their services more efficiently. But to draw on these benefits, entities need to keep abreast of technology developments. They need to explore whether they have the right systems and are using them in the right way. In addition, they need to understand their data and use it to make more informed decisions.

Too often, I find entities are relying on legacy systems that are not fit for purpose and result in duplication. Legacy systems are particularly susceptible to cyber attacks. In many cases, these systems do not talk to each other, and data remains siloed. A lack of integration can restrict entities from having a complete view of performance and present a barrier to the timely sharing of information. It often leads to ineffective and inefficient processes, which are further compounded by periodic machinery of government changes.

The use and analysis of data within and across entities would benefit from a common data dictionary and data lake (a centralised repository to store structured and unstructured data). This would enable public sector entities to use a variety of government data sets as well as data external to government. In combination, this data could provide greater insights into the performance of government services, better inform risk, and allow for more targeted, timely and cost-effective policy responses.

Managing contracts and projects effectively

Over the past 5 years, I have found that entities fail to manage their contracts effectively. In many cases, this is due to inadequate governance and lack of forward planning, poor contract management practices, and a lack of skills and experience in managing contracts. This has resulted in delays, overspend, and, in some instances, systems that are not fit for purpose.

Managing contracts can be difficult, and this is particularly the case for infrastructure and information and communication technology (ICT) project contracts. But there is opportunity for entities to learn from past failings. Entities can introduce more robust planning, ensure they have the appropriate capability, and strengthen their risk management practices. While these actions alone will not negate the risks associated with managing large contracts, they will enable entities to better tackle unforeseen challenges and help ensure that projects achieve value for money and their intended outcomes.

The Queensland Government intends to spend $52.2 billion on infrastructure projects over the next 4 years. It is currently spending $1.5 billion on ICT projects. It is therefore critical that entities examine past mistakes and use these learnings as the building blocks for future contracts. This is even more important as the state government prepares for the 2032 Olympic and Paralympic Games.

Understanding the impact of government restructuring

Governments need to ensure that the public service has the capacity to implement change and focus on longer-term goals and strategies. In his report, Professor Coaldrake identified a loss of capacity in the Queensland public service.

This loss of capacity may be attributable, in part, to the regular restructuring of government functions. While restructuring is the prerogative of government, restructures are rarely quick, inexpensive, or simple. Common impacts of these changes include:

• the need for entities to re-establish workplace culture and internal controls, thereby reducing the ability for them to develop and mature
• the existence of outdated legacy systems developed to meet the specific needs of a previous department or structure
• difficulty in assessing financial and performance information of departments over time
• confusion over responsibilities for the delivery of government programs and objectives
• entities directing their resources and attention to implementing change, rather than day-to-day operations and long-term strategic objectives.

My concluding thoughts

Since my appointment, I have focused on helping governments to deliver better public services for Queenslanders. This will continue for the remainder of my term. Over the next 2 years, I will prioritise audits that centre on improving the aspects of government service delivery described above, and the focus areas identified in my Forward work plan 2022–25, plus other areas or risks that emerge.  

I hope my reports to parliament are a catalyst for positive change. While I always ask entities if they agree with the recommendations in my reports, I cannot force implementation. Real change requires the resolve and action of public sector entities themselves through a culture of learning and self-improvement, rather than being forced into action by my public reporting.

Entities will thrive in an environment that encourages the public service to challenge the way they have done things in the past and looks at how to improve in an uncertain future. The benefits of innovation and automation should motivate entities, not the fear of failure.

I hope public sector entities recognise the value of audit, welcome the scrutiny, and act on my recommendations to foster a culture of change and continuous improvement.

I trust this report gives parliamentarians, parliamentary committees, and members of the public a more complete picture of the progress entities are making in delivering my recommendations on government service delivery.

Brendan Worrall
Auditor-General

The Queensland Audit Office makes recommendations to state and local government entities to support better delivery of public services and make a difference to the lives of Queenslanders. In this report, we provide an update on entities’ self-assessed progress in implementing the performance audit recommendations we made to them in 2018–19 and 2019–20. We also discuss any outstanding recommendations from last year’s report.

Our analysis of entities’ reported progress against the different types of recommendations we make highlights some common challenges and opportunities for the public sector. We offer insights about where all entities can improve their systems and practices.

