Regulation insights

Report highlights

What this report is about

In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.

This analysis includes performance audits, compliance audits and the outcomes of financial audits.

Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks associated with certain activities.

The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.

Audit findings

The analysis of findings and recommendations is structured around four key themes related to effective regulation:

  • governance and accountability
  • processes and procedures
  • data and information management
  • support and guidance.

The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.

In this report, we also draw out insights for agencies that provide a public sector stewardship role.

The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.

The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.

1. Auditor-General’s foreword


I am pleased to present this report, Regulation insights. This report highlights themes and generates insights about effective regulation from the last six years of audit.

Effective regulation is necessary to ensure compliance with the law. Effective regulation also promotes social, economic, and environmental outcomes, and minimises risks or negative impacts associated with certain activities. But regulation can be challenging and costly for governments to implement. It can also involve costs and impact on the regulated parties, including other public sector and private entities, and individuals. As such, effective regulation needs to be administered efficiently, and with integrity.

Having a clearly articulated and communicated regulatory approach is essential to achieving this outcome, particularly when this promotes voluntary compliance and sets performance standards that are informed by community expectations. A consistent approach to exercising regulatory powers is important: it should be supported by robust information about regulatory risks and issues, and accompanied with timely, proportionate responses. Providing relevant support to the regulated parties and coordinating activities to facilitate compliance and performance can generate efficiencies.

Finally, transparency matters. It matters so that government has oversight of and can be held accountable for its leadership of public sector compliance, and in regulating the activities of third parties. Transparency also matters because it can provide insights into the effective exercise of government power. To achieve this, meaningful regulatory information needs to be reported.

While these issues are most pertinent for government agencies that exercise traditional regulatory functions, they are also relevant to lead government agencies that provide a stewardship role in promoting compliance and performance by other government agencies in relation to particular areas of risk.

Over the past six years, our audit work has found many common and repeat performance gaps, creating risks, inefficiencies, and limiting outcomes of regulatory activities. In considering these gaps, this report provides public sector leaders with insights into the challenges and opportunities they may encounter when aiming for more effective regulation, including the good governance of regulatory activities. This includes insights for lead agencies that provide a public sector stewardship role. Through applying these insights and maximising regulatory effectiveness, unintended impacts on the people and sectors government serves and protects can be avoided or at the very least minimised.

 

Margaret Crawford PSM
Auditor-General for NSW

2. About this report

This report brings together key findings and recommendations relevant to regulation from selected performance and compliance audits between 2018 and early 2024 (19 in total), and from two reports that summarise results of financial audits during the same period. It aims to provide insights into the challenges and opportunities the public sector may encounter when aiming to enhance regulatory effectiveness.

The report is structured in two sections, each setting out insights from relevant audits and providing summaries as illustrative examples.

Section 3 is focused on insights from audits of agencies that administer regulatory powers and functions over other entities or activities (typically known as 'regulators'). The powers and functions of regulators are defined in law, and often relate to issuing approvals (e.g., licensing) for certain activities, and/or monitoring allowable activities within certain limits. Regulators often have compliance and enforcement powers that can be exercised in particular circumstances, such as when a regulated entity has not complied with relevant requirements.

Agencies may be primarily established as regulators or perform regulatory activities alongside other functions. Depending on the context, the regulated activity may relate to other state agencies, local government entities, non-government entities or individuals.

Section 4 summarises insights from a selection of audits of agencies that provide a stewardship role in promoting compliance by and performance of other state agencies and local government entities in relation to specific regulations or policies. These policies may or may not be mandatory and, unlike a more traditional regulator, the coordinating agency may not have enforcement powers to ensure compliance.

These policies, and accompanying guidelines and frameworks, are typically issued by ‘central agencies’ such as the Premier's Department that have a public sector stewardship role. They can also be issued by agencies with a leadership role in particular policy areas ('lead agencies'). While individual agencies and local government entities implementing these policies are responsible for their own compliance and performance, lead and central agencies have an oversight role including by promoting accountability and coordinating activities towards achieving compliance and performance outcomes across the public sector.

Readers are encouraged to view the full reports for further information. Links to versions published on our website are provided throughout this document, and a full list is in Appendix one. An overview of the rationale for selecting these audits and the approach to developing this report is in Appendix two.

The status of agencies' responses to audit recommendations

Findings from the audits referred to in this report were current at the time each respective report was published. In many cases, agencies accepted audit recommendations, as reflected in the letters from agency heads that are included in the appendix of each audit report.

The Public Accounts Committee of the NSW Parliament has a role in reporting on and ensuring that agencies respond appropriately to audit recommendations. Readers are encouraged to review the Public Accounts Committee's inquiries on agencies' implementation of audit recommendations, which can be found on the Committee's website.

3. Effective administration of regulatory powers and functions

Administering regulation to ensure compliance and deliver outcomes

Regulators are agencies that exercise regulatory powers and administer regulatory functions under law. Some state agencies are primarily established as regulators, and others undertake regulatory activities alongside other functions. Regulatory decisions include approving or licensing an activity, and decisions to take or not to take certain investigatory, compliance and enforcement action. The regulated parties can be other government agencies including local government entities, non-government entities and individuals.

Expectations have been established for regulators in the NSW Government’s ‘Guidance for regulators to implement outcomes and risk-based regulation’. This guidance aims to provide regulators with a consistent and transparent framework to proactively respond to the challenge of delivering ‘more with fewer resources’, while also increasing their effectiveness in achieving regulatory outcomes. It sets out an outcomes-based regulatory approach that involves assessing the efficiency and effectiveness of regulatory action and outcomes. It also emphasises understanding and assessing risks, and using this information to inform strategic regulatory approaches and specific regulatory actions. Such expectations are now well established and widely recognised as part of better regulatory practice: similar themes are reflected in the UK National Audit Office's Good practice guidance - principles of effective regulation. Importantly, effective outcomes and risk-based regulation requires that robust information and data is collected, managed and used by regulators — particularly to support monitoring and early interventions.

Agencies with regulatory powers and functions are also expected, like any agency, to manage integrity risks and have clear procedures for decision-making. Because regulatory decisions can enable or prohibit certain activities, or lead to compliance and enforcement action that affects rights and interests, it is all the more important that agencies exercise these powers within the law and with transparency.

Finally, to support not only compliance but broader outcomes, there is an important role for regulators to build capacity for voluntary compliance by providing adequate support and guidance to the regulated parties. Regulatory objectives are most efficiently achieved with a high level of voluntary compliance.

