What the report is about

The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.

Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.

What we found

The design and implementation of TAHE, which spanned seven years, was not effective.

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

What we recommended

We recommended that the audited agencies should:

• improve accountability and transparency for major new fiscal transformation initiatives
• ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
• review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
• review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.

The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.

TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.

Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).

TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.

TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.

TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.

About this audit

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether: 

• the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
• agencies' roles and responsibilities were clear in the planning of TAHE
• agencies effectively identified and managed certain risks.

Appendix one – Responses from audited agencies, and Audit Office clarification of matters raised in the TAHE formal response 

Appendix two – Classification of government entities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #372 - released 24 January 2023

What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

• coordination at state, regional and local levels through emergency management committees
• emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
• operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

• The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
• NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
• Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
• The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
• The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

• government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
• agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

• up to ten fully vaccinated visitors to a home (increased from five)
• up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
• weddings and funerals limits increased to 100 people (from 50)
• the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

• South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
• Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
• Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
• a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

• the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
• issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
• the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
• issues arising from impediments to information sharing between agencies and jurisdictions, such as:
  • timeliness and accuracy of data used to direct compliance activities
  • the impact of insufficient advance notice on changes to Public Health Orders
  • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
  • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
• the lack of Aboriginal community representation on many LEMCs
• compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
• improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
• deficiencies in succession planning and fatigue management practices
• the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

• governance
• engagement 
• innovation and technology 
• community impact 
• workforce impact
• system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #371 - released 20 December 2022

What the report is about

The Australian Government led and implemented the Australian COVID-19 vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

This audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine roll out in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over.

What we found

On 16 October 2021, NSW Health, in partnership with the Australian Government's vaccination program, achieved its first objective to fully vaccinate 80% of people in NSW aged 16 and over. Demand for the vaccine reduced in December 2021, and NSW Health did not reach its target of 95% fully vaccinated for people aged 16 and over until June 2022.

Despite challenges such as uncertain supply and changes to clinical advice affecting vaccine eligibility, NSW Health's overall delivery of vaccination services was effective and efficient.

During the audit period, NSW Health implemented effective strategies to allocate vaccines and reduce wastage to optimise the number of vaccines available.

NSW Health implemented its own booking system after it identified that the Australian Government's system would not manage bookings. There were problems with NSW Health's interim vaccine booking system, and NSW Health fully resolved these issues by September 2021.

As at 19 October 2022, vaccination rates for Aboriginal peoples and culturally and linguistically diverse people remained below the 95% target.

What we recommended

By June 2023, NSW Health should conduct a comprehensive review of the COVID-19 vaccine rollout and incorporate lessons learned into pandemic response plans.

The first three cases of COVID-19 in New South Wales were diagnosed in January 2020. By 30 June 2021, 128 people were being treated in hospital and one person was in intensive care. By the end of December 2021, 187,504 total cases and 663 deaths were reported in New South Wales. As at 27 October 2022, NSW Health reported more than three million total cases and 5,430 deaths.

The COVID-19 pandemic continues to have a significant impact on the people and the health sector of New South Wales. The Australian, state, territory, and local governments have directed significant resources towards health responses and economic recovery.

On 13 November 2020, National Cabinet (comprised of the Australian, state, and territory governments) endorsed the Australian COVID-19 Vaccination Policy. Australia's vaccination program was launched on 21 February 2021 with the goal of providing safe and effective vaccines to the people who most needed them as quickly as possible, to support the physical, mental and economic wellbeing of the nation.

The Australian Government led and implemented the Australian vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

The overall objective of this audit was to assess the effectiveness and efficiency of NSW Health’s contribution to the Australian COVID-19 vaccine rollout. It is important to note that in New South Wales, primary care providers (GPs and pharmacies) and aged care providers administered the majority of vaccines. Primary care providers and aged care providers are the responsibility of the Australian Government.

The audit had a particular focus on whether NSW Health:

• set clear vaccination targets underpinned and/or guided by evidence
• managed the rollout of the vaccination program effectively and efficiently
• managed demand of vaccines effectively and efficiently.

The audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine rollout in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over. We did not audit the subsequent rollout for ages five to 15, or the booster rollout (third and fourth doses) as these activities mostly occurred outside the date of our review.

This audit also did not assess the Australian Government’s allocation of vaccine supplies to New South Wales because we do not audit the Australian Government's activities. On 17 August 2022, the Australian National Audit Office completed a performance audit which assessed the Australian Department of Health and Aged Care's effectiveness in the planning and implementation of Australia's COVID-19 vaccine rollout.

This audit is one of a series of audits that have been completed or are in progress regarding the New South Wales COVID-19 emergency response. This includes the planned performance audit ‘Coordination of the response to COVID-19 (June to November 2021)’, and financial audit assurance activities focusing on Local Health District processes and controls to manage the receipt, distribution and inventory management of vaccine stock. The Audit Office New South Wales '2022–25 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

Appendix one – Response from agency

Appendix two – Australian audits on the vaccine rollouts

Appendix three – Committee members 

Appendix four – About the audit 

Appendix five – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #369 - released 7 December 2022

What the report is about

This audit assessed whether the NSW Police Force has effective systems, processes, resources, and capability to respond to domestic and family violence events in New South Wales.

What we found

The NSW Police Force has almost doubled its domestic violence specialist workforce in the past five years and is conducting higher levels of risk monitoring to check that frontline police comply with domestic and family violence policing procedures.

However, a lack of workload monitoring at a whole of agency level is limiting the ability of the NSW Police Force to assess whether specialist and frontline police are sufficient to manage domestic and family violence demands across all 57 local commands.

Rates of compliance checking of domestic violence events vary across local commands, and there is a lack of system level policy or oversight to guide this activity.

While the NSW Police Force has structured training for probationary constables on domestic and family violence policing practices, it does not monitor training or skill levels of the broader workforce to understand levels of expertise in domestic violence policing.

The NSW Police Force does not have regular or consistent methods for seeking feedback and it has a limited understanding of its service quality from the perspective of victim survivors of domestic and family violence.

Performance reporting on domestic and family violence is limited, with most measures focused on activity counts rather than service quality or outcomes.

What we recommended

Improve workforce and workload data collections, analysis and reporting on domestic and family violence workload volumes and allocations of specialist and frontline police to meet demands.

Structure and resource the domestic and family violence strategic policy function to a level commensurate with workload volumes and risks associated with domestic violence policing.

Review debriefing protocols, procedures, and resources for police after domestic and family violence incidents.

Improve databases and information systems for recording domestic violence events so that related events and individuals are automatically connected.

Design a procedure to collect, collate, and analyse service user and stakeholder feedback about police responses to domestic and family violence.

Review existing activity measures and targets for domestic and family violence and expand to include performance measures, service quality measures and outcomes reporting.

Review the process for investigating allegations of domestic and family violence against current and former serving police personnel and implement procedures to ensure processes are independent of interested parties and mitigate conflicts of interest.

The NSW Police Force describes domestic and family violence as a significantly under-reported and complex crime that is mainly perpetrated by men in intimate partner relationships. It is a crime that can include one or more of the following behaviours: emotional and psychological abuse, intimidation, harassment, stalking, physical and sexual assault.

The NSW Police Force responds to over 140,000 domestic and family violence calls for assistance every year. This equates to one call every four minutes. According to NSW Bureau of Crime Statistics and Research statistics, the number and volume of domestic and family violence crime types have increased from October 2016 to September 2021.

The NSW Police Force's responses to domestic and family violence are prescribed in legislation and its own procedural guidance. Principally, the NSW Police Force is required to:

• investigate incidents of domestic and family violence
• take out Apprehended Domestic Violence Orders on behalf of victims and children
• provide safety and support to victims, including taking offenders away from victims
• place alleged perpetrators before the courts
• investigate breaches of Apprehended Domestic Violence Orders and target repeat offenders
• work with local service providers to reduce incidents of domestic and family violence.

Domestic and family violence incident dispatches are attended by general duties police – also described in this report as frontline police.