Our recommendations focus on many different aspects of public service delivery. We ensure our recommendations are client focused, address the root cause, and add value to the public sector.

What did we examine?

What did we find?

Entities reported the following progress with implementing our recommendations:

Appendix B summarises entities’ self-assessed progress in implementing our recommendations. The best way to explore their reported progress on each recommendation is via our interactive dashboard available at www.qao.qld.gov.au.

We design our recommendations to help our clients improve their service delivery and learn from the better practices of others.

We consult with entities on our draft recommendations before we table a report in parliament, and we ask entities to confirm whether they agree with our recommendations. We cannot make entities implement our recommendations, but we can track, report, and share insights on their progress.

For this report, we asked 56 public sector entities, including local governments, to self-assess their progress in implementing the performance audit recommendations we issued from:

• 17 reports tabled in 2018–19 and 2019–20
• 17 reports from earlier years that had outstanding recommendations (we define ‘outstanding recommendations’ as those either not implemented or partially implemented from last year’s report).

Entities reported their progress to us in June and July 2022. This report, therefore, reflects the status of entities’ self-assessed progress in implementing our recommendations at that time. We have not audited the action they have taken, and therefore cannot provide assurance over their responses.

We asked entities to assess whether they had fully, partially, or not implemented our recommendations, or whether they assessed the recommendations as no longer applicable (using the criteria detailed in Appendix D). Where entities report fully implementing our recommendations, we expect their actions to address the issue that we identified and to be operating effectively, not to be a plan to address the issue.

Insights into our most frequent recommendations

Although we examine many different aspects of the public sector, the same issues often emerge, resulting in similar recommendations.

We analysed all the recommendations we made in 2018–19 and 2019–20 to identify those we made most often. This gives us some indication of what entities find most challenging.

We grouped our recommendations into 10 categories, as shown in Figure 1A.

Appendix C explains these categories and shows entities’ reported progress against them.

Figure 1B shows the 3 most common categories of recommendations we made in 2018–19 and 2019–20 and the underlying issues our recommendations sought to address.  

Insights into outstanding recommendations

We also analysed the 10 categories to identify which had the highest number of outstanding recommendations.

The most common type of outstanding recommendations related to governance, followed closely by performance monitoring and reporting, and risk management.

Figure 1C shows the status of the 3 most common categories of outstanding recommendations in 2018–19 and 2019–20. 

Governance

Entities need effective governance arrangements to be transparent and accountable, and to drive improvement. We made 56 governance-related recommendations from 14 reports to parliament tabled in 2018–19 and 2019–20.

Entities reported implementing 68 per cent (38) of the 56 recommendations, with 32 per cent (18) of the recommendations still outstanding. We identified opportunities where entities could strengthen their governance arrangements by:

• improving transparency over decision-making
• clarifying and formally communicating roles, responsibilities, and accountability for services
• creating governance structures with adequate authority to manage system performance.

Entities need to implement these outstanding recommendations quickly and effectively. The longer they leave it, the greater the risk that these gaps will grow. Inadequate governance can result in poor performance, a lack of accountability, and may make an entity more susceptible to corruption.

We will continue to prioritise audits that focus on entities’ internal controls and governance arrangements. In 2023–24, we plan to examine the effectiveness of local government audit committees.

Performance monitoring and reporting

Entities need strong performance monitoring and reporting practices to assess whether they are efficient, effective, economical, and providing value for money in the ways they deliver services. In 2018–19 and 2019–20, we made 70 performance monitoring and reporting recommendations from 9 reports to parliament. We recommended that entities enhance their performance monitoring and reporting, including: agreeing on performance targets developing targets that measure both outputs and outcomes reporting regularly on their performance to key decision-makers.

Entities reported that 21 per cent (15) of the 70 recommendations were still outstanding. As we reported last year in our report 2021 status of Auditor-General’s recommendations (Report 4: 2021–22), these recommendations are not normally difficult, time consuming, or costly to implement. However, entities have not implemented a significant number of them. As such, key decision-makers are not getting the information they require to make informed decisions. They are likely relying on 'gut-feel' rather than evidence, limiting their ability to deliver efficient and effective services.