3.1. Governance and accountability

Governance arrangements support a clear regulatory approach where responsibilities are well-defined, and activities and roles are aligned to priorities

Our audit reports have identified numerous examples where agencies with regulatory powers and functions have not defined, or are not implementing, a clear regulatory approach. This includes instances where regulatory activities are implemented across levels of government or through devolved governance arrangements, and where multiple agencies are involved in regulating different aspects of the same entity or activity. An unclear regulatory approach can mean that the regulated entities lack certainty about the priorities of government, and how to meet their obligations most effectively.

Establishing effective governance in devolved systems 

The 2018 Regulation of water pollution audit found that the Environment Protection Agency’s (EPA) regulatory framework includes elements of good practice, but that it was not able to demonstrate that it has effective governance and oversight of its regulatory operations. The EPA was found not to have balanced its devolved regulatory structure, in which regionally-based offices operate with broad discretions, with an effective governance approach. For example, gaps were identified in the EPA’s internal reporting framework to the executive and board, in its performance framework and indicators, and in guidance to regulatory officers at the regional level. 

The importance of aligning a devolved structure with effective governance is also covered in Section 4.1, such as in the summary of the 2019 Governance of Local Health Districts audit. 

Coordinating regulatory activities with other regulators 

The 2020 Support for regional town water infrastructure audit found that the former Department of Planning, Industry and Environment’s¹ (DPIE) regulation of council-owned and run Local Water Utilities (LWUs) was poorly defined, and that DPIE lacked governance arrangements to coordinate the relevant strategic and regulatory activities. The report noted that DPIE is the primary regulator of LWUs and aims to adopt a collaborative approach to LWU sector regulation, but that it had not documented a regulatory policy, strategy or operational plan as required by departmental policy. DPIE had not established a formal approach to coordinating with other sector regulators such as the Office of Local Government (OLG), NSW Health, the EPA and the Natural Resources Access Regulator. Relatedly, the 2023 Regulation and monitoring of Local Government audit found that the OLG lacked a structured and well communicated approach to delivering its sector engagement and support activities. This is covered in more detail in Section 4.3.

Regulating alongside customer service focused priorities 

The 2023 State heritage assets audit found that Heritage NSW had not adequately mitigated risks to its regulatory role associated with an increased focus on customer service. Noting Heritage NSW’s activities to improve timeliness and streamline approvals for works on state heritage listed assets, gaps were found in their quality assurance mechanisms over assessments and decisions. The audit also found that core activities to address key regulatory risks were not sufficiently considered in Heritage NSW’s strategic planning documents.

Meaningful reporting on regulatory performance for accountability and continuous improvement

Our audit reports have identified weaknesses in how agencies report on their regulatory activities, including the contributions that these activities make to overall regulatory and broader policy outcomes. Indicators have been poorly defined and do not provide adequate information to executives with oversight or decision-making responsibilities. Meaningful public reporting that provides sufficient transparency has also been a common weakness: done well, reporting can ensure that regulated parties are aware of what responses to expect in cases of poor performance or non-compliance, and how to meet community expectations. An outcomes-based regulatory approach requires that agencies define regulatory outcomes clearly, and with reference to their mandate, core purpose and options available.

Ensuring adequate reporting on regulatory operations for executive oversight and accountability

The 2019 Firearms regulation audit found that the Firearms Registry executive, part of the NSW Police Force, did not receive adequate information on the performance of key Registry operations. The audit noted that the Registry made its monthly executive reporting less detailed in 2017, removing transactions, performance and trend information – such as detail on the numbers of licence applications, permits, unauthorised possession, prohibition orders, suspension and revocation decisions, and firearms seized. The Registry advised at the time of the audit that its executive were still able to access this information, but the report found the available information lacked indicators that would assist the Registry executive to more effectively manage its operations and performance.

Measuring success and reporting regulatory performance

The 2019 Managing native vegetation audit found that Local Land Services (LLS) had not developed measures of success for the Native Vegetation Code to gauge whether the Code is facilitating native vegetation management and efficient farming while responding to environmental risks. LLS is responsible for administering the land management framework, including processing notifications and issuing certificates to clear land under the Code. To help assess the impact of the Code, the report noted that, at the time of the audit, LLS was developing a predictive model to estimate its social, economic and environmental outcomes.

Similar gaps were also reflected in the following audit reports.

  • The 2018 Regulation of water pollution audit found that the EPA had not set outcomes-based measures to assess its performance in protecting the environment and trends over time.
  • The 2023 Regulation of public native forestry audit found that the EPA developed a new set of performance indicators in 2022–23 for a more detailed understanding of its performance in regulating native forestry. The report also found that the Forestry Corporation set a target of ‘zero non-compliance’ but that it was not measuring performance against this target, and noted that it is good practice to set performance indicators that are achievable.
  • The 2024 Effectiveness of SafeWork NSW in exercising its compliance functions audit found that the Department of Customer Service did not measure or report on whether SafeWork NSW achieved its intended outcomes. The performance information that was available was mostly activity-focused, and spread across different reporting entities, including the Department's annual report and in Safe Work Australia’s national Comparative Performance Monitoring Report.

Reporting arrangements that provide for effective oversight and accountability are also a key insight in Section 4. For example, the importance of defining an adequate performance measurement framework and relevant public reporting on regulatory effectiveness was identified in the Regulation and monitoring of local government audit.

Managing risks to the integrity of regulatory functions, such as tensions between duties and conflicts of interests

Our audit reports have identified that tensions or conflicts in duties can arise for officers who are undertaking regulatory functions and other activities. In addition, audits have found that probity risks can arise when third-parties provide expert advice to processes that inform regulatory decisions. It is important that officers can demonstrate their compliance with obligations under departmental codes of conduct and ethics. Examples of these risks and issues are listed below.

Managing tensions between duties to regulate and support

The 2020 Support for regional town water infrastructure audit could not conclude on whether tensions in officers’ duties to provide advice on and issue approvals in relation to town water infrastructure were effectively managed. This was in the context of the former Department of Planning, Industry and Environment’s² poorly defined regulatory role. Officers’ roles included reviewing and approving Local Water Utilities’ (LWUs) Integrated Water Cycle Management documents, and providing advice to LWUs on their funding applications and cost benefit analyses for water infrastructure projects.

Having a clear regulatory approach assists agencies to manage tensions between regulatory and customer service-focused activities. This issue is also reflected in the findings of the 2023 Regulation and monitoring of local government audit and the 2023 Cyber Security NSW: governance, roles and responsibilities audit, in Section 4.3.

Managing conflicts of interest among staff, including with respect to advisors and consultants

The 2022 Biodiversity offsets scheme audit found that the former Department of Planning and Environment³ (DPE) had established a code of conduct for its Accredited Assessors (ecological consultants) but did not collect information on their conflicts of interests. The report noted the potential for conflicts of interests created by the fact that Accredited Assessors could be engaged by development proponents to calculate offset requirements, and by landholders to calculate the credits that their site can generate. The report also found potential for conflicts if Accredited Assessors also act as credit brokers but that DPE had not regulated the provision of brokerage services, which is allowed under relevant legislation.

