Report 17: 2020–21

Local government 2020

Audit objective

This report summarises the audit results of Queensland’s 77 local government entities (councils) and the entities they control.

Overview

Queensland's local governments are the first line of connection to communities; providing Queenslanders with a wide range of services such as roads, water and waste, libraries, and parks. This year, the COVID-19 pandemic presented new challenges for local governments to deliver these services while under immense pressure in a time of unpredictable change.

Tabled 22 April 2021. 

Elim Beach

Auditor-General’s foreword

This year, the emergence of COVID-19 presented challenges for local governments on a never before seen scale. Local councils are the first line of connection to communities; providing Queenslanders with essential services, which involves a high level of interaction. The resources councils needed to deliver these services were put under immense pressure.

The task councils also faced in delivering on their financial reporting accountabilities should not be underestimated. I wish to recognise and thank them for their efforts. Most councils ensured they could provide us with their data and information when faced with the need to work more remotely. This meant we could deliver our audit and assurance services and prepare our reports to parliament in line with our planned time frames.

I also wish to thank my workforce—Queensland Audit Office staff and our audit service providers—for their dedication during this busy and unique period. I recognise how committed they were to our ethos of service delivery and in supporting our clients.

Our new ways of engaging from afar during the pandemic meant we could continue to share our insights and advice with our clients on an ongoing basis and maintain our working relationships. When restrictions began to lift, we appreciated more than ever the value of in-person engagement. My team and I visited some councils in western Queensland to hear about their experiences during the pandemic and to receive feedback on our services. We have more visits across Queensland planned for the coming year.

We do not know what 2021 will bring, but we know the impacts of the pandemic will be enduring for years to come. The state and federal governments have heavily relied on borrowings, to stimulate the Queensland and Australian economies. Councils will need to consider the impact of the pandemic to their overall sustainability and how they continue to provide the essential services to their communities in a cost affordable manner. 

We will all apply our learnings from 2020 to manage change, and emerging and new risks, and to further refine and improve our processes. I believe councils and QAO will continue to successfully work together as part of a shared commitment to the Queensland community.

Brendan Worrall
Auditor-General

Elim Beach

Report on a page—results of our audits

This report summarises the audit results of Queensland’s 77 local government entities (councils) and the entities they control.

Financial statements are reliable

As at the date of this report, 75 of 77 councils (2019: 73 of 77) had completed their financial statements. This was a significant achievement given the challenges presented by COVID-19 and the substantial turnover in elected representatives following the March 2020 local government elections.

The financial statements of councils, and the entities they control, are reliable and comply with relevant laws and standards.

COVID-19 travel restrictions and responding to community needs on short notice meant some councils were unable to value their assets in a timely manner and most councils had not fully assessed the impact of three new accounting standards on their financial statements. Together, these factors led to a decline in the timeliness and quality of the financial statements. 

Financial sustainability continues to deteriorate

Councils’ financial performance continued to deteriorate in 2020. This was not unexpected. Travel restrictions, community lockdowns and initiatives to support their communities through the pandemic, meant councils earned lower revenue (waiving or discounting revenue from car parking, dining, and reduced patronage at public facilities and airports). And they incurred more expenditure (higher employee costs by bringing forward capital projects, maintaining quarantine facilities and border controls, and increased cost of cleaning of council and public facilities). This resulted in 70 per cent of Queensland councils spending more than they earned in 2020, which is 25 per cent worse than last year.

Most councils with a high reliance on grants from state and federal governments have consistently incurred operating losses each year for the last five years. We have found that these councils that regularly incur operating losses often have weak strategic planning, asset management, and financial management practices. That said, planning for financial sustainability is a challenge for these councils because the current funding model provides grants to councils largely on a year-by-year basis, making medium- to long-term planning difficult. 

The Department of State Development, Infrastructure, Local Government and Planning (the department) could assist councils by providing greater baseline funding certainty with multi‑year grant programs. The department could also work with councils to improve financial and asset management capability.

As of 30 June 2020, 25 councils are at a high risk of not being financially sustainable. This is four more councils than last year and represents approximately one-third of the sector.

Since 2013, the department has used three financial ratios to measure the sustainability of councils. These ratios set specific benchmarks that are applied to all the councils, regardless of their size and circumstances. The department recognises the need to update its sustainability measures and is developing options for new measures.

Elim Beach

Report on a page—internal controls

Councils need to strengthen their governance

Each year, we assess councils’ internal controls—the people, systems, and processes they use to achieve their objectives, prepare reliable financial reports, and comply with applicable laws. All weaknesses need to be addressed, but some of them are significant and should be prioritised.  

Between 2017 and 2019, councils made progress in resolving the weaknesses in their internal controls. Despite this recent progress, the change to the working environment this year has contributed to an increase in the number of significant weaknesses in internal controls.

More than one-third of councils do not have appropriate processes in place to identify and manage their strategic and operational risks. This exposes them to a higher risk of not being able to meet their objectives, or operational failures, fraud or error.

Also of concern is that, as at 30 June 2020, 10 councils (2019: 12 councils) still did not have an audit committee nor an active internal audit function. In addition to that, six councils (2019: six councils) did not have an audit committee and two councils (2019: one council) did not have an active internal audit function. An effective audit committee and internal audit function help councils ensure their internal controls are effective, risk management and financial reporting processes are strong, and audit recommendations are resolved in a timely manner. This enhances governance and increases councils’ ability to run their businesses effectively and efficiently.