Risk management

Strong and robust risk management practices are more important than ever. Increasing global uncertainty, climate change, threats to global supply chains, limited resources, cybercrime, data protection, and privacy are just some of the challenges facing entities. Entities must be proactive to effectively manage risks.

We made a variety of recommendations to strengthen how entities manage their risk, including:

• identifying areas of greatest risk and potential harm
• developing a framework for managing risk and applying it consistently
• developing and implementing a methodology for identifying and assessing risk.

We made 23 recommendations about how entities manage risk. Entities reported implementing 57 per cent (13) of these recommendations.

Most of the outstanding risk management recommendations were from our report on Managing cyber security risks (Report 3: 2019–20). While entities reported partially implementing the report’s recommendations, they are planning to take additional action to enhance their risk management practices.

Later in this report, we discuss in more detail entities’ progress in implementing the recommendations from the Managing cyber security risks audit.

Insights from entities’ responses

In most cases, we found that entities are keeping better track of our recommendations and have more mature processes for monitoring implementation. Some entities keep a register of all our recommendations, and recommendations from other integrity agency reviews and evaluations. Nevertheless, some entities still do not have adequate systems and processes for tracking their progress. They were uncertain about their progress and, therefore, vague in their responses.

Some entities have established working groups and cross-agency committees to help oversee and coordinate implementation. This can be useful, particularly where we address recommendations to multiple entities that require a coordinated approach. However, this can also be problematic if it leads to an expectation that these groups are accountable for the recommendations. Accountability for implementing our recommendations rests with the relevant organisation we make them to. This is why we ask the head of each entity (the chief executive officer) to sign their entity’s self-assessment.   

The important oversight role of audit committees

Audit committees play a critical role in the governance of an entity. They promote accountability, integrity, and transparency. They also hold management to account by monitoring the effectiveness of their performance and overseeing the implementation of audit recommendations. It is important that audit committees examine what entities have done, rather than what they intend to do, before closing a recommendation. 

Case study 1 highlights how audit and risk committees can help entities to monitor their performance.

We make recommendations to help entities improve the public services they deliver. The recommendations may address performance gaps, inefficiencies, duplication, and unnecessary risk across the public sector. We may also identify better practices, which other entities could consider.

In this section, we discuss the progress that entities reported in implementing the recommendations from previous reports. This includes:

• 343 recommendations from 17 reports tabled in 2018–19 and 2019–20
• 111 recommendations from reports tabled between 2015–16 and 2017–18, which entities reported as outstanding (partially implemented and not implemented) in last year’s report.

We begin with the overall status of implementation, then break it down into years and provide detailed analysis for specific reports. We selected these reports based on their number of outstanding recommendations or the important themes. We then report on the implementation of recommendations by departments, hospital and health services, local governments, and other entities. 

Overall status of implementation

We asked 56 entities to self-assess their progress in implementing 454 performance audit recommendations from 34 reports between 2015–16 and 2019–20. Appendix B includes a list of the reports we asked entities to self-assess against, and a summary of entities’ self-assessed progress.

Entities reported that they had:

• fully implemented 64 per cent (291)
• partially implemented 29 per cent (131)
• not implemented 3 per cent (15).

They also reported that 4 per cent (17) of recommendations were no longer applicable to them.

Figure 2A shows the status of all recommendations we issued in 2018–19 and 2019–20, and the status of recommendations that entities reported were outstanding last year. 

Status of recommendations from 2019–20

2019–20 reports to parliament with outstanding recommendations

Entities reported that all 7 reports to parliament from 2019–20 have outstanding recommendations. We show these in Figure 2B.

In the following section, we break down 2 reports selected based on the number of outstanding recommendations and the important themes they address.

Managing the sustainability of local government services

Local governments (councils) deliver essential services such as roads, water, sewerage, and waste collection to Queensland communities. They must deliver their services sustainably, despite challenges such as population growth, budget constraints, rising costs, a supply crisis, skills shortages, limited resources, and increasing demands for their services.

The financial sustainability of some councils is a major risk. For many councils, achieving financial sustainability can be difficult due to their location and small populations. Some have a low revenue base but a large infrastructure asset base to maintain. As a result, many councils rely on the support of the Queensland and Australian governments to sustain their operations.

