First, Property NSW has not comprehensively reviewed many agency property portfolios to help agencies identify assets, including commercial office properties, that could be better utilised or recycled. Second, the Government Property Register is not being actively maintained and contains incomplete and inaccurate information, limiting Property NSW’s ability to use it to support strategic decisions about the use of government property assets. Third, Property NSW's decisions are not well documented and its processes to reach decisions are not transparent to stakeholders. That said, property utilisation has improved by about 14 per cent since 2012, and Property NSW is actively moving properties out of the Sydney CBD in line with the ‘Decade of Decentralisation’ policy.

Property NSW’s role is to provide a strategic approach to property asset management. Under the 2012 Premier’s Memorandum, this includes a requirement that Property NSW undertake regular reviews of agency property portfolios to identify efficiencies to improve service delivery. Property NSW completed one comprehensive review of an agency, limited reviews of four other agencies, and some reviews of government property in regional towns, prior to 2017.

In December 2017, Property NSW started working across the NSW Government to help agencies identify real property assets, including commercial office properties, that are under-utilised or surplus and that could be recycled, repurposed, or vested to Property NSW.

Following the Memorandum, agencies were directed to vest their commercial office properties to Property NSW. However, without more comprehensive reviews, Property NSW does not know how many commercial properties are yet to be vested. Agencies can approach Property NSW for assistance in managing their property portfolios, and Property NSW arranges the recycling of under utilised and surplus properties that are brought to its attention. Property NSW is improving utilisation of government office space, according to agency self-reported information which Property NSW uses to calculate utilisation rates. 

The Property Asset Utilisation Taskforce report (2012) recommended that the NSW Government needed a ‘single source of truth’ to inform asset retention and disposal decisions, leasing decisions and ongoing strategic property decisions. It concluded that the Government Property Register (GPR) could perform this function ‘if populated appropriately’. However, the GPR is not comprehensively performing this function because it is still incomplete and out of date. Property NSW manages the GPR and NSW Government agencies are required to supply ‘accurate, relevant and useful information’ to populate it. Agencies are not always doing so in a timely manner, limiting its usefulness to support strategic decision making. Property NSW supplements the GPR with information from multiple other sources to assist its decisions, however, there is still no single, complete and accurate picture of the NSW Government property portfolio. 

The work Property NSW does to identify, shortlist and propose new lease and agency relocation options is not well documented. Property NSW records the outcome of the process without detailing how and why decisions were made. There is limited transparency in this process for stakeholders. Record keeping is also inconsistent and many of Property NSW’s divisions do not have procedures or guidelines.

In December 2017, the NSW Government announced the Property Infrastructure Policy to create a more collaborative approach between Property NSW and NSW Government agencies to review and identify efficiencies in their property portfolios. Before this, Property NSW did not have a plan to assist agencies to identify under-utilised properties for recycling or repurposing. It still does not know how many under-utilised properties exist and will not know until it has completed all of the portfolio reviews it is currently carrying out under the Property Infrastructure Policy.

Between 2013 and 2017, Property NSW had only completed one comprehensive review of an agency, limited reviews of four other agencies, and some regional towns. Outside this process Property NSW chose to rely on other agencies to identify surplus property for recycling, repurposing or vesting ownership to Property NSW.

Property NSW has a role to provide a strategic approach to property asset management and is required to undertake regular reviews of agency property portfolios under the Premier's Memorandum. Property NSW only recently started working to assist agencies to identify under-utilised and surplus properties, or properties to be vested. These reviews should improve the identification of surplus and under-utilised real property assets and assist whole-of-government decisions on the recycling, repurposing of under-utilised assets and vesting of owned office accommodation to Property NSW.

Recommendations
By December 2019, Property NSW should:

1. combine the results of property portfolio reviews to produce a whole-of-government picture of the NSW Government property portfolio 
2. devise a strategy and plan to recycle or repurpose under-utilised properties using a whole-of-government picture of the NSW Government property portfolio
3. develop and report on indicators for progress in reducing the number and value of under-utilised properties at the whole-of-government level, referencing progress against an accurate baseline stocktake.

Property NSW needs to be more proactive in its management of the GPR and in encouraging agencies to provide the information needed to improve this register. In 2012, the Property Asset Utilisation Taskforce report recommended there be a single source of truth on property assets owned by the NSW Government. The GPR is intended to fulfil this role but it is out of date and incomplete.

Without a complete and accurate central register of property, Property NSW cannot provide the NSW Government with a comprehensive picture of its property portfolio, or make whole-of-government decisions about the property portfolio. Property NSW currently supplements the GPR with information from other systems in order to make decisions about leasing, relocations, and property recycling and repurposing. Agencies are required to provide ‘accurate, relevant and useful information’ but are not consistently doing so.