The 2023 State heritage assets audit noted that it is mandatory for Heritage NSW staff assessing applications for works on state heritage assets to declare that they do not have a conflict of interest for each application they assess, but found this did not remove the requirement for staff to make an annual declaration under the former Department of Planning and Environment's⁴ code. Nearly half of Heritage NSW staff had not submitted an annual conflict of interest declaration in February 2023. This fell to ten per cent in May 2023 following Heritage NSW taking steps to remind staff of their obligations.

The 2022 Building regulation: combustible external cladding audit reported that some fire experts, whose advice may have been relied on for cladding remediation, may have been responsible for the original certification of the non-compliant cladding at the time of construction. The report found that this highlights the potential value for peer review of any proposal to retain combustible external cladding.

The 2024 Effectiveness of SafeWork NSW in exercising its compliance functions audit found that while SafeWork NSW did have a framework to manage conflicts of interest, it was not consistently implemented. The audit found that of those annual declarations where staff reported an actual, potential or possible conflict of interest, in 60% of cases, no information was recorded in SafeWork NSW records about how those conflicts of interest were managed. This was identified as a risk given the discretionary authority that SafeWork NSW inspectors have to make regulatory decisions.


1 Since 1 January 2024, these functions are now undertaken by the Department of Climate Change, Energy, the Environment and Water.
2 Since 1 January 2024, these functions are now undertaken by the Department of Climate Change, Energy, the Environment and Water.
3 Since 1 January 2024, these functions are now undertaken by the Department of Climate Change, Energy, the Environment and Water.
4 Since 1 January 2024, these functions are now undertaken by the Department of Climate Change, Energy, the Environment and Water.

3.2. Data and information management

Collecting and maintaining quality information for regulatory oversight and the effective administration of regulatory activities

Our audits have identified gaps in the quality and completeness of information and data that agencies hold about regulated entities or activities, including in registers required to be maintained by law. This has limited regulatory agencies’ visibility of and ability to understand key features of the entities and activities that they regulate, as well as the ability to locate or contact the relevant parties. Such issues impede the timeliness and effectiveness of regulatory responses. Information on risks, accompanied by a transparent and consistent approach to risk assessment, is also needed for effective monitoring and risk-based compliance and enforcement.

Maintaining current and complete information and data

The 2019 Firearms regulation audit found that information in the firearms registry was not accurate or up to date, including firearm licence holders’ addresses. It found that the Firearms Registry, part of the NSW Police Force, did not have processes to ensure data is accurate when added to the registry, or to efficiently identify changes in licence holders' addresses – exposing a critical gap in data on the location of some firearms. The audit reported that programs to check the accuracy of data in the registry had ceased or been curtailed, and backlogs were identified in correcting data integrity. These and related issues were found to reduce the Registry’s ability to carry out some of its regulatory responses, such as recovering firearms from owners with expired licences.

The 2022 Biodiversity offsets scheme audit found that, although the former Department of Planning and Environment (DPE) was responsible for processing credit requirements, it was not maintaining consolidated information on how developers were meeting their obligations. This means that DPE lacked assurance of whether developers were acquitting obligations as required under the offset scheme rules. Being able to match the site that created the credit and the development site against which it is acquitted is important for the transparency of the Scheme, particularly in providing assurance that the correct credits are retired to offset the relevant development impact.

The 2022 Building regulation: combustible external cladding audit observed that there was no reliable existing source to identify buildings that might have cladding immediately after the Grenfell Tower Fire in 2017. Government had recognised the risk of this cladding following the Lacrosse Tower fire in 2014. While the audit found that in 2022 most high-risk buildings have likely been identified, it also noted that information management was not sufficiently robust to reliably track all buildings through the process from identification, through to risk assessment, and where necessary, remediation. The audit concluded that the inherent difficulty in data matching across sources would have benefited from greater initial investment in data systems by the Department of Customer Service. The audit noted, at the time, that initial work had been undertaken to address some information management limitations.

The 2023 State heritage assets audit found that Heritage NSW has made limited progress to address data quality issues in the State Heritage Register. For example, only 151 records (nine per cent of listed assets) had been updated since 2015, and nearly 90% of listed assets did not contain a rating of the physical condition of the item. The report noted that data quality issues and other information gaps had arisen over the decades since the Register was established in 1999. The report also noted that the Heritage Act 1977 does not specify what information must be contained in the Register, but that Heritage NSW had not created clear and efficient administrative procedures to support routine updates of relevant information. Incomplete and out of date information was found to limit Heritage NSW’s visibility of listed assets, which is relevant for regulatory oversight and engagement purposes.

The 2024 Effectiveness of SafeWork NSW in exercising its compliance functions audit found that while SafeWork NSW had around 20 years of compliance information, it lacked adequate IT and data governance systems and processes. This meant that SafeWork NSW did not effectively interrogate this data to provide an evidence base for its regulatory functions and strategic decision making.

Quality compliance data and other information for monitoring and responding to risks

Our audits have identified instances where information about regulated parties’ compliance is not robust. This can occur when regulatory agencies lack reliable processes for proactive and risk-based compliance monitoring, and where self-reported compliance information is not adequately validated. Further, regulatory agencies have been found to lack structured approaches to using compliance and other information to inform risk assessments such that actual or potential compliance breaches are not being investigated or responded to in a timely way. Intervening early to support voluntary compliance can support regulatory efficiency.

Compliance with self-reporting requirements and validating this information

The 2018 Regulation of water pollution audit found that, in the context of licensing water discharges, the NSW Environment Protection Agency (EPA) did not have mandatory procedures for assessing licensees’ annual returns. At the time of the audit, each licensee was required to submit to the EPA an annual return that reports on its performance and compliance with licence conditions and other statutory requirements. The EPA used this information as a significant input to its risk-based approach (for example, to determine the inspection frequency), and to calculate licence fees. The audit concluded that the EPA was not able to provide assurance that instances of non-compliance are accurately and consistently identified. The report also found that the EPA was not effectively applying its available regulatory actions to respond to known cases of licensees providing false or misleading information.

The 2022 Biodiversity offsets scheme audit found that the Biodiversity Conservation Trust’s (BCT) oversight of management actions on Biodiversity Stewardship Agreement (BSA) sites was limited by low levels of landholder compliance with annual reporting requirements. The audit reported that the BCT's compliance policy requires that landholders of BSA sites, which are established to generate biodiversity credits, submit an annual report on the condition of the site and progress against agreed management actions. But in 2021, only around 58% of landholders with stewardship sites provided an annual report to the BCT. The audit also found that the BCT’s compliance monitoring was not based on an assessment of risk, but noted that the BCT had developed and was planning to implement a new risk-based approach.

