Report 10: 2020–21

Transport 2020

Audit objective

This report summarises our financial audit results of seven state-owned entities in Queensland’s transport sector for 2019–20.

Overview

The entities in Queensland’s transport sector work together to create an integrated transport network, connecting Queensland’s people and businesses. 

Tabled 2 February 2021. 

Elim Beach

Report on a page

This report summarises the audit results of seven entities in Queensland’s transport sector: Department of Transport and Main Roads, Queensland Rail, Cross River Rail Delivery Authority, Gladstone Ports, North Queensland Bulk Ports, Port of Townsville, and Ports North.

Financial statements are reliable, but some internal controls can be improved

All financial reports in the transport sector are reliable and comply with relevant laws and standards.

The systems and processes (internal controls) used by transport entities to prepare financial systems are generally effective. However, the entities need to strengthen their controls over procurement (documenting conflict of interest declarations) and expenditure, payroll processes, the security of their information systems, and supplier and employee information.

The most common internal control weakness we continue to identify across the public sector relates to security of information systems and controls over supplier and employee information. Transport entities must put strong controls in place to protect their information and assets.

Maintaining services during the pandemic

The transport sector was able to maintain services through the COVID-19 pandemic without significant additional costs or interruption. Transport entities implemented new technology, such as remote access and electronic signature approvals, so they could continue to operate effectively.

There were financial impacts on the entities—mostly due to decreased patronage of public transport, lower rent from tenants facing financial hardship, and lower revenue from vessel services relating to the tourism industry (like cruise ships). The ongoing impacts of the pandemic will continue to be a challenge to the transport sector.

Cross River Rail is underway

Cross River Rail is one of Queensland’s largest public transport projects under construction. The project is still in the early phases, with several contracts for major works packages recently finalised.

FIGURE A
Cross River Rail
Table showing Cross River Rail: Expenditure to 30 June 2020: $2.1 bil.; Total capital budget: $6.9 bil.; Ready for operations: Mid 2025; Three major packages: Tunnels, Stations, and Development; Rail, Integration, and Systems; European Train Controls System.

Compiled by the Queensland Audit Office.

1

No significant issues have been identified in our financial statement audit. Our future audits will continue to assess compliance with policies, the tendering process and evaluation of prospective bids, and contract signing and ongoing contractor and design management, including material variations. 

Elim Beach

Recommendations for entities

Improve procurement and expenditure processes (all entities)

REC 1

All entities should:

  • assess their compliance with conflict of interest processes
  • ensure supplier information and payments are appropriately authorised and independently reviewed.

Strengthen the security of information systems (all entities)

REC 2

We recommend all public sector entities strengthen the security of their information systems. They rely heavily on technology, and increasingly, they have to be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage.

Their workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems.

All entities across the public sector should:

  • provide security training for employees so they understand the importance of maintaining strong information systems, and their roles in keeping them secure
  • assign employees only the minimum access required to perform their job, and ensure important stages of each process are not performed by the same person
  • regularly review user access to ensure it remains appropriate
  • monitor activities performed by employees with privileged access (allowing them to access sensitive data and create and configure within the system) to ensure they are appropriately approved
  • implement strong password practices and multifactor authentication (for example, a username and password, plus a code sent to a mobile), particularly for systems that record sensitive information
  • encrypt sensitive information to protect it
  • patch vulnerabilities in systems in a timely manner, as upgrades and solutions are made available by software providers to address known security weaknesses that could be exploited by external parties.

Entities should also self-assess against all of the recommendations in Managing cyber security risks (Report 3: 2019–20) to ensure their systems are appropriately secured.

Strengthen payroll processes and controls (all entities)

REC 3 All entities should ensure employee information, timesheets, and payments are recorded accurately, appropriately authorised, and independently reviewed.
1
Elim Beach

1. Overview of entities in this sector

FIGURE 1A
Key entities in the Queensland transport sector

Notes:

  • There are four port entities—Gladstone Ports Corporation Limited, North Queensland Bulk Ports Limited, Port of Townsville Limited and Far North Queensland Ports Corporation Limited (Ports North).
  • Queensland Rail is a statutory body and includes Queensland Rail Limited.

Compiled by the Queensland Audit Office.

1
Elim Beach

2. Results of our audits

This chapter provides an overview of our audit opinions for transport sector entities. It also provides conclusions on the effectiveness of the systems and processes (internal controls) entities use to prepare financial statements.

Chapter snapshot

Chapter snapshot_report 2020-21
1

Audit opinion results

We issued unmodified opinions, within the legislated timeframes, for the transport entities we audited. Readers can rely on the results in the audited financial statements. The audit opinions we issued are detailed in Appendix C.

Definition

We express an unmodified opinion when financial statements are prepared in accordance with the relevant legislative requirements and Australian accounting standards.

Entities not preparing financial statements

Not all Queensland public sector transport entities produce financial statements. Appendix D provides a full list of those not preparing financial statements, and the reasons.

Mature financial statement preparation processes are in place

We worked with the transport entities as they undertook a self-assessment of their financial statement preparation processes using the maturity model on our website. They assessed the majority of their processes as ‘integrated’ or ‘optimised’—the highest levels of maturity.