Property NSW documents the outcome of decisions about relocations, lease renewals, and utilisation but is unable to provide evidence of how these decisions are reached. Property NSW is also unable to provide evidence of documented guidance for its staff on how decisions should be made. Whilst some level of subjectivity will play a part in such decisions, the lack of documentation and guidance raises issues of consistency, accountability and transparency in decision-making. Property NSW states that it makes decisions based on whole-of-government outcomes rather than equitable and consistent outcomes for client agencies, which is inconsistent with the criteria it reports that it uses when making decisions about leases and relocations.

Recommendations
By December 2019, Property NSW should:
5. document and communicate to stakeholders how its assessment criteria inform key decisions including agency relocations, lease renewals and rectifying under-utilisation
6. include customer satisfaction measures in its annual reports and reviews, in accordance with the requirements set out in the Premier's Memorandum M2012-20
7. improve record-keeping and compliance with the State Records Act 1998 and the Department of Finance, Services and Innovation Records Management Policy.

Conclusion

The Department of Education effectively and efficiently allocates grants to non‑government schools. Clarifying the objectives of grants, monitoring progress towards these objectives, and improving oversight, would strengthen accountability for the use of public funds by non‑government schools.

We tested a sample of grants provided to non‑government schools under all major schemes, and found that the Department of Education consistently allocates and distributes grants in line with its methodology. The Department has clear processes and procedures to efficiently collect data from schools, calculate the level of funding each school or System should receive, obtain appropriate approvals, and make payments.

We identified three areas where the Department could strengthen its management of grants to provide greater accountability for the use of public funds. First, the Department’s objectives for providing grants to non‑government schools are covered by legislation, intergovernmental agreements and grant guidelines. The Department could consolidate these objectives to allow for more consistent monitoring. Second, the Department relies on schools or System Authorities to engage a registered auditor to certify the accuracy of information on their enrolments and usage of grants. Greater scrutiny of the registration and independence of the auditors would increase confidence in the accuracy of this information. Third, the Department does not monitor how System Authorities reallocate grant funding to their member schools. Further oversight in this area would increase accountability for the use of public funds.

The Department effectively and efficiently allocates grants to non‑government schools. Strengthening its processes would provide greater assurance that the information it collects is accurate.

The Department provides clear guidelines to assist schools to provide the necessary census information to calculate per capita grants. Schools must get an independent external auditor, registered with ASIC, to certify their enrolment figures. The Department checks a sample of the auditors to ensure that they are registered with ASIC. Some other jurisdictions perform additional procedures to increase confidence in the accuracy of the census (for example, independently checking a sample of schools’ census data).

The Department accurately calculates and distributes per capita grants in accordance with its methodology. The previous methodology, used prior to 2018, was not updated frequently enough to reflect changes in schools' circumstances. Over 2014 to 2017, the Department provided additional grants to non‑government schools under the National Education Reform Agreement (NERA), to bring funding more closely in line with the Australian Department of Education and Training's Schooling Resource Standard (SRS). From 2018, the Department has changed the way it calculates per capita grants to more closely align with the Australian Department of Education and Training's approach.

The Department determines eligibility for grants by checking a school's registration status with NESA. However, NESA's approach to monitoring compliance with the registration requirements prioritises student learning and wellbeing requirements over the requirement for policies and procedures for proper governance. Given their importance to the appropriate use of government funding, NESA could increase its monitoring of policies and procedures for proper governance through its program of random inspections. Further, the Department and NESA should enter into a formal agreement to share information to more accurately determine the level of risk of non‑compliance at each school. This may help both agencies more effectively target their monitoring to higher‑risk schools.

By December 2018, the NSW Department of Education should:

2. Strengthen its processes to provide greater assurance that the enrolment and expenditure information it collects from non‑government schools is accurate. This should build on the work the Australian Government already does in this area.
3. Establish formal information‑sharing arrangements with the NSW Education Standards Authority to more effectively monitor schools' eligibility to receive funding.
    

By December 2018, the NSW Education Standards Authority should:

5. Extend its inspection practices to increase coverage of the registration requirement for policies and procedures for the proper governance of schools.
6. Establish formal information‑sharing arrangements with the NSW Department of Education to more effectively monitor schools' continued compliance with the registration requirements.

The Department’s current approach to managing grants to non‑government schools could be improved to provide greater confidence that funds are being spent in line with the objectives of the grant schemes.

The NSW Government provides funding to non‑government schools to improve student learning outcomes, and to support schooling choices by parents, but does not monitor whether these grants are achieving this. In addition, each grant program has specific objectives. The main objectives for the per capita grant program is to increase the rate of students completing Year 12 (or equivalent), and to improve education outcomes for students. While non‑government schools publicly report on some educational measures via the MySchool website, these measures do not address all the objectives. Strengthened monitoring and reporting of progress towards objectives, at a school level, would increase accountability for public funding. This may require the Department to formalise its access to student level information.