Proactive and risk-based monitoring or surveillance

The 2018 Regulation of water pollution audit report found that the NSW Environment Protection Agency (EPA) had not established reliable practices to detect non-compliance. It was noted that mandatory site inspections underpin the EPA’s proactive compliance monitoring approach but, in addition to a lack of mandatory procedures for the assessment of annual returns (discussed above), it was found that the EPA had not defined requirements for these site inspections. The EPA had not issued a policy or procedures to define what the mandatory inspections should cover and how they are to be conducted. Variations in how officers conducted inspections were also found.

The 2019 Managing native vegetation audit found that Local Land Services (LLS) conducted limited monitoring of set-aside areas, which are required under certificates issued by LLS. As a condition for approval to clear native vegetation, landholders can be required to make ‘reasonable efforts’ to maintain set-asides and keep records of this work. LLS advised that it was planning to use a risk-based approach to audit the maintenance of set-asides, although at the time of the audit LLS was yet to develop a program for this. The report also found that the former Office of Environment and Heritage’s⁵ processes at the time did not identify unlawful land clearing in a timely way, delaying the ability to reduce harm or take enforcement action. Very few prosecutions, penalties, remediation orders and stop work orders were issued for unlawful clearing. The issue of enforcement action is covered in more detail in Section 3.3.

The 2023 Regulation of public native forestry audit found that the NSW Environment Protection Agency (EPA) used a range of information sources to target its inspections in the Coastal Integrated Forestry Operations Approvals (IFOA) area including the Forestry Corporation operational plan and other relevant information to identify a risk rating for each of these harvest sites. It then targeted its proactive inspections to the highest risk sites. But this audit also found that the EPA did not conduct risk assessments for Western IFOA regions. As it had not determined whether there are high-risk sites, it had not conducted any proactive inspections in these regions in recent years.

The 2024 Effectiveness of SafeWork NSW in exercising its compliance functions audit found that SafeWork NSW did not have a strategic business intelligence function that was both recognised and understood across each directorate and team. The ability of its technology infrastructure to deliver sophisticated strategic and operational data intelligence was limited. As a result of this lack of central coordination and capability, directorates developed their own data analysis capability, with inconsistent, fragmented and potentially duplicative results. SafeWork NSW’s inadequate systems hindered how effectively it could identify and respond to emerging risks, such as respirable silica in manufactured stone. The audit found there was no reliable and efficient way to identify silica-related matters, potentially contributing to SafeWork NSW being slow to respond to this work health and safety risk.

The importance of collecting and maintaining robust information that is adequate for regulatory oversight is also a recurring theme in Section 4 of this report, such as with respect to data on the use of consultants and on cyber security resilience.


5 Since 1 January 2024, these functions are now undertaken by the Department of Climate Change, Energy, the Environment and Water.

3.3. Procedures and decision-making

Clear processes, procedures, and support to staff, to ensure robust and consistent approaches to regulatory approvals

Our audits have found weaknesses in quality assurance and controls when agencies are setting regulatory conditions, such as the conditions attached to a licence or approval. Appropriate records that document the reasons for decisions are not consistently kept. This creates risks that decisions lack merit or that the agency cannot demonstrate their considerations, advice and reasons for decisions. Clearly documented processes and procedures can support agencies to make regulatory decisions in consistent and proportionate ways, consistent with the law and policy. Audits have also found room for improvement in mechanisms to support staff to use technical expertise and professional judgement, such as adequate training, guidance and peer review.

Clear procedures for approvals

The 2019 Firearms regulation audit found that the Firearms Registry was not adequately assessing the validity of reasons provided by licence holders when acquiring firearm permits, creating a risk of inconsistent decisions. Under the Firearms Act 1996, when assessing a firearms permit, the Registry must be satisfied that an applicant has demonstrated a ‘good’ reason to apply. The audit reported that the Registry did not make this assessment because the application form involved the licence holder making a self-assessment. The audit reported that the Registry updated its form in November 2018, requiring the applicant to select a reason from a list. The audit reported that the Registry had no guidance for staff on how to assess whether the applicant had provided a good reason. The audit concluded that the Registry could not be assured that licence holders have a good reason for accumulating large numbers of firearms.

The 2020 Support for regional town water infrastructure audit found that the former Department of Planning, Industry and Environment’s (DPIE) procedures for reviewing and approving (giving ‘concurrence to’) Local Water Utilities’ (LWUs) planning documents were unclear, and practice varied. DPIE advised the audit, at the time, that it applied a checklist and best practice guidelines to inform its assessment of whether an Integrated Water Cycle Management (IWCM) strategy was ‘sound’. But DPIE had not documented its internal delegations, quality management practices and business rules for these review and approval functions. Comments on LWUs' documents varied widely in scope and focus, and requests for further information were made without a supporting rationale. This was found to limit procedural fairness and potentially adversely affect LWUs as the owners and implementers of these IWCM strategies.

Guidance when setting regulatory conditions

The 2018 Regulation of water pollution audit found that the NSW Environment Protection Agency (EPA) had an inconsistent approach to, and mixed adoption of, guidance to assist staff when setting licence conditions for discharge of pollutants into water. The audit reported that in August 2016, the EPA approved updated guidance to assist staff, but it was not mandated at the time. The EPA initially left discretion to its regional offices to decide on what guidance to use. The EPA mandated the guidance in 2018 with instructions on its use, but the audit found that the EPA could not demonstrate how it ensures its staff use the guidance, and that this resulted in inconsistent decisions when setting licence conditions.

The 2023 State heritage assets audit found there were gaps in Heritage NSW’s guidance to staff to support the quality of advice and decisions on works affecting assets listed on the State Heritage Register. The audit found that Heritage NSW’s guidance to staff was focused on delegations but lacked guidance to promote consistent approaches to decision-making. It also found that Heritage NSW did not conduct systematic quality assurance or random auditing to test the quality of decisions, and that opportunities for practice sharing and peer review were lacking. The audit report also found that Heritage NSW lacked a structured assurance process over delegated decisions made by external entities, to ensure that decisions were being made in line with requirements.

The 2024 Effectiveness of SafeWork NSW in exercising its compliance functions audit found that SafeWork NSW had developed guidance for its inspectors for the purpose of encouraging greater consistency in regulatory decision-making. However, achieving consistency remained an ongoing challenge for the regulator, especially given the statutory regulatory powers that are vested in individual inspectors. The audit found evidence of apparent differences in how regulatory functions are performed, both across work areas and between different groups of inspectors. For example, inspectors with fewer than two years’ experience issued an average of around 60 compliance notices per year, compared to 50 for inspectors with more than five years’ experience.