Information systems are vulnerable

We continue to identify weaknesses in the controls councils use to secure their information systems. We found inappropriate user access to systems, unauthorised installation of applications on council networks, inadequate segregation of duties (to make sure there are checks in place), and poor password practices.

Information systems are open to cyber attacks, and this year one council was the victim of a successful ransomware attack, resulting in disruptions to its financial and operational activities.

Councils need to appropriately secure access to their financial systems, as they underpin the integrity of their financial reporting and operations.

Procurement and contract management processes need to be improved

Some councils are not following established procurement processes to demonstrate they have obtained value for money or prove they had the appropriate approvals to obtain goods and services.  

In addition, some councils do not have a contract register containing all the necessary information (for example, start and end dates of the contract) they need to manage their contracts effectively. This exposes them to various financial and reputational risks, including the risk of their suppliers not delivering on agreed terms.

Elim Beach

Recommendations for councils

We make the following recommendations to the councils:

Improve financial reporting by strengthening month-end and year-end financial reporting processes

REC 1

Councils should strengthen their month-end and year-end processes to assist with timely and accurate monthly internal financial reporting and their annual financial statements.

We recommend all councils use their recent financial statement preparation experiences to perform an initial self-assessment against the maturity model available on our website.

Improve valuation and asset management practices

REC 2

  • Councils need to engage with asset valuers early to complete the valuation of assets well before year end.
  • Councils need to use accurate information in their long-term asset management strategies and budget decisions.
  • Councils need to regularly match the asset data in their financial records to the asset data in their engineering/geographic information systems to ensure it is complete and reliable.

Strengthen security of information systems

REC 3

We recommend all councils strengthen the security of their information systems. Councils rely heavily on technology, and increasingly, they have to be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage. 

Councils’ workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems. 

All entities across the local government sector should:

  • provide security training for employees so they understand the importance of maintaining strong information systems, and their roles in keeping them secure
  • assign employees only the minimum access required to perform their job, and ensure important stages of each process are not performed by the same person
  • regularly review user access to ensure it remains appropriate
  • monitor activities performed by employees with privileged access (allowing them to access sensitive data and create and configure within the system) to ensure they are appropriately approved
  • implement strong password practices and multifactor authentication (for example, a username and password, plus a code sent to a mobile), particularly for systems that record sensitive information
  • encrypt sensitive information to protect it
  • patch vulnerabilities in systems in a timely manner, as upgrades and solutions are made available by software providers to address known security weaknesses that could be exploited by external parties.

Councils should also self-assess against all of the recommendations in Managing cyber security risks (Report 3: 2019–20) to ensure their systems are appropriately secured.

Improve risk management processes

REC 4

Councils should have a complete and up-to-date risk management framework including:

  • comprehensive risk registers that identify risks (including the risk of fraud) and appropriate risk mitigation strategies
  • current and relevant business continuity and disaster recovery plans and that these plans are tested periodically.

Enhance procurement and contract management practices

REC 5
  • Councils need to ensure they obtain value for money for the goods and services they procure and that they have the appropriate approvals to procure the goods and services. 
  • To effectively manage their contractual obligations, councils should ensure their contract registers are complete and contain up-to-date information.
1
Elim Beach

Recommendations for the department

We make the following recommendations to the Department of State Development, Infrastructure, Local Government and Planning (the department).

Require all councils to establish audit committees

REC 6

We continue to recommend that the department requires all councils to establish audit committees and that the chairperson of this committee is independent of council and management.

In light of the difficulties some councils have faced with internal control weaknesses, fraud, ransomware, and achieving financial sustainability, this is more important now than ever.  

Makes changes to sustainability ratios

REC 7

We recommend that the department develops new financial sustainability ratios for Queensland councils. In developing these ratios and associated targets, we recommend that the department considers the different sizes, services, and circumstances of the various councils.

We also recommend that the new financial sustainability ratios be established in time for the year ending 30 June 2022.

Provide greater certainty over long-term funding

REC 8

We recommend that the department reviews its current funding model to identify opportunities to provide funding certainty to councils beyond one financial year. A three- to five‑year funding model would assist councils, especially those heavily reliant on grants, to develop and implement more sustainable medium- to long‑term plans.

Provide training to councillors and senior leadership teams around financial governance

REC 9

We recommend that the department provides periodic training to councillors and the senior leadership team for councils that are highly reliant on grants. The training should focus on helping these councils:

  • establish strong leadership and governance
  • enhance internal controls and oversight
  • improve financial sustainability in the long term.
1

Reference to comments

In accordance with s. 64 of the Auditor-General Act 2009, we provided a copy of this report to relevant entities. In reaching our conclusions, we considered their views and represented them to the extent we deemed relevant and warranted. Any formal responses from the entities are at Appendix A.

Elim Beach

1. Overview of entities in this sector

FIGURE 1A
Entities in the local government sector
 

Queensland Audit Office.

1
Elim Beach

2. Results of our audits

This chapter provides an overview of our audit opinions for the local government sector.

