Previous Page

Reports and attestations

Annual Report 2022-2023

The objective of the Audit and Risk Committee (ARC) is to provide independent assistance to the Chief Executive Officer and Board by monitoring, reviewing and providing advice about Legal Aid NSW governance processes, risk management and control frameworks, and its external accountability obligations.

The committee comprised the following independent members in 2022–2023.

  • Michael Coleman – Chair.
  • Peter Whitehead – Committee Member.
  • Leah Fricke – Committee Member.
  • Nicola Davis – Committee Member.

The CEO; Director, Legal Service & In-house Counsel (who is also the Chief Audit Executive); Executive Director, Digital Transformation; Director, Finance; Senior Internal Auditor and representatives from the NSW Audit Office attend each meeting. The committee also invites other key Executive staff and external service providers to attend as necessary.

The committee met on seven occasions in 2022–2023 and reviewed a range of operational matters

  • Monitoring the Strategic Plan Year Five 2022–2023.
  • Consultation on draft the Legal Aid NSW Strategic Plan 2023–2028.
  • Monitoring the organisation’s financial position, trends, variations, carry forwards and budget compliance.
  • Monitoring compliance with circulars, guidelines and policies from the NSW Treasury, Department of Customer Service (Cybersecurity) and Independent Commission Against Corruption (Fraud and Corruption), and sector-wide performance reports of the NSW Audit Office as applicable.
  • Administering the external examination, law practice declaration and trust money.
  • Auditing of the Legal Aid NSW trust account.
  • Completing the engagement closing report and end of financial year reports.
  • Completing the NSW Audit Office’s Management letter and Annual Engagement Plan (AEP) to audit financial statements for the year ending 30 June 2023.
  • Producing statutory financial statements for the year ended 30 June 2023.
  • Compiling the financial acquittal reports relating to the Australian Government grant funding relating to the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability and the Royal Commission into Defence and Veteran Suicide.
  • Certification of internal controls.
  • Appointment of ARC members.
  • Recording Board resolutions concerning financial impacts, policy changes and the introduction of initiatives.
  • Review of and compliance with administrative arrangements under the ARC charter, internal audit charter and internal audit manual.
  • Review of internal audit function.
  • Audit plan for 2022–23 and monitoring of internal and external audits.
  • Monitoring of internal audit budget.
  • Review of the flexible work policy and assessment of the impact of a hybrid working environment.
  • Compliance with conflict of interest policy.
  • People Matter Employee Survey results – including summary and action planning.
  • Six-monthly review of risk management framework and risk maturity.
  • Enterprise risk maturity assessment and updating of enterprise risk framework and strategic risks.
  • Implementing a COVID risk register.
  • Planning for service disruptions. 
  • Business continuity planning.
  • Gifts and benefits policy.
  • Fraud and corruption control framework. 
  • Legal compliance framework.
  • Project Respect and risk register.
  • Work health and safety and excess recreation leave balances.
  • Updating progress on cyber security including risk maturity assessment under NSW cyber security policy and the essential eight.
  • Panel lawyer audits by the Legal Aid NSW Private Lawyer Quality Standards Unit.
  • Drafting a quality framework for legal services.
  • Plan for improvement of record management maturity.
  • Reviewing operations and service delivery.
  • Reviewing payroll processes.
  • Reviewing the Client and Case Management System (CCMS) post implementation.
  • Reviewing the status of implementation of ICT projects under the digital transformation project.

During the year 2022–2023, there were ten audits, which were included in the plan. Nine audits were either completed or in an advanced stage of completion. One audit relating to handling vicarious trauma was postponed as the tender was unsuccessful. It is now proposed to be included in the following year. Audits covered:

  • ATLAS debtors and contributions
  • review of recruitment processes
  • review of compliance with the conflict of interest policy
  • review of processes for private duty lawyers
  • review of processes for record management
  • review of processes for grants to community legal centres and Women’s Domestic Violence Advocacy Services
  • review of our Information Security Management System (ISMS) for conformance with ISO 27001 controls and compliance with the NSW government’s cyber security policy
  • audit of access to Transport for NSW (TFNSW) DRIVES
  • cybersecurity recertification audit by the ISO 27001 certifying agency.
Performance audits completed
2017–186
2018–195
2019–204
2020–219
2021–229
2022–239

Target for 2023–2024: 10

Cherie Pittman
Director Legal Service & In-house Counsel
Chief Audit Executive
30 June 2023

I, Monique Hitter, am of the opinion that Legal Aid NSW has internal audit and risk management processes in operation that are, excluding the exemptions or transitional arrangements described below, compliant with the seven (7) Core Requirements set out in the Internal Audit and Risk Management Policy for the General Government Sector, specifically:

Core requirementsStatus*
Risk management framework
1.1 The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the agencyCompliant
1.2 The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018Compliant
Internal audit function
2.1 The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purposeCompliant
2.2 The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for Professional Practice for Internal AuditingCompliant
2.3 The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the 'model charter'Compliant
Audit and Risk Committee
3.1 The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks and its external accountability obligationsNon-Compliant with respect to a) core requirement 3.1.16, which provides a maximum term of 5 years for the Chair of the Audit and Risk Committee (ARC) and b) core requirement 3.1.14 which provides a maximum term of 8 years for the members of the ARC
3.2 The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the 'model charter'Compliant

* For each requirement, please specify whether compliant, non-compliant, or in transition.
** Core requirement 3.1.13 as per TPP 15-03.