Clear escalation thresholds and enforcement policies promote credible and proportionate regulatory actions

Our audits have identified that some agencies lack compliance and enforcement policies, or that policies lack clear escalation thresholds to identify if further action, investigation or a particular enforcement response is appropriate. Where policies have been absent or inadequate, audits have also observed that enforcement responses are infrequent, or there is a lack of evidence that the range of available powers was considered. It can be unclear whether the level of enforcement action is consistent with the agency’s policy intent or reflects a failure to respond adequately to known breaches. An outcomes-focused regulatory approach requires that responses to non-compliance are tailored and that clear thresholds for different types of enforcement actions are established and understood.

Clear compliance and enforcement policies

The 2022 Building regulation: combustible external cladding audit found that the former Department of Planning and Environment⁶ did not have a policy for applying penalties for late registrations on the mandatory register. Amendments to the Environmental Planning and Assessment Regulation in 2018 required that owners of certain types of buildings register on an online database operated by the department if their building has combustible cladding. The objective of this regulation was to provide for the identification and collection of information on this cladding. The audit reported that around a fifth of buildings were registered late.

The 2019 Firearms regulation audit found that the Firearms Registry, part of the NSW Police Force, did not have adequate policies, guidance and supervision to support staff to make sound and consistent decisions when responding to breaches of the Firearms Act 1996 and Regulation 2017. The Act and Regulation provide for a wide range of discretions for suspending or revoking licences, and other sanctions from penalty notices to court-imposed fines or imprisonment. The audit reported that the Registry had a policy for making revocation and suspension decisions, but it was issued in 2007, predating the 2017 regulation. It also reported that the Registry had no policy on using its powers to apply penalty notices or recommend court proceedings for breaches.

Procedures with thresholds for investigation and escalation

The 2023 Regulation and monitoring of local government audit found that the Office of Local Government’s (OLG) 2017 Improvement and Intervention Framework and its 2014 Framework for Implementing Early Intervention Orders had not been recently reviewed. For example, they had not been reviewed to reflect the OLG’s regulatory approach and legislative provisions at that time. The Local Government Act 1993 sets out requirements for councils, and includes discretionary powers for the Minister for Local Government and Departmental Chief Executive to respond with specific intervention and investigation actions. The audit reported that neither of the OLG’s frameworks provided staff with sufficient guidance, creating risks to the consistency and transparency of advice and recommendations relating to regulatory responses. The OLG’s planning documents for 2022–23 included actions to update its intervention tools, resources and frameworks.

The 2023 State heritage assets audit found that Heritage NSW lacked clear escalation processes to address identified non-compliance in a timely way. The audit noted that the Heritage Act 1977 controls certain activities affecting assets listed on the State Heritage Register, and asset owners and managers have certain responsibilities, e.g. to ensure minimum standards of maintenance. The audit reported that Heritage NSW has a compliance and enforcement framework with strategies ranging from voluntary compliance to litigation and encourages non-compliance to be resolved at the lowest possible level. But the report found this framework lacked clear thresholds for investigating or escalating breaches and taking action. It was reported that, at the time of the audit, over 70% of compliance matters had been open for 270 days. The report also found that Heritage NSW did not provide its staff with sufficient guidance to appropriately escalate compliance breaches by state government entities.

The 2024 Effectiveness of SafeWork NSW in exercising its compliance functions audit found that SafeWork NSW has documented clear processes and procedures for determining matters that should proceed to investigation with a view to possible prosecution. These were captured in SafeWork NSW’s Investigation Decision Making Panel. The audit found an extensive range of formalised priority areas and guiding principles to inform escalation decisions. However, there was inadequate guidance on how they should be operationalised and applied, such as whether weightings apply or whether the prescribed elements are considered in isolation or combination. The audit found that while the presence of a framework may help to create the impression of objectivity in decision-making, the breadth of the guiding principles and the lack of direction about how they should be applied appeared to leave the process open to arbitrary and subjective decisions.

Use of regulatory powers

The 2023 Regulation of public native forestry audit found that the EPA utilised a range of regulatory interventions in response to identified non-compliances. The EPA was also found to be collecting the information that it needs from the Forestry Corporation of NSW to conduct inspections, and to be prioritising inspections of high and medium risk sites.

In contrast, audits have more often made observations about the use of compliance and enforcement powers in the context of poorly or undocumented policies and procedures. Examples are presented below.

  • The 2019 Firearms regulation audit found that the Firearms Registry, part of the NSW Police Force, did not issue any penalty notices to licensees over a five-year period for breaches relating to a failure to notify a change of address. In contrast and over this same period, local Police issued 111 enforcement actions including penalty notices, where licence holders failed to notify of a change in address.
  • The 2022 Building regulation: combustible external cladding audit found that the former Department of Planning and Environment issued no fines for late registrations on the mandatory register. The department advised the audit at the time that its approach was to encourage registrations and that a penalty would be a disincentive, and so was considered a last resort. In the absence of a written policy, the audit found it is unclear when such penalties would be applied.
  • The 2023 State heritage assets audit noted that no stop work orders, orders to remedy failure to maintain, or orders restricting harm were issued in relation to 56 non-compliance matters in 2019–20. The audit also reported an example of a state agency intentionally demolishing a building within a State Heritage Register listed item while being investigated for demolishing a different listed asset. The matter resulted in the agency making non-binding commitments to avoid future recurrence.

3.4. Support and guidance

Providing timely, relevant information and other supports to enable voluntary compliance, and promote the efficient achievement of regulatory objectives

Our audits have identified shortcomings in the effectiveness of support that agencies provide to regulated parties to enable and encourage their voluntary compliance. This has included guidance that is not timely or well-targeted to risks and needs, and support or other information not being readily accessible. At times, regulatory agencies have not maintained an effective distinction between prioritising positive customer service or sector engagement experiences – which are not regulatory activities – and delivering authoritative guidance on requirements. Providing timely and relevant information can reduce the need for costly and time-consuming investigations and enforcement activities. It can also build understanding among regulated parties, stakeholders and the wider community about the intended outcomes and potential benefits of the regulatory activities.

Accessible and timely information and resources

The 2019 Firearms regulation audit found that the Firearms Registry’s information for firearm licence holders about how to update address details was not prominent or accessible. The Firearms Act 1996 and Regulation have a strong emphasis on licence holders updating their personal details promptly, with penalties for non-compliance. However, the report noted that licence holders may fail to notify address changes or incorrectly believe that this occurs when they update their driver’s licence record. The audit reported that the link to update address details on the Registry website could be found through a search engine, but was not prominent on its website. It was also reported to be difficult to find on the Service NSW website. The audit found that as at October 2018, NSW Police could not recover a quarter of the 1,270 firearms in possession of persons with expired licences due to incorrect addresses in the Registry’s database.