Chapter snapshot

Graphic showing 'Decrease in quality and timeliness of reporting. 75 unmodified opinions for councils; 61 council statements signed by their legislative deadline; 22 councils made no adjustments to draft financial statements; 67 unmodified opinions for council-related entities. 2 recommendations for councils (enhance month-end and year-end financial reporting processes; improve valuation and asset management practices).'
1
Definition

We express an unmodified opinion when the financial statements are prepared in accordance with the relevant legislative requirements and Australian accounting standards.

We issue a qualified opinion when the financial statements as a whole comply with relevant accounting standards and legislative requirements, with the exceptions noted in the opinion.

We include an emphasis of matter to highlight an issue of which the auditor believes the users of the financial statements need to be aware. The inclusion of an emphasis of matter paragraph does not change the audit opinion.

Challenges faced by local government in 2020

Unpredictable change and new challenges impacted councils’ financial performance and reporting processes this year, which in turn affected their ability to finalise their financial statements in a timely manner.

Against the COVID-19 backdrop of physical distancing, lockdowns and border closures, councils needed to support their communities with various relief measures while continuing to deliver essential services. Council staff also had to quickly enhance their information technology systems to support a more mobile workforce.

Councils contended with the introduction of three new accounting standards, which were complex. But earlier and more timely planning by councils over the past three years may have alleviated some of the pressures these presented.

Local government elections in March 2020 created further change, with 272 new elected members (making up approximately half of all councillors). This required a period of induction for new members and meant councils revisited their priorities and strategic direction in some areas.

Audit opinion results

Status of audit of financial statements

At the date of this report, we had issued audit opinions for 75 councils (2019: 73 councils) and 67 of the entities they control (2019: 72 controlled entities). Of the 75 councils we issued audit opinions for:

  • 61 councils (2019: 68 councils) met their legislative deadline
  • 10 councils (2019: four councils) met the extended time frame granted by the minister
  • four councils (2019: nil) did not meet their legislative deadline.

The council financial statements we signed are reliable

We found that the 75 councils’ financial statements were reliable and comply with relevant laws and standards. Of these, we included an emphasis of matter in our audit reports of two councils to highlight:

  • uncertainty over Wujal Wujal Aboriginal Shire Council’s ability to repay its debts as and when they arise
  • that Mount Isa City Council did not recognise an obligation to remediate its landfills.
For the first time in three years, Doomadgee Aboriginal Shire Council met its statutory deadline and received an unmodified opinion. This is a good result.
1

    Two controlled entities—Artspace Mackay Foundation and Local Buy Trading Trust—received qualified opinions because they were unable to provide us with enough evidence to demonstrate the completeness of the revenue they recorded.

    We also included emphases of matter in our audit reports for 11 controlled entities for the following reasons:

    • nine controlled entities decided to wind up their operations
    • one controlled entity was reliant on financial support from its parent entity
    • one controlled entity was unable to pay its debts as and when they fall due.

    Appendix E provides the results of the financial audits.

    Entities exempt from audit and those we do not issue an audit opinion for

    Not all local government entities are required to prepare financial statements or are required to be audited by the Auditor-General. Appendices F and G list these entities.

    Status of unfinished audits from previous years

    At the time we tabled Local government entities: 2018–19 results of financial audits (Report 13: 2019–20) in February 2020, four councils and six council-related entities had not finalised their financial statements. All of them subsequently finalised their financial statements (including financial sustainability reports for the councils).

    Palm Island Aboriginal Shire Council received a qualified opinion regarding completeness and accuracy of the revenue it reported. We also included an emphasis of matter in our audit opinion drawing attention to an ongoing investigation by the Crime and Corruption Commission.

    Doomadgee Aboriginal Shire Council received a qualified opinion, as the depreciation expense (which measures wearing out of assets) it recognised in its financial statements for the previous year was incorrect.

    For two council-related entities—Major Brisbane Festivals Pty Ltd and Townsville Breakwater Entertainment Centre Joint Venture—we included an emphasis of matter in our audit opinion about their ability to pay debts as and when they fall due. 

    The other two councils and the remaining four council-related entities all received unmodified opinions.

    Appendix H provides a full list of these entities and the results of their audits.

    Financial statement preparation processes

    FIGURE 2A
    Financial statement preparation processes
    Image showing three graphs. Year-end processes (47% fully implemented; no change compared to 2018-19); Timeliness (62% timely; down 33% compared to 2018-19); Quality (31% made no adjustments; down 17% compared to 2018-19).

    Queensland Audit Office.

    1

    This year, we noted a decline in the timeliness and quality of local government financial statements. Travel restrictions and community lockdowns impacted councils’ ability to complete independent valuations of their assets in a timely manner. Audit teams also needed to shift when they visited councils and how to complete their work.

    Our assessment of the effectiveness of each council’s financial statement preparation processes is included in Appendix J.

    Common issues with financial statement preparation processes

    Councils were generally under-prepared for the changes arising from the new accounting standards

    This year, councils adopted three new Australian accounting standards, which became mandatory for the first time. Two related to how revenue is recognised in financial statements, and one was about the leasing of assets.

    Implementation of the new accounting standards resulted in an increase to the sector’s total liabilities of $983 million (or 11 per cent). This is offset by a $528 million increase in assets.

    These accounting standards had been in place for at least three years before they became mandatory in 2019–20. However, most councils did not use this time to determine the impact these accounting standards would have on their financial statements until late in the 2019–20 financial year. This contributed to the decline in the quality and timeliness in finalising financial statements compared to the previous years.