Entities in the sector have quality month-end processes, which help them to prepare financial statements. They also make good use of pro-forma financial statements, which show how the financial statements will look at the end of the year. These are prepared early in the year and updated as figures become available.

Most entities identified an opportunity to improve their use of specialised reporting software to prepare financial statements, but the electronic spreadsheets and word processing tools they currently use are still fit for purpose. The entities recognise that they need to balance the cost of investing in automation against the benefits to be derived.

Internal controls are generally effective

We found the internal controls entities use to prepare financial statements are generally effective but could be improved. We have reported any deficiencies in the design or operation of those internal controls to the management of the entities for their action. They are rated as either significant deficiencies (those of higher risk that require immediate action) or deficiencies (those of lower risk that can be corrected over time).

In 2019–20, we reported one significant deficiency and 32 deficiencies in internal controls across the sector. Figure 2A shows the areas in which we identified deficiencies.

FIGURE 2A
Overview of internal control issues raised in 2019–20
Image showing an overview of the 33 deficiencies (including 1 significant): 10 information systems policies, security, and user access controls; 10 procurement supplier, masterfile, and payment authorisation (including 1 significant); 8 payroll policies, masterfile changes, recording of timesheets, and payment processes; 5 other.

Compiled by the Queensland Audit Office.

1

We have received responses from each entity on their planned corrective action to the internal control issues raised. We are satisfied with the responses and proposed implementation time frames.

Improve procurement and expenditure processes

Each year, the transport sector spends billions of dollars on goods and services. Entities need to demonstrate their procurement decisions are in the best interests of the public and provide value for money. They do this by complying with Queensland Government procurement policies, as well as their own internal policies and processes.

Identifying conflicts of interest

To ensure the integrity of procurement decisions, people who are involved in the procurement process are required to report any conflicts of interest that might influence their decisions.

We identified a significant deficiency for one entity, as not everyone involved in a procurement process had documented whether they had any conflicts of interest. There was no evidence of inappropriate influence in the procurement decision process. The entity has subsequently commenced actions to improve internal procedures, develop new policies and implement additional review processes.

Everyday controls need to be strengthened

We also found a number of weaknesses in everyday controls for expenditure processes that need to be strengthened. These included verifying changes to supplier information, and authorising and reviewing transactions for payments.

Recommendation for all entities
Improve procurement and expenditure processes (REC 1)

All entities should:

  • assess their compliance with conflict of interest processes
  • ensure supplier information and payments are appropriately authorised and independently reviewed.
1

Strengthen the security of information systems

Transport entities rely on information systems to operate their businesses and prepare financial statements, so they must have strong controls over who has access to the systems and the information in them.

Weaknesses in information technology controls increase the risk of undetected errors or potential financial loss, including fraud.

For some years, the most common internal control weakness across the public sector has related to the security of information systems. All entities across the public sector need their people and processes to have strong security practices. They must update their systems promptly to respond to changes within entities and to remain protected from external threats.

This year, we recommended four of the seven transport entities strengthen the security of their information systems, particularly their management of who can access the system, how they access it, and what they can do in it.

Recommendation for all entities
Strengthen the security of information systems (REC 2)

We recommend all public sector entities strengthen the security of their information systems. They rely heavily on technology, and increasingly, they have to be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage.

Their workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems.

All entities across the public sector should:

  • provide security training for employees so they understand the importance of maintaining strong information systems, and their roles in keeping them secure
  • assign employees only the minimum access required to perform their job, and ensure important stages of each process are not performed by the same person
  • regularly review user access to ensure it remains appropriate
  • monitor activities performed by employees with privileged access (allowing them to access sensitive data and create and configure within the system) to ensure they are appropriately approved
  • implement strong password practices and multifactor authentication (for example, a username and password, plus a code sent to a mobile), particularly for systems that record sensitive information
  • encrypt sensitive information to protect it
  • patch vulnerabilities in systems in a timely manner, as upgrades and solutions are made available by software providers to address known security weaknesses that could be exploited by external parties.

Entities should also self-assess against all of the recommendations in Managing cyber security risks (Report 3: 2019–20) to ensure their systems are appropriately secured.

1

Strengthen payroll processes and controls

Entities are responsible for ensuring their employees are paid correctly. They need to make sure the payroll function has strong governance and controls, supported by the right technology.

This year, we made eight recommendations on improving the performance of manual controls (those that rely on people to undertake) for updating employee information, recording of timesheets, and making payments to employees.

Recommendation for all entities
Strengthen payroll processes and controls (REC 3)

All entities should ensure employee information, timesheets, and payments are recorded accurately, appropriately authorised, and independently reviewed.

1

Changed governance of Cross River Rail Delivery Authority

The governance structure of Cross River Rail Delivery Authority changed on 28 February 2020. The chief executive officer now reports directly to the Minister for Transport and Main Roads (previously the Minister for State Development, Tourism and Innovation) (the minister) rather than through the board. The board remains in an advisory capacity, providing support to the minister and chief executive.

We understand that the change was in response to the former minister wanting more oversight on the project and to ensure delivery remained on time and on budget.