In our report Local government 2021 (Report 15: 2021–22), we highlighted that 45 councils (approximately 60 per cent of the sector) are at either a moderate or a high risk of not being financially sustainable. We show councils’ latest financial sustainability ratios in our 2021 local government dashboard.

We have conducted a series of performance audits to examine councils’ sustainability. Our Forward work plan 2022–25 identifies audits we intend to conduct in this area in future years. Figure 2C shows the series of audits on council sustainability.

Managing the sustainability of local government services (Report 2: 2019–20) was the third in our series of reports on this issue. Councils reported implementing 27 per cent (8) of the recommendations from this report. They have partially implemented 63 per cent (19) and have not implemented 10 per cent (3). Some local governments did not explain why they had not implemented recommendations. 

For example, we recommended that councils undertake regular reviews to assess whether their services are affordable and meet their communities’ current and future needs. Western Downs Regional Council did not explain why it had not implemented this recommendation. Instead, it reported undertaking ‘ad hoc’ reviews. Similarly, Noosa Shire Council reported that it does not monitor the effectiveness or efficiency of its services.  

If councils are to be more sustainable, they must plan effectively to identify the type and level of service they can afford to provide their community. For example, the opening hours of a public swimming pool. They need to understand the full cost of delivering services, including the direct and indirect costs. Having the right information on their costs allows councils to make informed decisions on how they spend their money.

Equally, they must regularly review the performance of their services. This is particularly important with rising costs, supply shortages, and budget constraints. Regular review allows councils to prioritise services that are efficient and effective, and to consider alternative action for services not delivering value to their community.  

Managing cyber security risks

Cyber security risks now represent one of the most significant threats to organisations, with attacks increasing in intensity and frequency. The Australian Cyber Security Centre reported that, in 2020–21, cybercrime reports increased by 13 per cent, with organisations self-reporting cybercrime losses of $33 billion. One-third of the entities affected by cyber security incidents are associated with Australia’s critical infrastructure.

In Managing cyber security risks (Report 3: 2019–20), we examined whether 3 entities effectively managed their cyber security risks. We made 17 recommendations to all 3 entities.

We did not name the entities involved in this audit because:

• we did not want to compromise their security by publicly identifying their security vulnerabilities
• we wanted all entities, not just those included in the audit, to consider the recommendations and, where necessary, take action to strengthen their systems.

We recommended that all entities self-assess against the findings of the report and, where relevant:

• develop a framework for managing cyber security risk
• classify information, and identify and assess cyber security risks
• review how they manage their information technology assets
• design strategies for mitigating cyber security risks
• monitor and log the use of devices.

The entities we audited reported good progress in implementing the recommendations from this audit. They reported fully implementing 67 per cent (34) and partially implementing 31 per cent (16) of the 51 recommendations. Only one entity reported not implementing one of our recommendations. However, it has implemented some controls to improve how it manages its ICT assets and has engaged a consultant to review its cyber security, including the recommendations from our report.

While many entities have increased their focus on cyber risk, every year we continue to find weaknesses in the security of their information systems. Public sector entities, small and large, must recognise this is a genuine risk to them and act to mitigate the risk. Their profile makes them a target. They need to maintain their vigilance and continue to strengthen their controls. Entities that rely on legacy systems are particularly susceptible. Our office will continue to focus on the security of public sector systems and information. In 2022–23, we will examine how entities respond to, and recover from, cyber attacks.

Recommendations assessed as no longer applicable

The Department of State Development, Infrastructure, Local Government and Planning reported that 5 recommendations from the report Evaluating major infrastructure projects (Report 14: 2019–20) were no longer applicable.

It reported that these recommendations, addressed to Building Queensland, were no longer applicable because parliament dissolved Building Queensland in May 2021.

We agree that these recommendations are no longer applicable given they primarily related to Building Queensland’s role, strategies, and processes.

Status of recommendations from 2018–19

Reports to parliament with no outstanding recommendations

Entities reported fully implementing all recommendations from 3 reports tabled in parliament in 2018–19 or assessed the remaining recommendations as no longer applicable. These included:

• Access to the National Disability Insurance Scheme for people with impaired decision-making capacity (Report 2: 2018–19)
• Follow-up of Maintenance of public schools (Report 16: 2018–19)
• Market‑led proposals (Report 12: 2018–19).