    Most councils also recorded the impact of the new accounting standards only as a part of their year-end financial statement process, meaning that the balances they reported in their monthly financial reports were incorrect. This may have affected decisions made by elected members—who rely on the monthly financial reports when considering where to spend money.

    Ineffective month-end and year-end processes

    Councils perform processes at the end of each month and year that assist in the preparation of their financial statements. In conducting the audit, we consider the systems and processes (internal controls) councils use to prepare financial reports and comply with applicable laws.

    We identified 65 deficiencies in the internal controls across 29 councils, where those councils did not follow good accounting practices in preparing their month-end and year-end financial reports. This year, these processes were impacted not only by the introduction of the three new accounting standards, but also by changes in working arrangements due to COVID-19.

    The most common deficiencies identified included:

    • reconciliation (matching) of important balances in the financial statements with supporting documents not being performed in a timely manner or not performed at all
    • quality review by council management over month-end and year-end financial reports was either inadequate or did not occur.
    Financial statement preparation maturity model

    A council’s effectiveness in preparing financial statements is influenced by the strengths and weaknesses of its financial reporting processes. Councils with good, established processes produce good quality month-end and year-end financial reports. This enables them to achieve more timely and higher-quality financial statements, because the year-end processes are an extension of the month-end processes.

    We have developed a reporting tool for assessing financial statement preparation—the financial statement preparation maturity model. This model will assist councils in identifying improvement opportunities in their financial reporting processes and can be adapted for entities of different sizes and circumstances. This model is available on our website.

    Recommendation for all councils

    Improve financial reporting by strengthening month-end and year-end financial reporting processes (REC 1)

    Councils should strengthen their month-end and year-end processes to assist with timely and accurate monthly internal financial reporting and their annual financial statements.

    We recommend all councils use their recent financial statement preparation experiences to perform an initial self-assessment against the maturity model available on our website.
    1

    Councils continue to find valuation processes, asset management plans, and asset data maintenance a challenge

    As of 30 June 2020, councils reported total property, plant and equipment assets of $112 billion (2019: $107 billion). The valuation activities undertaken by councils in relation to these assets are complex, with most councils relying on the expertise of external valuers to assist in determining fair values (the amounts for which the assets could be exchanged in a fair transaction).

    Asset valuation continues to be one of the year-end processes most often not completed in a timely manner. COVID-19 travel restrictions made it even more complex this year, with valuers unable to visit some communities to assess the value of the assets.

    Councils that engaged with their valuers early in the financial year were able to complete their asset valuations in a timely manner and were able to reflect the changes in the asset values before producing their financial statements.

    Assessing the fair value of assets provides councils with the approximate cost of replacing an asset in the future—in today’s dollars. This, combined with asset management plans, helps councils with their decisions on when to maintain, renew or replace assets.

    As at 30 June 2020, 11 councils (2019: 13 councils) have outdated or incomplete asset management plans. Of these, four have populations more than 20,000 and three of them are experiencing population growth. This is relevant because planning is particularly important for large and growing councils.

    Asset management is critical to the long-term sustainability of the local community. If councils do not budget appropriately for the significant cost of maintaining, replacing, or upgrading assets, they risk being unable to provide safe and consistent services to the community.

    An effective asset management plan is reliant on good data about assets. Asset data is maintained on councils’ financial systems and on the geographic information systems they use to capture, store, and manage the detailed components of their assets (such as roads, bridges, and dams). The data in these two systems should be reconciled (matched) periodically and any differences should be resolved in a timely manner. 

    We continue to see councils identifying ‘found assets’ that they have not previously recorded in their financial systems. This primarily arises from not reconciling the asset data between the financial systems and geographic information systems. This year, nine councils (2019: 10 councils) that reported found assets made changes to their financial statements for a total amount of $230 million (2019: $497 million). 

    To ensure effective decision-making and efficient use of public money, the engineers (who build and maintain assets) and accountants (who manage the finances) must work with the same asset data. When this is not the case, a council’s decisions may be compromised, and it is at risk of wasting public money.

    Recommendation for all councils

    Improve valuation and asset management practices (REC 2)
    • Councils need to engage with asset valuers early to complete the valuation of assets well before year end.
    • Councils need to use accurate information in their long-term asset management strategies and budget decisions.
    • Councils need to regularly match the asset data in their financial records to the asset data in their engineering/geographic information systems to ensure it is complete and reliable.
    1
    Elim Beach

    3. Internal controls in local governments

    Internal controls are the people, systems, and processes that ensure an entity can achieve its objectives, prepare reliable financial reports, and comply with applicable laws. Features of an effective internal control environment include:

    • a strong governance framework that promotes accountability and supports strategic and operational objectives
    • secure information systems to maintain the integrity of data
    • robust policies and procedures, including appropriate financial delegations
    • regular monitoring by management and internal audit reviews.

    This chapter reports on the effectiveness of councils’ internal controls and highlights important challenges for the local government sector. Appendix J provides a more detailed assessment.

    Where we identify weaknesses in the controls, we categorise them as either ‘deficiencies’, which need to be addressed over time, or ‘significant deficiencies’, which are high risk and need to be addressed immediately.

    Chapter snapshot

    Local Government 2020_Chapter 3 snapshot
    1

    Strong governance is needed to resolve weaknesses in internal controls

    Between 2017 and 2019, councils made significant progress in addressing the weaknesses in their internal controls by reducing the number of unresolved significant issues.