Cross River Rail Delivery Authority project summary

The Project Assessment Framework, together with the Queensland Procurement Policy (QPP), require the Queensland Government to prepare a Project Summary report following the financial close of publicprivate partnership (PPP) projects to promote transparency and accountability. This Project Summary report was prepared for the Tunnel, Stations and Development (TSD) PPP.

The report includes information on:

  • background of the project
  • information relating to the procurement model and process, key milestones and policy requirements
  • contract overview-contractual arrangements, key agreements and summary of key obligations and terms of the Project Agreement.

In performing our limited assurance procedures, we did not identify any instances of material non-compliance with the Project Summary guidelines and issued an unmodified limited assurance report on 3 June 2020.

Elim Beach

3. Financial results and challenges

This chapter analyses the key financial results and challenges faced by the sector.

Chapter snapshot

Chapter snapshot image showing the main points in the chapter
1

Dealing with the impacts of COVID-19

Financial impacts

The most notable impact of COVID-19 has been on fare revenue collected at the Department of Transport and Main Roads from the bus, ferry, light rail, and train services.

Fare revenue decreased by 20 per cent to $288.7 million, and patronage across the services in the June quarter decreased by 62 per cent from the March quarter. The decline coincided with travel restrictions and greater adoption of working from home arrangements.

Figure 3A details the quarterly change in the number of total passenger trips for bus, ferry, light rail, and train services and the percentage change from the previous quarter.

FIGURE 3A
Number of total passenger trips

Department of Transport and Main Roads (Translink Public Transport Performance Dashboard).

1

As most funding for passenger services is received from the state government, this has not had as much impact as it would have otherwise.

The performance of the port entities’ imports and exports operations has remained stable, mostly due to the continuing demand and ongoing ‘take-or-pay’ arrangements with customers. Under these arrangements, customers are contractually required to purchase a minimum number of goods or services or pay a charge.

The port entities’ revenues from property rentals were lower, as they charged less rent to tenants who were facing financial hardship. Shipping vessel income from the tourism sector (for cruise ships and charter boats) was also lower due to travel restrictions impacting demand for services.

As a result, shareholder returns to the Queensland Government decreased by 5.7 per cent from last year. Shareholder returns were made up of $229.2 million in dividends (a share of profits paid to shareholders) and $94.8 million in income tax equivalents (which are paid by commercial operations in government instead of tax).

Responsiveness of transport entities

COVID-19 has been testing the resilience and agility of the transport sector. In line with social and physical distancing rules, entities continue to use work-from-home arrangements for their staff. They have adapted their processes to suit the increased reliance on technology—for example, allowing remote access, and using electronic signatures.

During the pandemic, the transport sector mostly provided the full public transport timetable and services to customers and industry. In some areas, additional transport and freight services were provided to assist with the changing transport needs of the Queensland community.

There were no significant increases in costs, but the ongoing impacts of the global pandemic will continue to be a challenge to the transport sector.

Cross River Rail is underway

Cross River Rail is one of Queensland’s largest transport projects currently under construction. This project aims to provide high-frequency train services and to revitalise a number of precincts across Brisbane.

FIGURE 3B
Cross River Rail project
Image showing: $6.9 bil. total capital budget; Mid 2025 operational service date; $2.1 bil. capital spend-to-date (30 June 2020); State contribution $5.4 bil. (20% capital budget spent); Private finance contribution $1.5 bil. (69% capital budget spent); Total capital works: 31% capital budget spent.

Note: Capital spend to date ($2.1 billion) includes expenditure relating to the three major works packages (see Figure 3C), land acquisitions, and related project costs. The Cross River Rail project is being fully funded by contributions from the state and private finance contributions.

Compiled by the Queensland Audit Office.

1

The Cross River Rail project is being delivered by Cross River Rail Delivery Authority. It will deliver a new 10.2 kilometre rail line from Dutton Park to Bowen Hills, including 5.9 kilometres of twin tunnels under the Brisbane River and central business district, and four new underground stations. Figure 3C summarises each of the three major contracts/work packages.

FIGURE 3C
Summary of Cross River Rail major works packages
Tunnel, Stations and Development: description of work (underground section of the project); total package value ($4.2 billion); spend at 30 June 2020 ($1.0 billion); supplier (PULSE consortium, led by CIMIC Group companies). Rail, Integration, and Systems: description of work (design, supply, and installation of supporting rail systems); total package value (not publicly available); spend at 30 June 2020 (not publicly available); supplier (UNITY Alliance, led by CPB Contractors). European Train Control Syst

Note: * The Rail, Integration, and Systems total package value is currently commercially sensitive in line with Queensland Procurement Policy and supporting guidelines.  
** The European Train Control System forms part of the Queensland Rail capital works program and is excluded from the amounts shown in Figure 3B.

Compiled by the Queensland Audit Office.

1

No significant issues have been identified in our financial statement audit. Our future audits will continue to assess the initial procurement activities of Cross River Rail and will include tendering, evaluation of prospective bids, contract signing, and ongoing contractor and design management, including the approval for material variations.

Given the significance of the Cross River Rail project, the results of future audit activity will be reported to parliament.