Entities reported that the remaining 7 reports to parliament from 2018–19 have outstanding recommendations. We show these in Figure 2D. 

In the following section, we break down 2 reports selected based on the number of outstanding recommendations and the important themes they address.

Monitoring and managing ICT projects

Managing information and communication technology (ICT) projects can be complex and can present significant risks. Entities need to effectively manage ICT projects to ensure they are delivered on time and on budget and achieve their intended outcomes.

In Monitoring and managing ICT projects (Report 1: 2018–19), we made 8 recommendations, including:

• enhancing the Queensland government ICT dashboard and publishing guidelines
• implementing efficient and automated processes for collecting, collating, approving, and publishing dashboard data
• strengthening whole-of-government assurance frameworks for monitoring ICT projects
• considering the need for projects with high business impact to undergo periodic health checks
• using learnings from project health checks and gateway reviews in monitoring and managing programs and projects.

We made 4 of the 8 recommendations to 20 departments (80 recommendations in total). We addressed the remaining 4 recommendations to the Queensland Government Chief Information Office and the Department of Communities, Housing and Digital Economy.

Departments reported fully implementing 87 per cent (73) and partially implementing 7 per cent (6) of the 84 recommendations. Two departments assessed that 5 recommendations were no longer applicable.

Despite the good progress reported, we continue to find ICT projects that are over budget and delayed. Some projects fail. For example, the State Penalties Enforcement Registry spent more than $52 million on an ICT system that it never implemented. We highlighted these deficiencies in our report Effectiveness of the State Penalties Enforcement Registry ICT reform (Report 10: 2019–20).

In our report Energy 2021 (Report 7: 2021–22), we highlighted that Energy Queensland’s new information technology project is expected to be $77 million over budget. Energy Queensland recently announced that it now expects the project to be $181 million over budget and delivered one year late.

We have published 2 better practice guides, Learnings for ICT projects and Delivering successful technology projects, to help entities manage their ICT projects.

Audit committees can play an important role helping entities monitor their ICT projects. In our report Effectiveness of the State Penalties Enforcement Registry ICT reform, we recommended that Queensland Treasury updates its Audit Committee Guidelines to ensure audit committees are required to monitor and receive reports from management on risks for major ICT projects. Treasury has partially implemented this recommendation. It advised it has commenced amending its guidelines and is consulting with relevant stakeholders about the proposed changes. In April 2022, it requested that we grant it an extension to update its guidelines. We have agreed to extend the date for issuing the updated guidelines to 31 December 2022.                                                                                  

Delivering forensic services 

Forensic services, such as DNA testing, play a critical role in criminal investigations. Police, prosecutors, and the courts rely on forensic services to help them identify, exonerate, prosecute, and convict people suspected of committing crimes.

In our audit Delivering forensic services (Report 21: 2018–19), we assessed whether agencies deliver forensic services efficiently and effectively in investigating crime and prosecuting offenders.

We recommended that the Queensland Police Service and Queensland Health implement a governance structure to effectively coordinate and provide accountability for managing forensic services across agencies.

Both entities reported only partially implementing this recommendation, despite receiving it more than 3 years ago. They reported they had drafted a memorandum of understanding but could not agree because it did not contain performance criteria and cost information. As such, the entities still have not formally agreed on their objectives or their expectations for delivering forensic services. This may result in uncertainty, conflicting priorities, and unnecessary work. It is important these agencies formalise this agreement as a matter of priority.

In June 2022, the Queensland Government announced an independent Commission of Inquiry into Forensic DNA Testing in Queensland. The Commission will report back to government on its findings in December 2022.

Recommendations assessed as no longer applicable

Entities reported that 9 recommendations from 2018–19 were no longer applicable. The most common reason was due to changes in government policy. For example, 3 hospital and health services reported that 3 recommendations from the report Digitising public hospitals (Report 10: 2018–19) were no longer applicable, as Queensland Health stopped the rollout of the Integrated Electronic Medical Record program in December 2019.

The Department of Seniors, Disability Services and Aboriginal and Torres Strait Islander Partnerships reported that 4 recommendations from Monitoring and managing ICT projects (Report 1: 2018–19) were not applicable. It reported that it has a memorandum of understanding with another agency to manage and support its ICT services, which the recommendations related to.  