The 2019 Managing native vegetation audit found that landholders did not have access to the full Native Vegetation Regulatory map to guide their land clearing decisions. The audit noted that the Local Land Services Act 2013 requires the environment agency head to prepare and publish native vegetation regulatory maps. The audit reported that, at the time, two main map categories (exempt land and regulated land) were yet to be released. The audit found that in their absence, landholders were responsible for categorising their own land, but may have been less certain about which land requires approval to clear and which does not. The audit found that this increased the risk that land would be cleared unlawfully.

Targeted support and guidance

The 2020 Support for regional town water infrastructure audit found that the former Department of Planning, Industry and Environment’s (DPIE) assistance to Local Water Utilities (LWUs) for compliance and best practice town water planning had been limited overall, and not well targeted. The audit noted that DPIE developed an Integrated Water Cycle Management (IWCM) checklist but that this was widely considered as not fit-for-purpose, complex and prescriptive. Best practice seminars were reported to have occurred on two occasions, reaching about 50% of LWUs. The audit also reported that LWUs found that DPIE’s advice was useful when provided individually, especially face-to-face, but ad hoc in response to requests. In 2019, DPIE set out to achieve 100% of LWUs with a current approved IWCM strategy. Of 17 LWUs sampled in the audit, one had completed its strategy at the time of the audit.

The 2023 State heritage assets audit found that Heritage NSW had delivered initiatives in line with its customer service priorities, but these could be strengthened, including with more targeted stakeholder education and engagement to promote good practice and voluntary compliance. The audit noted that Heritage NSW publications are a core source of guidance to asset owners and managers, industry professionals, and consultants. This audit reported that Heritage NSW has not updated most of its publications in ten years, and some in 20 years. Some publications that had been updated had also been revised for a generalist audience. The audit found that there may be value in a tailored suite of publications to ensure sufficient information is available, particularly on technical details and policy expectations. The audit also found that Heritage NSW did not have programs providing targeted support or capability building for government entities, which make up the largest group of asset owners.

The 2022 Building regulation: combustible external cladding audit found that the former Department of Planning and Environment (DPE) undertook effective consultation and communication when developing a mandatory register for the owners of buildings with combustible cladding. In 2018, regulations were amended that required the owners of certain types of new or existing buildings to register on an online database operated by DPE if their building has such cladding. The audit reported that DPE consulted extensively in developing the regulation, and communicating it to its target audience. Activities included developing a communications strategy, inviting public comment, detailed acquittal of public submissions, stakeholder and industry roundtables and presentations, publishing amendments and FAQs, issuing direct correspondence to councils, and providing advice and correspondence to building owners.

The need for timely and relevant support to enable voluntary compliance, and promote the overall outcomes of regulatory activities, is also a recurring theme in Section 4 of this report.

3.5. Themes from recommendations to enhance the effective administration of regulatory powers and functions

Table 1 below presents a collated summary of recommendations made to agencies across the audits included in this section of the report. They are grouped under four key areas, reflecting the four sections included in this section of the report – governance and accountability, data and information management, procedures and decision making, and support for voluntary compliance.

Table 1: Common types of recommendations to agencies to improve their administration of regulatory powers and functions
Purpose of the recommendations | Common types of recommendations
To improve the governance of, and accountability around, regulatory functions:
  • clarify and better communicate the regulatory approach and priorities
  • strengthen governance arrangements to ensure alignment between responsibilities, roles and activities
  • better define and measure against a regulatory performance framework
  • improve internal monitoring and reporting on regulatory operations and performance
  • improve public reporting to enhance transparency with respect to regulatory performance.
To improve the quality of information used to ensure oversight, and inform regulatory approaches:
  • ensure quality data on regulated activities and entities is collected and maintained, including where there are minimum statutory requirements
  • improve the collection and use of data and other information for monitoring purposes, including to support risk-based responses and early interventions
  • better define risk assessment frameworks and their application in regulatory responses.
To improve the robustness of regulatory decisions and to support transparent and consistent approaches:
  • enhance controls and quality assurance mechanisms over regulatory approvals and related decisions
  • enhance policies and procedures to support consistent approaches to and documenting of decisions
  • establish, document or clarify investigation procedures and escalation thresholds
  • ensure adequate staff training, support and resources for compliance and enforcement actions.
To improve the quality of support and guidance to promote voluntary compliance:
  • improve the timeliness of information and guidelines
  • provide more targeted or tailored resources as part of a strategic communications approach
  • ensure clear communications about the regulatory approach and expectations.

 

3.6. Summary of insights to improve performance of regulatory bodies

4. Stewardship of sector compliance and performance

Leading public sector compliance and performance

Central and lead agencies that administer policies and frameworks that promote compliance with rules and standards across the public sector have an opportunity to provide leadership through clear and cohesive approaches that hold responsible parties, such as the heads of other agencies, to account. These approaches should be clearly defined and align with policy priorities and levels of regulatory risk and capability.

Achieving this may be challenging, particularly when responsibilities are devolved, and where there are emerging risks or issues. But doing so is important for good governance, including meeting expectations with respect to transparency. Central and lead agencies may also have an oversight role in monitoring compliance and performance across the public sector. Effective oversight requires the collection and reporting of robust and timely information. Not only is this needed to manage and respond to risks, but it can also inform more tailored and strategic approaches that enable compliance and address repeat performance gaps.

Finally, central and lead agencies are in a position to coordinate responses to compliance and performance risks and issues, including by providing timely and relevant support that best enables the responsible parties to meet their obligations. In cases of non-compliance or poor performance, particularly when repeated or widespread across the public sector, it is important for lead and central agencies to take effective action that ensures accountability.

4.1. Governance and accountability

A cohesive approach which is strategically aligned to risk, where oversight is clear and is accompanied by meaningful performance reporting

Our audit reports have identified a lack of coherence in lead or central agencies’ approaches to promoting compliance and performance, in particular when their level of oversight and the accompanying accountability mechanisms are not proportionate to risks or are not sufficiently strategic. Our reports have also observed that central and lead agencies can lack mechanisms to assess and report on their own performance and how well their activities contribute to sector-wide compliance and performance. This limits transparency and can mean that opportunities to refine and enhance their approaches are missed. Our annual internal controls and governance reports, which summarise the results of financial audits of the largest 25 NSW public sector agencies, have repeatedly highlighted weaknesses in governance arrangements across these agencies.