The objective of this audit was to assess the effectiveness of the NSW Police Force in responding to domestic and family violence. To do this, we assessed whether the NSW Police Force:

• conducts capability planning to ensure its workforce can effectively respond to domestic and family violence incidents and support victim-survivors
• resources its workforce with the required systems, skills, knowledge, and administrative support to monitor, record and respond to domestic and family violence events
• assesses the effectiveness of police responses to domestic and family violence events and the effectiveness of support for victim-survivors.

Where to get help

If you or someone you know is experiencing violence or abuse, you can contact 1800 RESPECT (1800respect.org.au or 1800 737 732).

Appendix one – Response from agency 

Appendix two – Workload and workforce numbers in 2020–21 supporting Exhibits 4, 6 and 7 

Appendix three – Key NSW Police Force initiatives, July 2016–present 

Appendix four – About the audit 

Appendix five – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #363 - released 4 April 2022.

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

The movement of freight contributes $66 billion annually to the NSW economy. Two thirds of all freight in NSW moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036.

This audit assessed the effectiveness of transport agencies in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

What we found

Transport agencies do not have strategies or targets in place to improve the efficiency or capacity of the metropolitan shared rail network for freight.

The transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes and they do not know how to use the shared rail network to maximise freight capacity without compromising passenger rail services.

The Freight and Ports Plan 2018-2023 contains one target for rail freight - to increase the use of rail at Port Botany to 28 per cent by 2021. However, Transport for NSW (TfNSW)'s data indicates this target will not be met.

Sydney Trains records data on train movements and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable and third-party contracts.

However, a lack of clarity around what data is gathered and who has ownership of the data makes data sharing difficult and limits its analysis and reporting.

The Freight and Ports Plan 2018-2023 includes the goal of 'Reducing avoidable rail freight delays', but the transport agencies do not have any definition for an avoidable delay and, as a result, do not measure or report them.

TfNSW and Sydney Trains are appointed to manage and deliver the Transport Asset Holding Entity of New South Wales (TAHE)'s obligations to allow rail freight operators to use the shared rail network. There are no performance measures in rail freight operator contracts or inter-agency agreements. This limits transport agencies' ability to improve performance.

TfNSW’s Freight Branch is working on four freight-specific strategies; a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy.

TfNSW has not yet determined the timeframes or intended outcomes of these strategies.

What we recommended

Transport agencies should:

• commit, as part of the review of Future Transport 2056, to delivering the freight-specific strategies currently in development and develop whole-of-cluster accountability for this work including timeframes, specific targets and clear roles and responsibilities 
• improve the collection and sharing of freight data
• develop a plan to reduce avoidable freight delays
• systematically collect data on the management of all delays involving and/or impacting rail-freight
• develop and implement key performance indicators for the agreements between the transport agencies.

The movement of freight contributes $66.0 billion annually to the New South Wales economy — or 13 per cent of the Gross State Product. Two thirds of all freight in New South Wales moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036. This increasing demand is driven by increasing population and economic growth.

The sequence of activities required to move goods from their point of origin to the eventual consumer (the supply chain) is what matters most to shippers and consumers. Road can provide a single-mode door-to-door service, whereas conveying goods by rail typically involves moving freight onto road at some point. In Greater Sydney, 80 per cent of all freight is moved on road. Freight often passes through intermodal terminals (IMTs) as it transitions from one mode of transport to the next.

In 2016, Transport for NSW (TfNSW) released Future Transport 2056 - the NSW Government's 40-year vision for transport in New South Wales, which is intended to guide investment over the longer term. In Future Transport 2056, TfNSW noted that New South Wales will struggle to meet increasing demand for freight movements unless rail plays a larger role in the movement of freight.

Sydney Trains manages the metropolitan shared rail network, which is made up of rail lines that are used by both passenger and freight trains. The Transport Administration Act 1988 requires that, for the purposes of network control and timetabling, NSW Government transport agencies give ‘reasonable priority’ to passenger trains on shared lines. As the Greater Sydney population and rail patronage continue to grow, so too will competition for access to the shared rail network. See Appendix two for details of the area encompassed by Greater Sydney.