We agree that these recommendations are no longer applicable.

Status of outstanding recommendations from prior years

In our report 2021 status of Auditor-General’s recommendations (Report 4: 2021–22), we highlighted that 111 recommendations were outstanding.  

Of these, entities reported that this year they: 

• fully implemented 40 per cent (45)
• partially implemented 48 per cent (53)
• had not implemented 9 per cent (10).

They reported that the remaining 3 per cent (3) of recommendations were no longer applicable.

Age of outstanding recommendations

Figure 2E shows the age of the 63 outstanding recommendations. 

On average, these outstanding recommendations are 5 years old. Three recommendations made to local government remain only partially implemented from our report Flood resilience of river catchments (Report 16: 2015–16), despite being issued more than 6 years ago. Similarly, 22 recommendations from our report Forecasting long‑term sustainability of local government (Report 2: 2016–17) remain outstanding despite being issued more than 5 years ago.  

Recommendations assessed as no longer applicable

Children’s Health Queensland Hospital and Health Service reported that 2 recommendations from our report Efficient and effective use of high value medical equipment (Report 10: 2016–17) were not applicable to a paediatric operating environment.

Gold Coast Hospital and Health Service reported that one recommendation from our report Queensland public hospital operating theatre efficiency (Report 15: 2015–16) was no longer applicable. It took an alternative approach to address the underlying issue we raised.

We agree that these recommendations are no longer applicable.

Progress of implementation by entity type

In the following section, we analyse reported progress in implementing recommendations by:

• departments
• hospital and health services (HHSs)
• local governments
• other entities.

Departments

We asked departments to self-assess their progress in implementing 202 recommendations issued to them in 2018–19 and 2019–20 and 27 outstanding recommendations from last year’s report.  

They reported implementing 74 per cent of the 229 recommendations.

The following 10 departments reported implementing all recommendations:

• Department of Agriculture and Fisheries
• Department of Children, Youth Justice, and Multicultural Affairs
• Department of Education
• Department of Energy and Public Works
• Department of Regional Development, Manufacturing and Water
• Department of the Premier and Cabinet
• Department of Tourism, Innovation and Sport
• Department of Transport and Main Roads
• Public Service Commission
• The Public Trustee of Queensland.

The remaining 12 departments did not implement all their recommendations.

Figure 2G shows the departments that reported partially implementing and/or not implementing some of the recommendations.

Some departments, such as the Department of Transport and Main Roads, provided detailed comments explaining the action they had taken and the outcomes of those actions. Others provided responses that lacked sufficient detail. For example, the Queensland Police Service reported that it had not implemented recommendation 5 from our report Criminal justice system—reliability and integration of data (Report 14: 2016–17). However, it did not explain why it had not implemented the recommendation or explain what additional action it intends to undertake.

Few entities clearly explained the outcome of their actions (despite being asked to). We do not know whether they failed to evaluate the outcome of their actions or whether they simply did not report on them. Evaluating the success of any program or activity is pivotal to continuous improvement. Timely and robust evaluations help entities determine what has worked well and what they can improve.

Hospital and health services (HHSs)

We asked 11 HHSs to self-assess their progress implementing 36 recommendations made to them in 2018–19 and 2019–20 and 42 outstanding recommendations from last year’s report.

Five HHSs reported implementing all recommendations:

• Cairns and Hinterland HHS
• Darling Downs HHS
• Mackay HHS
• Metro North HHS
• Townsville HHS.

Six HHSs reported having outstanding recommendations.

Figure 2I shows the 6 HHSs that reported having outstanding recommendations.

We tabled one report, Digitising public hospitals (Report 10: 2018–19), that had recommendations addressed to HHSs in 2018–19 and 2019–20. We asked the 9 HHSs that participated in the rollout of the Integrated Electronic Medical Record (ieMR) program to self-assess their progress.

They reported implementing 89 per cent (32) of the 36 recommendations.

The Department of Health paused the rollout of the ieMR program in July 2019, as it sought to assess the benefits from the program. In June 2022, the Queensland Government announced an additional $300 million to continue the program’s rollout over the next 5 years. The government expects to implement ieMR across another 4 hospitals by 2027 (in addition to the 16 hospitals already using it) and upgrade the capability of one hospital that had intermediate ieMR capability.