    However, in 2020, we identified 228 significant issues, with 140 (2019: 133) of these issues yet to be resolved at 30 June 2020.

    We understand that the challenges imposed by COVID-19 may have made it more difficult to resolve these deficiencies. But the working from home arrangements required by COVID-19 make it more crucial that councils strengthen their oversight of internal controls and address the identified weaknesses.

    The local government elections in March 2020 resulted in turnover of approximately 50 per cent of the elected officials. Following the elections, there were also changes in chief executive officers (CEOs) at a number of councils. Elected officials and CEOs dictate the tone at the top and shape the culture of the organisation, which in turn drives the overall control environment.

    Having an effective audit committee and an active internal audit function can assist in providing the right advice to these elected officials and CEOs and help them resolve these significant issues in a timely manner.

    Figure 3A shows the total significant deficiencies we have identified in the sector and the number that have remained unresolved over the last five years.

    FIGURE 3A
    Total significant issues and unresolved significant issues
    Local government 2020_Figure 3A

    Queensland Audit Office.

    1

    Audit committees and internal audit

    In our previous reports, we have stressed the importance of audit committees and internal audit functions to the overall control environment of councils.

    An effective audit committee is an important element of good governance. It plays a pivotal role in ensuring management fulfils its responsibilities relating to financial reporting, internal control systems, risk management systems, and internal audit.

    Effective internal audit functions provide unbiased assessments of an organisation’s operations and continuous review of the effectiveness of governance, risk management, and control processes. Internal auditors evaluate risks and can assist in establishing effective fraud prevention measures by assessing the strengths and weaknesses of controls.

    As at 30 June 2020, 10 councils (2019: 12 councils) do not have either an audit committee nor an active internal audit function. In addition, a further:

    • six councils (2019: six councils) still do not have an audit committee
    • two councils (2019: one council) do not have an internal audit function or have had no internal audit activity during the year.

    In each case, this weakens the council’s governance, resulting in more internal control breakdowns, poor financial processes, and a higher risk of being financially unsustainable.

    Together, these councils accounted for more than 50 per cent of the unresolved significant deficiencies in the sector. Three of these councils have not met their statutory deadline for financial reporting for the last two years.

    Most of these councils are highly reliant on grants and are deemed to be at a higher risk of being financially sustainable. These councils are already under financial pressure and see the cost of establishing an audit committee and an internal audit function as additional burden on their already deteriorating financial results. Often located in remote areas of Queensland, these councils are challenged with sourcing:

    • independent audit committee members with the right skills and experience
    • internal audit service providers at a reasonable cost.

    Advancements in technologies such as videoconferencing and remote working capabilities now provide opportunities for these councils to engage the right candidates to establish an effective audit committee and internal audit function, at a lower cost.

    Recommendation for the Department of State Development, Infrastructure, Local Government and Planning

    Require all councils to establish audit committees (REC 6)

    We continue to recommend that the department requires all councils to establish audit committees and that the chairperson of this committee is independent of council and management.

    In light of the difficulties some councils have faced with internal control weaknesses, fraud, ransomware, and achieving financial sustainability, this is more important now than ever.

    1

    Common internal control deficiencies

    In this section of the report, we describe the common issues we have identified with internal controls at councils. 

    Security of information systems

    Each entity uses its information systems extensively to process the information for its financial statements. Weaknesses in controls over information systems increase the risk of undetected errors or financial loss, including from fraud.

    This year, there has been a significant increase in external attacks, as cyber criminals attempt to take advantage of changes in working arrangements necessitated by the COVID-19 pandemic.

    This year, weaknesses in one Queensland council’s internal controls meant its systems were not adequately protected, and a successful cyber attack had a significant impact on its operations. This is described in Case study 1 (Figure 3B).

    FIGURE 3B
    Case study 1
    Impact of cyber attack on a council

    This year, one regional council was subject to a ransomware attack. A ransomware attack is a form of a cyber attack where the attacker gains access to information systems and demands a ransom to return the information. 

    The cyber attacker gained access to all council systems, including the backup data that was stored on the council’s network.

    The impacts of this attack were:

    • the council was unable to access systems and information, with full restoration taking an extended period (for example, payroll and creditors had to be paid manually for five weeks)
    • normal activities could not be performed or were delayed (for example, the council was unable to prepare monthly financial management reports)
    • key staff, including information technology staff and contractors, needed to work extended hours to resolve the situation
    • significant time was spent by council staff in dealing with various parties and investigating the source of the data breach.

    The council has now taken action to strengthen its controls, including:

    • understanding the ways that external parties (such as suppliers, banks, and the public) access the council’s network, and what opportunities this could provide to external attackers
    • strengthening its password controls
    • increasing staff training on the risks associated with emails, and opening attachments and clicking links
    • engaging independent professional experts to periodically test the security controls on its information systems and provide recommendations for improvements.

    This matter was reported to the Queensland Government Cyber Security Unit of the Queensland Government Customer and Digital Group (formerly the Queensland Government Chief Information Office). 

    This incident highlights the importance of cyber security for all councils, not just large or higher-profile councils.

    Queensland Audit Office.

    1

    Cyber threats will continue and are likely to increase. Councils need to remain vigilant in managing their cyber security risks, which means promptly addressing internal control weaknesses.