The Department has listed five broad categories of acceptable use for per capita grants, however, provides no further guidance on what expenditure would fit into these categories. Clarifying the appropriate use of grants would increase confidence that funding is being used as intended. Schools must engage an independent auditor, registered with ASIC, to certify that the funding has been spent. The Department could strengthen this approach by improving its processes to check the registration of the auditor, and to verify their independence.

The Department has limited oversight of funding provided to System Authorities (Systems). The Department provides grants to Systems for all their member schools. The Systems can distribute the grants to their schools according to their own methodology. Systems are not required to report to the Department how much of their grant was retained for administrative or centralised expenses. Increased oversight over how the Systems distribute this grant could provide increased transparency for the use of public funds by systems.

By December 2018, the NSW Department of Education should:

1. Establish and communicate funding conditions that require funded schools to:
   • adhere to conditions of funding, such as the acceptable use of grants, and accounting requirements to demonstrate compliance
   • report their progress towards the objectives of the scheme or wider Government initiatives
   • allow the Department to conduct investigations to verify enrolment and expenditure of funds
   • provide the Department with access to existing student level data to inform policy development and analysis.

4. Increase its oversight of System Authorities by requiring them to:
   • re‑allocate funds across their system on a needs basis, and report to the Department on this
   • provide a yearly submission with enough detail to demonstrate that each System school has spent their State funding in line with the Department's requirements.

All four agencies examined in the audit are taking steps to strengthen their risk culture. In these agencies, senior management communicates the importance of managing risk to their staff. They have risk management policies and funded central functions to oversee risk management. We also found many examples of risk management being integrated into daily activities.

That said, three of the four case study agencies could do more to understand their existing risk culture. As good practice, agencies should monitor their employees’ attitude to risk. Without a clear understanding of how employees identify and engage with risk, it is difficult to tell whether the 'tone' set by the executive and management is aligned with employee behaviours.

Our survey of risk culture found that three agencies could strengthen a culture of open communication, so that all employees feel comfortable speaking openly about risks. To support innovation, senior management could also do better at communicating to their staff the levels of risk they are willing to accept.

Some agencies are performing better than others in building their risk capabilities. Three case study agencies have reviewed the risk-related skills and knowledge of their workforce, but only one agency has addressed the gaps the review identified. In three agencies, staff also need more practical guidance on how to manage risks that are relevant to their day-to-day responsibilities.

NSW Treasury provides agencies with direction and guidance on risk management through policy and guidelines. Its principles-based approach to risk management is consistent with better practice. Nevertheless, there is scope for NSW Treasury to develop additional practical guidance and tools to support a better risk culture in the NSW public sector. NSW Treasury should encourage agency heads to form a view on the current risk culture in their agencies, identify desirable changes to that risk culture, and take steps to address those changes. 

In assessing an agency’s risk culture, we focused on four key areas:

Executive sponsorship (tone at the top)

In the four agencies we reviewed, senior management is communicating the importance of managing risk. They have endorsed risk management frameworks and funded central functions tasked with overseeing risk management within their agencies.

That said, we found that three case study agencies do not measure their existing risk culture. Without clear measures of how employees identify and engage with risk, it is difficult for agencies to tell whether employee's behaviours are aligned with the 'tone' set by the executive and management.

For example, in some agencies we examined we found a disconnect between risk tolerances espoused by senior management and how these concepts were understood by staff.

Employee perceptions of risk management

Our survey of staff indicated that while senior leaders have communicated the importance of managing risk, more could be done to strengthen a culture of open communication so that all employees feel comfortable speaking openly about risks. We found that senior management could better communicate to their staff the levels of risk they should be willing to accept.

Integration of risk management into daily activities and links to decision-making

We found examples of risk management being integrated into daily activities. On the other hand, we also identified areas where risk management deviated from good practice. For example, we found that corporate risk registers are not consistently used as a tool to support decision-making.

Support and guidance to help staff manage risks

Most case study agencies are monitoring risk-related skills and knowledge of their workforce, but only one agency has addressed the gaps it identified. While agencies are providing risk management training, surveyed staff in three case study agencies reported that risk management training is not adequate.

NSW Treasury provides agencies with direction and guidance on risk management through policy and guidelines. In line with better practice, NSW Treasury's principles-based policy acknowledges that individual agencies are in a better position to understand their own risks and design risk management frameworks that address those risks. Nevertheless, there is scope for NSW Treasury to refine its guidance material to support a better risk culture in the NSW public sector.