Local governments

We asked local governments (councils) to self‑assess their progress implementing 37 recommendations made to them in 2018–19 and 2019–20 and 40 outstanding recommendations.

Two councils reported implementing all recommendations:

• Cairns Regional Council
• Gold Coast City Council.

Councils reported implementing 26 per cent (20) of the recommendations. The other 57 remain outstanding. Although councils reported a high number of outstanding recommendations, in many cases they are acting on them. The high percentage of partially implemented recommendations reflects this.

Figure 2K shows the status of recommendations by councils that reported having outstanding recommendations. Councils vary widely in their size and location, and in the range of community services they provide. To enable comparison, we have grouped them into 5 common segments used by the Local Government Association of Queensland: Coastal, Resources, Rural/Regional, Rural/Remote, and South East Queensland.

Some councils provided detailed responses. For example, Cairns Regional Council provided detailed comments about its actions implementing recommendations from Managing consumer food safety in Queensland (Report 17: 2018–19). It also clearly explained the outcome of its actions.

Other councils provided responses that were inconsistent with the response they provided last year. For example, in our report Forecasting long-term sustainability of local government (Report 2: 2016–17) we recommended councils improve the quality of their long-term forecasts and financial planning by maintaining complete and accurate asset condition data and asset management plans. Last year, Paroo Shire Council reported that it had partially implemented this recommendation. This year it reported that it had not implemented the recommendation but did not explain why.

Similarly, in our report Managing local government rates and charges (Report 17: 2017–18), we recommended that all councils publish a hardship policy to assist ratepayers to seek a concession for hardship. Last year, Richmond Shire Council reported that it had partially implemented this recommendation. This year it reported that it had not implemented the recommendation. It also did not explain why.

These councils need to keep better track of the recommendations we make and the action they are taking.

Other entities

We made 17 recommendations to the following entities:

• GasFields Commission Queensland
• Queensland Building and Construction Commission
• TAFE Queensland.

They reported implementing 65 per cent (11) of the recommendations and partially implementing 35 per cent (6).

Status of recommendations from follow-up audit reports

Our follow-up audits examine entities’ effectiveness in implementing the recommendations we made in our initial report. We report the detailed results of these follow-up audits separately to parliament.

In 2018–19, we tabled 3 follow-up reports:

• Follow-up of Bushfire prevention and preparedness (Report 5: 2018–19)
• Follow‑up of Maintenance of public schools (Report 16: 2018–19)
• Follow-up of Managing child safety information (Report 20: 2018–19).  

Our follow-up audits Bushfire prevention and preparedness and Managing child safety information did not contain any new recommendations. However, our findings highlighted that the in-scope entities had only partially implemented the recommendations from the original reports. As such, we asked the relevant entities to self-assess their progress against the outstanding recommendations we made in the original reports Bushfire prevention and preparedness (Report 10: 2014–15) and Managing child safety information (Report 17: 2014–15).

Queensland Fire and Emergency Services reported fully implementing the 2 outstanding recommendations from our report on bushfire prevention and preparedness. It provided detailed comments about its actions. This included establishing more than 50 area fire management groups to help mitigate Queensland’s bushfire risk.

The Department of Children, Youth Justice and Multicultural Affairs reported fully implementing 3 recommendations from our report on managing child safety information. It has only partially implemented the remaining 3 recommendations. It is currently developing a new system to improve information sharing and collaboration with key stakeholders. It expects to complete this in 2024.

We made a new recommendation in our report Follow‑up of Maintenance of public schools (Report 16: 2018–19). We recommended that the Department of Education supports all schools to develop 3-year maintenance plans for all school buildings with a replacement value greater than $100,000. The department reported fully implementing this recommendation.

We use the information we obtain from entities’ self-assessments, in conjunction with our other monitoring processes, to determine which follow-up audits we will undertake. Each year, we usually select one or 2 past audits to follow up to provide assurance over entity progress in implementing our recommendations.

We are currently undertaking a follow-up audit of Conserving threatened species (Report 7: 2018–19), which we expect to table in late 2022.

We will include any proposed follow-up audits in our upcoming Forward work plan 2023–26.