Setting a clear stewardship role against which performance is assessed

The 2023 Cyber Security NSW: governance, roles and responsibilities audit found that Cyber Security NSW, in the Department of Customer Service, had a clear purpose that was in line with wider government policy and objectives. But the audit also found that Cyber Security NSW had many objectives contained in a range of sources including strategy and planning documents and public communications. The audit also found that Cyber Security NSW had too few reliable and meaningful ways of measuring progress. Without a clear and consistent program logic, and sound performance management and reporting, the audit reported that it was difficult to determine whether the functions and services delivered by Cyber Security NSW were helping to achieve the level of cyber resilience required to meet increasing cyber threats faced by the NSW public sector.

The 2023 Regulation and monitoring of local government audit found that the Office of Local Government (OLG), in the former Department of Planning and Environment⁷ at the time of the audit, had not clearly defined and communicated its regulatory role. This lack of clarity was assessed as presenting a risk to its regulatory effectiveness. The audit also found that the OLG did not have an adequate framework to define, measure and report on its regulatory performance. Departmental performance measures for the OLG were found to not provide meaningful information about its regulatory activities and their contribution to departmental and state outcomes. The 2020 Support for regional town water infrastructure audit made similar findings with respect to the former Department of Planning, Industry and Environment having a poorly defined regulatory approach for council-run and managed Local Water Utilities. See Section 3.1 for detail.

Governance arrangements that facilitate strategic oversight

The 2019 Governance of Local Health Districts audit found that the Ministry of Health’s Health Performance Framework and service agreements with Local Health Districts (LHDs) had underpinned a cultural shift towards greater accountability and oversight. But the audit found areas for improvement, noting NSW Health is a large, complex and dynamic system. In particular, and to ensure good governance, the audit found a need for greater clarity in the nexus between LHDs’ under-performance and escalation decisions to help ensure that the Ministry’s performance monitoring and intervention is consistent in a devolved model. Rather than performance surveillance at the local level, the audit identified a clearer and more valuable role for the Ministry to intervene to assist in facilitating system-wide responses to emergencies.

Oversight that enables accountability, informed by risk

The 2021 NSW Cyber Security Policy: compliance audit noted that the NSW Cyber Security Policy allowed agencies to determine their own level of cyber security maturity, and the extent to which they implement policy requirements. The audit reported that determinations did not need to be justified. It found that, at the time of the audit, Cyber Security NSW did not require relevant decisions on risk tolerance, or the timeframes agencies have set to implement requirements, to be documented or formally endorsed by the agency head, or to be reported to Cyber Security NSW. The 2023 Internal Controls and Governance report, which covers the largest 25 agencies in the NSW public sector, found that over 80% of agency assessments of maturity levels against the NSW Cyber Security Policy reported that one or more self-assessed mandatory requirements are not practiced on a consistent and regular basis and Essential Eight cyber controls have not improved. The report made a number of recommendations to agencies to prioritise efforts to improve cyber security controls and cyber resilience measures.

The 2022 Building regulation: combustible external cladding audit observed that the Department of Customer Service and the former Department of Planning and Environment (through the Cladding Taskforce) initially adopted a ‘light touch’ approach to the oversight and coordination of compliance relating to government buildings. Departmental reporting to the Cladding Taskforce was initially limited and high-level, providing little insight into the relevant matters. The audit found that this reporting was also not scrutinised in line with requirements, and issues were identified with the completeness of departments’ reporting. The audit noted that a revised reporting approach was developed to improve the reliability of information in July 2021.

The 2023 NSW government agencies’ use of consultants audit noted that a devolved governance model for procurement means that agencies are responsible for developing and implementing their own systems that align with the NSW Government Procurement Policy Framework. The audit found examples of non-compliance with procurement rules, and that record keeping was inadequate in many cases, limiting transparency. Agency heads are responsible for demonstrating compliance. Previously, the 2018 Procurement and reporting of consultancy services audit concluded that the NSW Procurement Board was not fully effective in overseeing agencies’ procurement of consultancy services. None of the 12 agencies examined in the audit complied with all mandatory requirements of the relevant NSW Procurement Board Direction, and eight did not comply with annual reporting requirements. Audit sampling also noted three instances where suppliers did not comply with the Standard Commercial Framework and none of these engagements were reported on the Major Suppliers Portal as non-compliant. NSW Procurement had not enforced any penalties on suppliers for non-compliance, and the audit found that in the absence of sanctions for breaches, suppliers’ compliance with the Framework was unlikely to improve.

A central view of compliance to respond to repeat issues

Government advertising audits, required to be undertaken each year under the Government Advertising Act 2011, have identified repeat compliance and performance issues across advertising campaigns run by the audited agencies. The Department of Customer Service has policy responsibility for government advertising and is responsible for regulating the activity under the Act. Agencies not complying with cost-benefit analysis requirements, not meeting information substantiation and accuracy requirements, and using post-campaign evaluations for inappropriate purposes, have been identified as issues on multiple occasions.

The Government advertising 2021–22 audit recommended that the Department of Customer Service improve its whole of government monitoring processes to provide the NSW Government with a central view of compliance across all aspects of the government advertising framework.

4.2. Data and information management

Robust data and information management systems to monitor sector-wide risks and establish a reasonable level of assurance around compliance

Our audit reports have found that lead and central agencies can lack oversight of levels of compliance and performance across the public sector, and lack information about regulatory risks, issues or trends. Our reports have repeatedly highlighted shortcomings in the reporting that lead and central agencies require of the responsible parties. In some cases, there has been a lack of information for the agency to be assured that its approach is informed by or proportionate to risk and capability.

A key issue that has been repeatedly found is that agencies do not collect and maintain sufficient information to ensure effective oversight and coordination. Lead agencies have been found to not adequately assess self-reported information and lack the systems and processes to collate information in a way that provides a holistic picture. Where our audits have identified these shortcomings, they have also generally found that strategic risks or repeat issues are not being addressed.

Information management systems to effectively monitor sector-wide risks to compliance and performance

The 2023 Regulation and monitoring of local government audit found that the Office of Local Government (OLG), in the former Department of Planning and Environment at the time of the audit, did not have fit for purpose information management systems to support effective sector monitoring approaches. The audit found that the OLG collects various sources of information about council compliance and performance, but did not ensure the most relevant information is gathered and used to proactively develop responses. The audit found uncoordinated data sets and a high reliance on key personnel to share information. The audit found that projects in 2022 to consider the efficiency and productivity of the OLG’s digital systems had not resulted in substantial changes. The audit also found the OLG has lacked a framework for assessing risks, but started implementing a council risk assessment tool in March 2023.

The Local Government 2022 report, which summarises findings from financial audits of local councils, found that 93 high-risk matters were identified across the sector, mainly relating to asset management, information technology, financial accounting, and governance. It recommended that councils need to track progress of implementing audit recommendations, giving priority to high-risk areas and repeat issues.