Freight operators can also use dedicated rail freight lines operated by the Australian Rail Track Corporation (ARTC - an Australian Government statutory-owned corporation). As the metropolitan shared rail network connects with dedicated freight lines, freight operators often use both to complete a journey.

TfNSW, Sydney Trains and the Transport Asset Holding Entity (TAHE) work in conjunction with other rail infrastructure owners and private sector entities, including port operators, privately operated IMTs and freight-shipping companies. TfNSW and Sydney Trains are responsible for managing the movement of freight across the metropolitan shared rail network. TAHE is the owner of the rail infrastructure that makes up the metropolitan shared rail network. The NSW Government established TAHE, a NSW Government state-owned corporation, on 1 July 2020 to replace the former rail infrastructure owner - RailCorp. The Auditor-General for New South Wales has commenced a performance audit on TAHE which is expected to table in 2022.

On 1 July 2021, TAHE entered into new agreements with TfNSW and Sydney Trains to operate, manage and maintain the metropolitan shared rail network. Until 30 June 2021, and in accordance with TAHE's Implementation Deed, TAHE operated under the terms of RailCorp's existing arrangements and agreements.

This audit assessed the effectiveness of TfNSW, Sydney Trains and TAHE in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

The audit focused on:

• the monitoring of access to shared rail lines
• the management of avoidable delays of rail freight movements
• steps to increase the use of rail freight capacity in Greater Sydney.

Appendix one - Response from agencies

Appendix two - The Greater Sydney region

Appendix three - TfNSW strategic projects 

Appendix four - Sydney Trains path priority principles 

Appendix five - Sydney Trains delay management

Appendix six - About the audit 

Appendix seven - Performance auditing
 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #357 - released (19 October 2021).

What the report is about

This audit assessed whether adults in custody have effective access to health services. The audit examined the activities of Justice Health and Corrective Services NSW.

What we found

The majority of custodial patients receive timely health care, but a small proportion of patients are not receiving care within target timeframes.

Eleven per cent of scheduled health appointments are not attended, and agencies can do more to understand the reasons for non-attendance.

Demand for mental health care exceeds service capacity and some patients are held in environments not appropriate for their needs.

Justice Health's information systems do not support the effective transfer of medical records as patients move around the prison network.

Not all patients are released from custody with a discharge plan.

Justice Health's system managers do not receive sufficiently detailed reports to understand strategic risks or opportunities to improve access to health services.

Public and private prison health operators do not report against consistent performance measures.

Justice Health is mandated to assess health services in private prisons. This conflicts with its role as a contracted provider of health services in the private prison system.

What we recommended

Enhanced reporting on patient access to health services, to identify risks and challenges across key service areas.

Identification and implementation of the improvements required for information to be shared across the custodial network and with external health providers.

Development of a framework to govern and monitor costs for patient health escorts and movements.

Development of a framework to govern responsibilities for mental health services.

Progression of infrastructure plans that address the lack of specialist accommodation for mental health patients and aged and frail patients.

Collaboration to align the performance measures to enable benchmarking between public and private prison health services.

Action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Access to health services in custody

This audit examined whether adults in the New South Wales public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that patients have timely access to health services, systems and practices support continuity of care, and access to health services is monitored and reviewed.

As part of this audit, we assessed actions undertaken by Justice Health and Corrective Services NSW in managing the first COVID-19 outbreak in 2020. However, due to the timing of this audit report, this audit does not report on the agencies’ response to managing the current outbreak of COVID-19 in September 2021.

Health services in New South Wales prisons are delivered by both public and private operators. The public prison system is made up of 33 correctional centres and the Long Bay Hospital. All health services in the public prison system are delivered by the Justice Health and Forensic Mental Health Network (Justice Health).

In the public prison system, Justice Health is responsible for the clinical care of patients with physical and mental illnesses. Clinicians provide health assessments, treatments, medication management, and some counselling services in prison health clinics. Patients are triaged by primary health nurses and if they require treatments or medication, they are referred to prison‑based doctors including specialists or other clinicians. Patients requiring complex or emergency care are transferred to hospitals or other specialty services outside the prison complex.