    As of 30 June 2020, 32 councils did not have sufficient controls in place to protect their information systems. Common weaknesses we identified in the security of information systems this year include the following:

    • Access to systems was not restricted to current employees.
    • Employees were given access to perform multiple activities in a process (meaning there was not enough segregation of responsibilities at different stages of the process), or activities beyond what they needed to perform their job.
    • The activities of employees with privileged access (allowing them to access sensitive data and create and configure within the system with no restrictions) were not monitored to ensure they were appropriately approved.
    • Employees were assigned incorrect delegations in the finance system, increasing the risk of unauthorised transactions.
    • Security settings allowed unapproved applications to be installed on council networks, increasing the risk of malware and cyber attacks.
    • Passwords were not sufficiently complex (so could be easily guessed) or were not required to be changed regularly.

    Recommendation for all councils

    Strengthen security of information systems (REC 3)

    We recommend all councils strengthen the security of their information systems. Councils rely heavily on technology, and increasingly, they have to be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage.

    Councils’ workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems.

    All entities across the local government sector should:

    • provide security training for employees so they understand the importance of maintaining strong information systems, and their roles in keeping them secure
    • assign employees only the minimum access required to perform their job, and ensure important stages of each process are not performed by the same person
    • regularly review user access to ensure it remains appropriate
    • monitor activities performed by employees with privileged access (allowing them to access sensitive data and create and configure within the system) to ensure they are appropriately approved
    • implement strong password practices and multifactor authentication (for example, a username and password, plus a code sent to a mobile), particularly for systems that record sensitive information
    • encrypt sensitive information to protect it
    • patch vulnerabilities in systems in a timely manner, as upgrades and solutions are made available by software providers to address known security weaknesses that could be exploited by external parties.

    Councils should also self-assess against all of the recommendations in Managing cyber security risks (Report 3: 2019–20) to ensure their systems are appropriately secured.

    1

    Risk management

    Councils operate in a complex environment and are subject to risks from internal and external forces. We found that 29 councils do not have sufficient risk management processes in place to identify and manage these risks. As a result, they face a greater likelihood of loss, or of failing to achieve their objectives.

    Common issues relating to risk management include the following:

    • Councils either do not have a risk management framework or have one that is very outdated. 
    • Councils do not have a complete risk register that captures the risks they are exposed to.
    • Councils either have no business continuity and disaster recovery plans, or these plans are in draft that have neither been approved nor tested to confirm they would be effective in the event of a disaster.
    • Councils have either not completed a fraud risk assessment or have not adequately assessed their risk of fraud.

    Recommendation for all councils

    Improve risk management processes (REC 4)

    Councils should have a complete and up-to-date risk management framework including:

    • comprehensive risk registers that identify risks (including the risk of fraud) and appropriate risk mitigation strategies
    • current and relevant business continuity and disaster recovery plans and that these plans are tested periodically.
    1

    Procurement and contract management

    Over the last five years, on average, councils spent approximately $7.7 billion on goods and services each year. This year, we identified deficiencies in procurement and contract management controls in 32 councils. We recommend that these councils strengthen their internal controls to ensure they achieve value for money for their communities in their purchasing activities. The common deficiencies we identified this year include the following:

    • Councils were unable to demonstrate they obtained value for money from their procurement process. This was generally due to
      • not obtaining sufficient tenders/quotes for the purchase of goods or services
      • insufficient documentation resulting in perceived transparency issues for supplier tendering and selection processes.
    • Councils approved the purchase of goods and invoices after they were received, instead of before they were ordered.
    • Councils either did not have a contract register or did not have a complete contract register that would enable them to effectively manage their contracts.

    A contract register is a list of all contracts that a council has entered into with its vendors and contains important information such as:

    • start and end date of the contract
    • total contracted amount and annual amounts
    • contract manager assigned to the contract
    • link to or reference to a copy of the contract
    • trigger date for renewal of the contract.

    Recommendation for all councils

    Enhance procurement and contract management practices (REC 5)
    • Councils need to ensure they obtain value for money for the goods and services they procure and that they have the appropriate approvals to procure the goods and services. 
    • To effectively manage their contractual obligations, councils should ensure their contract registers are complete and contain up-to-date information.
    1
    Elim Beach

    4. Councils' financial performance

    This chapter analyses the financial performance of councils, with emphasis on their financial sustainability.

    Chapter snapshot

    Image showing highlights for Chapter 4. 'Expenses and liabilities have increased at a higher rate than revenues and assets ($12.9 bil. revenue (up 1% from 2019); $11.2 bil. expenses (up 3% from 2019); $129.2 bil. assets (up 6% from 2019); $10 bil. liabilities (up 16% from 2019) - note: the implementation of new accounting standards contributed to an 11 per cent increase in the sector's total liabilities.). The risk to financial sustainability is greater (Figure 4A shows the change in financial sustainabili
    1

    How is financial sustainability assessed?

    A council’s financial sustainability is linked to the sustainability of its local community. A sustainable community is one where local businesses are economically viable, environmentally sound and socially responsible, and people have access to basic services, such as education and healthcare. As much as growing and maintaining a sustainable community requires participation from all sectors of the community, it is also heavily reliant on population and employment opportunities.

    Councils in areas with a strong economy (which usually means a larger population and good job opportunities) are more likely to be able to generate their own revenue and attract and retain qualified staff. This in turn leads to them establishing good processes and managing their finances well.