A reasonable level of assurance over data quality

The 2023 Cyber Security NSW: governance, roles and responsibilities audit found that Cyber Security NSW did not provide assurance of the cyber security maturity self-assessments performed by individual agencies. The audit noted that the mandatory administrative requirements circular issued by the Secretary of the Department of Customer Service in 2020 stated that clusters and agencies would be subject to audits to test compliance, with outcomes reported. The audit recommended that Cyber Security NSW implement an approach that provides reasonable assurance that agencies are assessing their compliance with the Cyber Security Policy in a way that is consistent and accurate. Previously, in the 2021 NSW Cyber Security Policy: compliance audit we noted the importance of Cyber Security NSW seeking its own assurance because agencies’ maturity reporting is the main source of knowledge about public sector cyber security resilience. That audit also found that, among the nine agencies included in the audit, attestations on cyber security in agency annual reports did not accurately reflect their cyber security situations.

The 2018 Procurement and reporting of consultancy services audit found that NSW Procurement’s compliance monitoring depended on the reliability of agency self-reporting, including reporting non-compliances. NSW Procurement was found to rely on agencies’ internal assurance activities to check compliance, and performed limited checks against the relevant mandatory NSW Procurement Board Direction. The report also found that NSW Procurement’s assurance activity with respect to the completeness and accuracy of suppliers’ data had been limited. The 2023 NSW government agencies’ use of consultants audit continued to find gaps in agency compliance with the NSW Government Procurement Policy Framework, and compliance gaps with state record keeping requirements.

Data that enables strategic responses to risk

The 2023 NSW government agencies’ use of consultants audit found that NSW Procurement had made some improvements to the information about agencies’ spending on consultants, but that there was still no single data source that accurately captures all relevant spending. The audit reported that there were four different data sources that contain information about spending by agencies on consultants. Analysis showed that agencies were overly reliant on selected consultancy firms, creating strategic risks, and that it was unlikely that agencies would meet the government commitment to reduce spending on consultants. The audit also found that most agencies did not have a clear strategic approach to when and how consultants were used, or systems for managing or evaluating their performance. The previous 2018 Procurement and reporting of consultancy services audit had recommended that NSW Procurement enhance the quality of data collection, and report on the outcomes and analysis of their monitoring activities.

4.3. Support and coordination

Strategic and timely support to enable voluntary compliance and address repeat risks and issues

Our audit reports have consistently found shortcomings in the guidance and other forms of support that central and lead agencies provide to the public sector, including local government entities. Gaps have been identified in the timeliness and relevance of support, and in how clear and well targeted the information is. These issues represent a missed opportunity to address risks early and achieve efficiencies, and may be limiting the effectiveness of regulatory and associated policy outcomes. These practical challenges were also found to increase compliance costs and risks, and mean intended benefits may not be achieved.

Strategic engagement and communication to promote compliance and performance

The 2023 Regulation and monitoring of local government audit noted that the Office of Local Government (OLG), in the former Department of Planning and Environment at the time of the audit, had undertaken a range of sector support activities, consistent with its sector improvement and intervention framework. However, the audit found the OLG lacked a structured and well communicated approach to delivering these activities. The audit also reported that the OLG was slow to finalise guidance for the sector on key issues such as cyber security, risk management and internal audit. The Local Government 2022 report, which summarises findings from financial audits of local councils, made a series of recommendations intended to further improve financial management and reporting capability across the sector, and encourage sound governance arrangements and cyber resilience. The report also noted that 2021–22 had been a challenging year for many councils recovering from the impact of emergency events, and facing cost and resourcing pressures.

The 2023 State heritage assets audit found that Heritage NSW’s initiatives could have been strengthened with more targeted outreach and engagement with government entities that own or manage heritage listed (regulated) assets. The audit noted that government entities make up the largest group of state heritage asset owners. Audit consultation identified varying levels of heritage management capability in government entities. The audit also found that Heritage NSW’s activities to support these entities to comply with the requirement to maintain a heritage and conservation register had limited success.

The 2023 Cyber Security NSW: governance, roles and responsibilities audit noted that Cyber Security NSW, in the Department of Customer Service, has a remit to assist local governments to improve cyber resilience, although it cannot mandate action. The audit found that the results of its engagement with the local government sector had been mixed. The audit found that, at the time of reporting, Cyber Security NSW did not have a strategic approach to guiding its efforts with the sector, for example, through establishing a local government engagement plan or strategy.

Timely and targeted guidance to address common risks and repeat issues

The 2022 Building regulation: combustible external cladding audit found that the Department of Customer Service and former Department of Planning and Environment did seek to work constructively with councils and provided high level advice on requirements. But the audit also found that it took more than two years before a model process and detailed advice were provided to councils to encourage consistent processes. The audit reported that advice to councils, and to state government building owners, should have been more timely on key issues to help avoid inconsistencies and weaknesses in the different processes adopted by the nine audited councils.

In the Government advertising 2021–22 audit, we recommended that the Department of Customer Service review its guidance and process to ensure they support agencies to comply with requirements, especially in common areas of deficiency, such as with respect to cost-benefit analyses. Audited agencies not complying with cost-benefit analysis requirements under the NSW Government Advertising Guidelines has been the main repeat issue: this was found in seven of the eight advertising campaigns audited since 2018, and was reported as an issue in previous years’ audits.

The 2018 Procurement and reporting of consultancy services audit observed that agencies rely on NSW Procurement to provide timely and tailored procurement guidance and support, but found that agencies could benefit from more targeted support depending on the level of risk and size of procurement engagements. The audit also found that NSW Procurement provided insufficient time for agencies to implement certain policy changes. In addition, instances of inconsistent or out-of-date guidance were found, such as the definition of ‘consultants’ and thresholds for reporting on consultancy services. The 2023 NSW government agencies’ use of consultancy services audit found that NSW Procurement’s guidance for classifying and reporting on consulting expenditure remained ambiguous. Audit sampling indicated that agencies were not interpreting the definition of consultant consistently, reducing data quality about spending on consultants.

4.4. Themes from recommendations to enhance stewardship of public sector compliance and performance

Recommendations have been made to agencies in our audit reports to improve how effectively they lead and coordinate public sector agencies and local government entities to meet their obligations. In summary, looking across the audits referred to in this section of this report, we have made recommendations along the following lines:

  • clarify the overall approach with respect to policy priorities, strategic risks and capabilities
  • improve oversight, particularly with more meaningful reporting on performance and robust accountability mechanisms
  • establish effective approaches to monitoring entities' compliance and performance, including reasonable assurance of self-reported data, including through clear procedures for responding to risks, repeat under-performance and non-compliance
  • improve the relevance and timeliness of support that promotes voluntary compliance and the achievement of objectives.