Private operators deliver health services in three private prisons through contract arrangements with Corrective Services NSW. Justice Health delivers health care at one correctional centre via a contract arrangement with Corrective Services NSW. In total, contracted health service operators deliver health care to approximately 25 per cent of the New South Wales prison population.

Justice Health is required by law to monitor the performance of contracted health service providers in New South Wales prisons, including services provided at the John Morony Correctional Centre. The Auditor‑General’s mandate does not permit a direct examination of information held by private sector entities, however this audit does assess the effectiveness of Justice Health's role in monitoring health services in private prisons.

Corrective Services NSW is responsible for security in public prisons, including the facilitation of patient access to health care at prison health clinics and the transfer of patients to hospitals and other health services outside of the prison environment. Corrective Services NSW also delivers behaviour‑based psychology services. Some are delivered as behaviour modification courses that aim to reduce criminal and offending activity amongst the prison population. These programs may be linked to parole or other custodial conditions. Other psychology services include counselling for people with self‑harming or suicidal behaviours.

Research from the Australian Institute of Health and Welfare indicates that people in custody are more likely than the general population to be affected by chronic and acute illnesses, including higher rates of mental illness and communicable diseases¹. In March 2021, there were 13,063 adults in custody in New South Wales.

The objective of this performance audit was to assess whether adults in the public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that:

• patients have timely access to health services
• systems and practices support the continuity of health care
• access to health services is monitored, reviewed, and reported across the network. 

1. Key findings

The majority of custodial patients receive timely health care, but a small proportion of patients with priority appointments are not receiving care within target timeframes

Approximately half of all health care provided by Justice Health is immediate. It is delivered to 'walk‑in' patients as soon as they present at prison health clinics. Most of these patients are receiving daily medications, while a small proportion require urgent or immediate care for injuries or illnesses. The other half of prison health care is delivered via scheduled appointments. Patients waiting for health appointments are given a priority rating according to the time within which they should be seen by a clinician.

Patients requiring the most time‑critical care are given a Priority 1 rating. These patients should receive treatment within one to three days. In December 2020, the average wait time for Priority 1 treatment was five and a half days, almost double the target. This is an improvement on wait times in June 2019, when the average wait time was just over 13 days. Justice Health does not assess or measure the impacts of delayed care on these patients.

According to Justice Health, the high numbers of ‘walk‑ins’ contribute to increased wait times for medical appointments. In addition, some specialty health clinics operate weekly, which means that patients cannot be seen by specialists within a one to three‑day timeline. Security events such as prison lockdowns can also contribute to increased wait times, as they limit the access that patients have to prison health clinics during out‑of‑cell hours.

If patients need emergency medical treatment, they are transferred to hospitals in line with Justice Health's policy. In 2020, just over 1,000 patients were transferred to hospital for emergency medical care.

A significant proportion of prison health appointments are not attended, and not enough is being done to understand the reasons, or to improve attendance rates

In 2020, 11 per cent of all scheduled health appointments in prison clinics were not attended. This amounts to approximately 60,000 appointments over the year. Non‑attended appointments have flow‑on impacts on wait times and backlogs for scheduled health appointments. Understanding why they occur is necessary to improve efficiencies in scheduling and patient access to health services.

In 2020, the most common reason for non‑attended health appointments was: 'patient unable to attend'. Justice Health clinicians use this when patients do not arrive at the prison health clinic at the scheduled time, and clinicians lack any other information to explain the non‑attendance.

The second most common recorded reason for non‑attended appointments was: 'cancelled by Corrective Services NSW'. These cancellations are due to operational or security reasons, including prison lockdowns. Data from Justice Health indicates that in 2020, there were an average of 12 lockdowns per week across New South Wales prisons.

A range of factors can impact on patient attendance at appointments, some of which are unavoidable. That said, more can be done to understand and reduce non‑attendance. For example, there is potential for Corrective Services NSW to implement tighter protocols to update information about patient availability on the daily movement lists. This might include checking whether patients are willing to attend appointments. Similarly, there is potential for Justice Health clinicians to implement tighter protocols to check patient lists ahead of scheduled appointments, and to re‑schedule appointments where patients are unavailable.