    Since 2013, the Department of State Development, Infrastructure, Local Government and Planning (the department) has required councils to measure their financial sustainability using three audited ratios:

    • operating surplus ratio—the extent to which operating revenues cover operating expenses
    • net financial liabilities ratio—the extent to which the operating revenues can meet the liabilities
    • asset sustainability ratio—the extent to which assets are replaced as they reach the end of their useful lives.

    Councils are expected to meet certain benchmarks against these ratios, which are detailed in Appendix I

    While all councils are required to use the same ratios to measure their financial sustainability, the challenges faced by each council vary significantly, and are strongly influenced by each local economy.

    Councils with smaller populations and smaller local economies are more dependent on government grants to provide basic services, and build and maintain essential community assets (such as roads). These councils receive grants from both the state and federal governments for supplementing their day-to-day operations (for example, through financial assistance grants) and for building and maintaining community assets (also known as capital grants). However, these grants typically provide funding for a single year with little certainty whether the funding will continue in subsequent years. 

    Such uncertainty makes it difficult for councils that are highly reliant on grants to make longer‑term plans to create jobs in the community and attract residents.

    To highlight the different challenges these grant-dependent councils face, this year we have analysed councils’ financial sustainability risk by their reliance on grants instead of grouping them into segments as defined by the Local Government Association of Queensland, as we have in previous years. Appendix I shows the results by those individual council segments.

    Figure 4B shows the financial sustainability risk of councils categorised by their reliance on grant revenue.

    FIGURE 4B
    Risk of financial sustainability increases with a council’s reliance on grant revenue
    Three graphs showing: Low reliance category ((Less than 25% grant revenue to total revenue) 9 low risk; 10 moderate risk); Moderate reliance category ((More than 25% but less than 50% grant revenue to total revenue) 14 low risk; 9 moderate risk; 7 high risk); High reliance category ((More than 50% grant revenue to total revenue) 5 low risk; 6 moderate risk; 17 high risk).

    Queensland Audit Office.

    1

    Generally, as a council’s reliance on grants increases, so too does its financial sustainability risk. There are, however, exceptions to this. We note that five councils with a high reliance on grant revenue have a low risk of being financially unsustainable. These councils have prioritised financial governance by recruiting and retaining appropriately skilled staff, who have established good financial and budgeting processes. These councils also have strong leadership and governance, and a strong internal control environment and oversight function, including effective audit committees and internal audit functions.

    How have councils fared this year?

    The financial sustainability of most councils deteriorated this year, with the sector’s expenses and liabilities increasing faster than its revenues and assets. The financial sustainability risk rating for 12 councils has increased to either moderate or high. The sustainability ratios for another 64 councils also deteriorated but did not result in a change in their financial sustainability risk rating. One council, Charters Towers Regional Council, improved its sustainability risk rating from moderate to low.

    Generating operating surpluses has been a challenge for the sector

    This year, 70 per cent of Queensland councils spent more than they earned, which is a 25 per cent increase compared with last year.

    Figure 4C aggregates the operating results for councils, grouped by their reliance on grants over the last five years. The operating result for a council is the difference between the revenue generated from its activities and the cost of running the business.

    FIGURE 4C
    Aggregate operating results of councils grouped by their reliance on grants
    Local government 2020_Figure 4C

    Queensland Audit Office.

    1

    As a group, the councils highly reliant on grants have collectively made losses each year for the last five years. Individually however, there are five councils in this group that have consistently generated operating profits.

    Uncertainty over future funding and their limited ability to generate their own revenue in the short term makes it difficult for most of these councils to have good strategic planning, asset management, and financial management practices. Having some certainty over long‑term funding would enable them to develop strategies to attract new industries and people to their areas, maximise any investment that is made in community assets, and minimise operating losses.

    We consistently find councils that regularly incur operating losses have deficiencies in these areas, preventing them from improving their long-term financial sustainability. While it is each council’s responsibility to find ways to improve its financial sustainability, we encourage the department to continue providing guidance to build capability in these areas.

    This year, councils with low or moderate reliance on grants have generated operating losses for the first time in five years. These council categories have experienced a substantial increase in their operating expenses. Several councils brought forward their capital projects at the peak of the COVID-19 pandemic with the aim of retaining their workforce, resulting in higher employee costs. In addition, councils also incurred new costs to maintain quarantine facilities, enforce border restrictions, and sanitise council buildings and public areas.

    At the same time, council operating revenues have only increased by one per cent. Several council revenue streams have decreased, particularly from March to June 2020, with significantly less visitors to council areas due to travel restrictions and community lockdown. This resulted in lower revenue from public services such as car parks, airports, and council‑owned accommodation. Councils also provided support to communities in the form of discounts and waivers of fees such as food licenses, and rental concessions for tenants of council‑owned buildings. 

    Figure 4D shows the sector’s expenses have steadily increased over the last five years, while revenue has not increased at the same rate. This year, for the first time in five years, total expenses of the sector exceeded total revenue.

    FIGURE 4D
    Operating revenue and expense—2016–2020
    Local government 2020_Figure 4D

    Queensland Audit Office.

    1

    While some councils made operating profits in 2020, the majority of councils face the dual challenges of not being able to contain the cost of services provided to the community, and of generating sufficient revenue to fund these services.