Recommendation

By May 2019, NSW Treasury should:

• Review the scope of its risk management guidance, and identify additional guidance, training or activities to improve risk culture across the NSW public sector. This should focus on encouraging agency heads to form a view on the current risk culture in their agencies, identify desirable changes to that risk culture, and take steps to address those changes.

There is no whole‑of‑government capability to detect and respond effectively to cyber security incidents. There is limited sharing of information on incidents amongst agencies, and some of the agencies we reviewed have poor detection and response practices and procedures. There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost.

Given current weaknesses, the NSW public sector’s ability to detect and respond to incidents needs to improve significantly and quickly. DFSI has started to address this by appointing a Government Chief Information Security Officer (GCISO) to improve cyber security capability across the public sector. Her role includes coordinating efforts to increase the NSW Government’s ability to respond to and recover from whole‑of‑government threats and attacks.

Some of our case study agencies had strong processes for detection and response to cyber security incidents but others had a low capability to detect and respond in a timely way.

Most agencies have access to an automated tool for analysing logs generated by their IT systems. However, coverage of these tools varies. Some agencies do not have an automated tool and only review logs periodically or on an ad hoc basis, meaning they are less likely to detect incidents.

Few agencies have contractual arrangements in place for IT service providers to report incidents to them. If a service provider elects to not report an incident, it will delay the agency’s response and may result in increased damage.

Most case study agencies had procedures for responding to incidents, although some lack guidance on who to notify and when. Some agencies do not have response procedures, limiting their ability to minimise the business damage that may flow from a cyber security incident. Few agencies could demonstrate that they have trained their staff on either incident detection or response procedures and could provide little information on the role requirements and responsibilities of their staff in doing so.

Most agencies’ incident procedures contain limited information on how to report an incident, who to report it to, when this should occur and what information should be provided. None of our case study agencies’ procedures mentioned reporting to DFSI, highlighting that even though reporting is mandatory for most agencies their procedures do not require it.

Case study agencies provided little evidence to indicate they are learning from incidents, meaning that opportunities to better manage future incidents may be lost.

Recommendations

The Department of Finance, Services and Innovation should:

• assist agencies by providing:
  • better practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures
  • training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees
  • role requirements and responsibilities for cyber security across government, relevant to size and complexity of each agency
  • a support model for agencies that have limited detection and response capabilities
     
• revise the Digital Information Security Policy and Information Security Event Reporting Protocol by
  • clarifying what security incidents must be reported to DFSI and when
  • extending mandatory reporting requirements to those NSW Government agencies not currently covered by the policy and protocol, including State owned corporations.

DFSI lacks a clear mandate or capability to provide effective detection and response support to agencies, and there is limited sharing of information on cyber security incidents.

DFSI does not currently have a clear mandate and the necessary resources and systems to detect, receive, share and respond to cyber security incidents across the NSW public sector. It does not have a clear mandate to assess whether agencies have an acceptable detection and response capability. It is aware of deficiencies in agencies and across whole‑of‑government, and has begun to conduct research into this capability.

Intelligence gathering across the public sector is also limited, meaning agencies may not respond to threats in a timely manner. DFSI has not allocated resources for gathering of threat intelligence and communicating it across government, although it has begun to build this capacity.

Incident reporting to DFSI is mandatory for most agencies, however, most of our case study agencies do not report incidents to DFSI, reducing the likelihood of containing an incident if it spreads to other agencies. When incidents have been reported, DFSI has not provided dedicated resources to assess them and coordinate the public sector’s response. There are currently no formal requirements for DFSI to respond to incidents and no guidance on what it is meant to do if an incident is reported. The lack of central coordination in incident response risks delays and increased damage to multiple agencies.

DFSI's reporting protocol is weak and does not clearly specify what agencies should report and when. This makes agencies less likely to report incidents. The lack of a standard format for incident reporting and a consistent method for assessing an incident, including the level of risk associated with it, also make it difficult for DFSI to determine an appropriate response.

There are limited avenues for sharing information amongst agencies after incidents have been resolved, meaning the public sector may be losing valuable opportunities to improve its protection and response.

Recommendations

The Department of Finance, Services and Innovation should:

• develop whole‑of‑government procedure, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including follow-up and communicating lessons learnt
• develop a means by which agencies can report incidents in a more effective manner, such as a secure online template, that allows for early warnings and standardised details of incidents and remedial advice
• enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector
• direct agencies to include standard clauses in contracts requiring IT service providers report all cyber security incidents within a reasonable timeframe
• provide assurance that agencies have appropriate reporting procedures and report to DFSI as required by the policy and protocol by:
  • extending the attestation requirement within the DISP to cover procedures and reporting
  • reviewing a sample of agencies' incident reporting procedures each year.