Demand for mental health care exceeds service capacity and some patients are held in environments that are not appropriate for their needs

There is a high demand for mental health services in New South Wales prisons. In March 2021, at least 143 mental health patients were waiting for access to an acute or sub‑acute mental health unit across the New South Wales prison system. The average wait time for a mental health facility was 43 days. Seventeen patients had wait times of over 100 days. Patients waiting for sub‑acute mental health services had longer wait times than those waiting for acute mental health services.

There are limited mental health beds for women across the New South Wales prison network. There are ten allocated beds for women at the Mental Health Screening Unit at Silverwater Correctional Complex, and no allocated beds for women at Long Bay Hospital.

A lack of bed availability in the Forensic Hospital means that, as of February 2021, 63 forensic patients were being held in mental health facilities in mainstream prisons, when they should have been accommodated in the Forensic Hospital. Some of these forensic patients have been held in mainstream prison facilities for decades.

Cross‑agency co‑operation and planning is required to identify and build infrastructure that will reduce wait times for mental health beds. Over several years, Justice Health has developed, reviewed, and worked to progress a strategic plan for NSW Forensic Mental Health that includes enhanced mental health bed capacity across the NSW system. The latest version of this strategic plan remains in draft and has yet to be approved by the NSW Ministry of Health.

In 2016, Corrective Services NSW commenced a Prison Bed Capacity Program. It was focussed on enhancing capacity across the prison system and did not include specialist health beds. More recently, Corrective Services NSW has been developing a business case to improve the provision of specialist health care facilities across the network, including mental health facilities.

Justice Health's clinical information systems do not support the effective transfer of health appointments or medication records as patients are moved to new prison locations

Justice Health's clinical information systems are multiple and complex. There are five health information systems that include a mix of electronic and paper‑based records. Information management systems contain clinical records, appointment information, medication records, dental records, and specialist health information. Corrective Services NSW maintain separate information systems relating to prison records and psychology treatment information.

The transfer of people across different correctional centres is a frequent occurrence. In 2020, there were over 41,000 movements between correctional centres. People are transferred for a range of reasons including for security purposes, or to be located closer to hospitals or specialist health services.

Justice Health receives a list of patient transfers one day prior to transfer. Nurses are required to prepare medications and clinical handovers for patients with complex health conditions. These handovers are verbal, however short timeframes mean that handover is not always possible.

While each patient's electronic health records are available across the network, transfer of appointment waitlists must be done manually. There is no automatic alert within the information systems to tell staff that a patient has been moved to another prison. There is a risk that if appointment records are not manually updated, or if staff at destination clinics are not contacted, then appointments will be overlooked.

Justice Health is working with eHealth NSW to develop an improved Electronic Medication Management (EMM) program with expected delivery in late 2021. The EMM has potential to improve the transfer of patient medication records, but it will not fully remediate all inefficiencies of the current systems.

Corrective Services NSW and Justice Health do not engage in sufficient joint planning to improve efficiencies in transports or escorts to health services

Corrective Services NSW and Justice Health do not engage in joint system‑level planning to mitigate the risks and the costs associated with transferring patients to health clinics in prisons, or non‑prison‑based health care. There are no protocols, and limited sharing of information to improve efficiencies in planning and coordinating patient transfers.

Corrective Services NSW does not collate or report on the costs of transporting patients to hospitals and specialist care. While there is data on the overall cost of medical escorts, estimated to be $19.9 million in 2020, Corrective Services NSW is not able to disaggregate this data to determine the reasons for transfers or the system‑level costs. For example, Corrective Services NSW does not know how many prison lockdowns occur when hospital transfers are required.

Medical escorts to specialist health services and hospitals increase the costs to the prison system and contribute to risks in prison management. Medical escorts contributed to 16 per cent of metropolitan prison lockdowns at the peak in 2018, though escort numbers have since been declining. Some Local Health Districts report significant concerns around safety incidents and assaults on staff during medical escorts to hospital.