Membership

The chair and members of the Audit and Risk Committee are:

  • Mr Michael Coleman – Independent Chair
    29 June 2016 to 26 September 2025
  • Mr Peter Whitehead – Independent Member
    28 October 2014 to 28 October 2023
  • Ms Leah Fricke – Independent Member
    1 March 2022 to 28 February 2025
  • Ms Nicola Davis – Independent Member
    28 June 2023 to 28 June 2026.

Monique Hitter
Chief Executive Officer
17 August 2023 

I, Monique Hitter, advise that the internal audit and risk management processes for Legal Aid NSW depart from the following Core Requirement set out in the Internal Audit and Risk Management Policy for the General Government Sector:

1. The circumstances giving rise to these departures have been determined by the Responsible Minister and Legal Aid NSW has implemented the following practicable alternative measures to meet the Core Requirements:

DepartureReason for departure and description of practicable alternative measures implemented/being implemented
Non-compliance

3.1.16 of TPP 20-08

“The chair of the ARC shall be appointed for one (1) term only for a period of at least three (3) years, with a maximum period of five (5) years. The term of appointment for the chair can be extended but any extension shall not cause the total term to exceed five (5) years as a chair of the ARC.”

The Chair of ARC. whose maximum term of office of 5 years expired on 23 June 2021 had been given three extensions one in February 2021 for the term up to 2 September 2022, the second in November 2022 for the term up to 28 October 2023 and the third in July 2023 for the term up to 26 September 2025.

Legal Aid NSW maintains a practice where a Board member is Chair of the ARC. Legal Aid NSW’s Audit and Risk Committee Charter provides that an exemption from TPP 20-08 3.1.16 should be sought to ensure alignment

between Board appointments and appointments to the ARC.

Mr Coleman was reappointed to the Board in accordance with the Legal Aid Commission Act for a term up to 26 September 2025.

Mr Coleman is a highly respected member of the Board and has performed outstandingly as Chair of the ARC. He has significant expertise and experience as a director and chairman in various organisations. His corporate experience in managing risk and finance would be very difficult to replicate. An exemption from the TPP 20-08 has been approved by the Attorney General to extend Mr Coleman as Chair of the ARC until the expiry of his Board appointment on 26 September 2025.

3.1.14 of TPP 20-08

“Members can be reappointed or extended for further term(s) but the total period of continuous membership on the Committee shall not exceed eight (8) years (inclusive of any term as chair of the Committee).”

Mr Whitehead, whose maximum term of office 8 years, expired on 28 October 2022 had been given extension in November 2022 for the term up to 28 October 2023.

Mr Peter Whitehead was appointed member of the ARC from 28 October 2014 to 28 October 2022. Mr Whitehead’s maximum 8-year term expired on 28 October 2022. Ministerial exemption was obtained on 21 November 2022 for extension of his term to 28 October 2023.

Mr Whitehead is a lawyer and the former Public Trustee of NSW. Mr Whitehead was part of the original committee reviewing the role of audit within NSW Government. He has since chaired a number of Audit and Risk Committees including for the NSW Department of Premier and Cabinet, what was then the Attorney General’s Department, the NSW Crime Commission and the Judicial Commission of NSW. He currently works in the financial services industry.

Mr Whitehead was reappointed as a member for a term up to 28 October 2023.

These processes, including the practicable alternative measures implemented, demonstrate that Legal Aid NSW has established and maintained frameworks, including systems, processes and procedures for appropriately managing audit and risk within Legal Aid NSW.

Monique Hitter
Chief Executive Officer
17 August 2023

I, Monique Hitter, CEO of Legal Aid NSW, am of the opinion that Legal Aid NSW has managed cyber security risks in a manner consistent with the mandatory requirements set out in the NSW Government Cyber Security Policy.

Governance is in place to manage the cyber security maturity and initiatives of Legal Aid NSW.

Risks to the information and systems of Legal Aid NSW have been assessed and continue to be reviewed and managed.

There exists a current cyber incident response plan for Legal Aid NSW which has been tested during the reporting period.

Legal Aid NSW has an ISO 27001-certified Information Security Management System (ISMS) in place for four offices across Legal Aid NSW:

  • 323 Castlereagh Street Sydney, NSW 2000 Australia (Central Sydney Office)
  • Level 1, 160 Marsden Street Parramatta, NSW 2150
  • Level 4, 128 Marsden Street Parramatta, NSW 2150
  • 73 Church Street Wollongong, NSW 2500.

Legal Aid NSW is doing the following to continuously improve the management of cyber security governance and resilience.

  • Maintaining a certified ISMS that aligns to the ISO27001:2013 standard, with the objective of continual information security improvements while supporting security policies and objectives.
  • Progressing a Cyber Security Uplift Program to improve cyber security maturity at Legal Aid NSW.
  • Escalating cyber security incidents, should they occur, to Cyber Security NSW as required.

An independent audit of the ISO 27001-recertified Legal Aid NSW Information Security Management System was undertaken during the reporting period by ISO-accredited auditors and found to be adequate.

Monique Hitter
Chief Executive Officer
August 2023