    Councils in general, and especially those that are unable to increase revenue, must consider the services and service levels they provide to their communities—specifically in terms of their importance to the community and the cost of delivery.

    In our report Managing the sustainability of local government services (Report 2: 2019–20), we recommended that all councils consider whether the services they provide meet the current and future needs of their communities and whether these services are affordable.

    To assist with this, we have also published several fact sheets and a cost allocation tool that councils can use to inform their decision making. These fact sheets and tool are available on our website.

    The sector’s debt levels have increased in line with assets

    The debt levels of the sector have increased by five per cent this year. This increase is in line with the increase in the value of community assets. Over the last five years, the sector’s debt remained steady at five per cent of assets.

    Of the total sector debt, 68 per cent is held by councils that have a low reliance on grant revenue, and 31 per cent held by councils with a moderate reliance on grants. These councils typically have larger populations, larger asset bases and a history of modest operating surpluses, giving them the ability to repay their debts. The councils holding the remaining one per cent are highly reliant on grants. These councils are currently managing their obligations and paying down their debt.

    Councils continue to invest in community assets

    This year, the sector has spent $4.3 billion (2019: $4.3 billion) on replenishing and/or constructing new assets (capital projects) to meet community needs.

    Currently, councils measure their asset sustainability as a ratio that approximates the extent to which they are replenishing assets as they reach the end of their useful lives. Figure 4E shows this asset sustainability ratio for councils categorised by their reliance on grant funding.

    FIGURE 4E
    Asset sustainability ratio by council category
    Local Government 2020_Figure 4E

    Queensland Audit Office.

    1

    Councils with a high reliance on grant revenue typically have what looks like a good asset sustainability ratio, as they have received significant grant funding over the last five years to replace assets.

    These 28 high-reliance councils combined received $720 million in disaster relief funding over the last five years (2016–20). The 49 councils in the other two categories combined received $814 million over the same period.

    The current asset sustainability ratio does not take into account the age of the assets and whether the councils are maintaining them at an optimum level. 

    The asset sustainability ratio is calculated by dividing the amount of money spent on replacing assets each year by the annual estimated value of depreciation (or gradual ‘wearing out’) of the assets. This is expressed as a percentage, and the department’s guidelines require this to be 90 per cent or more.

    While this is intended to indicate whether a council is renewing its assets at a sufficient rate, it can be misleading. For example, councils with growing populations build new assets to keep up with the demand of their communities. These new assets do not require much maintenance or any replacement early in their life cycle. However, these councils also have older assets in established areas that need regular maintenance and replacement.   

    The existing ratio, which is calculated for the council as a whole, does not distinguish between the age of these assets (that is, new assets versus old assets). Consequently, councils cannot rely on this ratio to assess whether they are managing their portfolio of assets appropriately. They need robust asset management plans in place to ensure they are renewing their assets at the right times and to the right standard (or service level) across their communities.

    With most councils now having an asset management plan and better asset data than they had when the asset sustainability ratio was introduced in 2013, it is time for the department to consider if one or more of the following ratios would enhance asset sustainability reporting:

    • Asset consumption ratio—this ratio measures the current value of assets in use relative to what it would cost to build a new asset with the same benefits to the community.
    • Asset renewal funding ratio—this ratio measures the ability of a council to fund its projected asset renewal/replacements in the future. 
    • Asset maintenance ratio—this ratio compares planned maintenance of assets with required maintenance (which is what should be spent to maintain assets to a satisfactory standard) to indicate the extent to which a council is investing to stop its infrastructure backlog growing.
    • Average useful life ratio—this ratio compares the actual average useful life of a council’s infrastructure assets to the expected average useful life as per the council’s asset management plan.

    In our report Forecasting long-term sustainability of local government (Report 2: 2016–17), we recommended the department review the sustainability ratios and make these more fluid to address the changing needs of councils. The department is currently in the process of establishing new financial sustainability ratios.

    Recommendation for the Department of State Development, Infrastructure, Local Government and Planning

    Make changes to sustainability ratios (REC 7)

    We recommend that the department develops new financial sustainability ratios for Queensland councils. In developing these ratios and associated targets, we recommend that the department considers the different sizes, services, and circumstances of the various councils.

    We also recommend that the new financial sustainability ratios be established in time for the year ending 30 June 2022.
    1

    Recommendation for the Department of State Development, Infrastructure, Local Government and Planning

    Provide greater certainty over long-term funding (REC 8)

    We recommend that the department reviews its current funding model to identify opportunities to provide funding certainty to councils beyond one financial year. A three- to five-year funding model would assist councils, especially those heavily reliant on grants, to develop and implement more sustainable medium- to long-term plans.

    1

    Recommendation for the Department of State Development, Infrastructure, Local Government and Planning

    Provide training to councillors and senior leadership teams around financial governance (REC 9)

    We recommend that the department provides periodic training to councillors and the senior leadership team for councils that are highly reliant on grants. The training should focus on helping these councils:

    • establish strong leadership and governance
    • enhance internal controls and oversight
    • improve financial sustainability in the long term.
    1
    Elim Beach

    2020 local government financial information dashboard

    2020 local government financial information dashboard

    Our interactive map of Queensland allows you to search and compare councils to view their financial performance and sustainability indicators. This tool includes information on revenue, expenses, operating costs, assets, liabilities and sustainability indicators.