Corrective Services NSW does not know if transport costs have increased since the 2016 Prison Bed Capacity Program which expanded prison beds in regional New South Wales. To date, there has been no assessment of the cost of taking patients to tertiary hospitals or specialist services. Corrective Services NSW has identified this as an area for improvement.

Justice Health's system managers do not receive sufficiently detailed reports on wait times for health care, to understand strategic risks or opportunities for system improvement

Justice Health's senior executives receive monthly reports on patient wait times for services in prison health clinics. These reports contain headline data about the numbers of days that patients wait for scheduled health appointments by their allocated priority level. Wait time data are averaged across all New South Wales prison health clinics. With some exceptions, almost all executive level reports describe system‑wide appointment wait times without offering further specific detail. For example, there is limited information which would allow managers to understand the performance of specialty health groups, or to make any comparative analysis of the performance of different prison facilities.

Executive reports are also not detailed enough to indicate whether prisons with particular security classifications offer greater or lesser access to health services. It is not possible to assess whether patients in metropolitan or regional prisons have different levels of health service access. This prevents managers from identifying strategic risks across the prison network, targeting resources to the areas of greatest risk, and making strategic improvements in system performance.

Trend data on wait times for the different health specialty areas is also required to enable senior managers to compare wait times across prison facilities, security classifications, and localities.

In response to the preliminary findings of this audit, Justice Health has made some improvements to its executive‑level wait time reports. This includes additional detail on health appointment wait times by prison facilities and wait times by health specialty areas.

It is not possible to compare or benchmark the performance of public and private prison health operators or to compare prison health against community health standards

It is not possible to compare or benchmark the performance of the public and private prison health operators in New South Wales using the current Key Performance Indicator (KPI) data. KPI data do not correlate across the public and private systems.

Justice Health reports to the Ministry of Health on 44 prison health KPIs. The 44 KPIs for the public prison system do not align with the seven KPIs the private health operators report against in their contracts with Corrective Services NSW. This means that public and private operators focus on different service areas. For example, private operators have a performance measure for ensuring that custodial patients are provided with release plans. Justice Health does not have a similar measure.

The KPI specifications for the private prison health system were developed by Corrective Services NSW with input from the Ministry of Health. The KPI specifications for the public prison health system were developed by the Ministry of Health in collaboration with Justice Health. There is no rationale for the difference in performance indicators across the public and private systems.

Private providers currently deliver prison services to 25 per cent of the prison population of New South Wales. This proportion has been increasing since 2016. Public and private health operators deliver comparable health services so there is scope to compare performance across the systems.

Justice Health aligns its standard for prison health services with a 'community’ standard of health care access. However, with existing health monitoring measures, it is not possible to assess how well Justice Health is tracking against community health standards with available data from most health specialties.

There is an inherent conflict of interest in Justice Health's monitoring role of health services in private prisons, as Justice Health is also a provider of health services in a private prison

There is a legislated requirement for Justice Health to monitor the performance of private health operators in New South Wales prisons. This monitoring role is described in the Crimes (Administration of Sentences) Act 1999.

Justice Health's monitoring role includes the collection and analysis of health performance data from private health operators, and periodic site visits to assess health service performance. Justice Health reports the findings of monitoring activities to Corrective Services NSW, the contract manager for private prisons.

Justice Health's monitoring role commenced in the late 1990s. In recent years, this role has expanded as the NSW Government has increased the number of privately managed prisons across the state. Justice Health now monitors health services in four private prisons, accounting for approximately one quarter of all custodial patients in the New South Wales prison system.

In 2018, Justice Health was awarded a contract to provide health services at the John Morony Correctional Centre. Justice Health also monitors the health services this Correctional Centre. The timing of the 1999 legislation did not anticipate that Justice Health would be a provider of the services it is required to monitor.

Justice Health has taken steps to maintain independence and transparency in its monitoring role by establishing a number of arms‑length governance arrangements. Justice Health set up a Commissioning Unit that operates independently from its service delivery operations. Justice Health also established an alternative reporting chain via a Board subcommittee to oversee the performance of health providers in private prisons.

Despite all actions to establish independence, the monitoring role confers dual responsibilities on the Chief Executive of Justice Health as both an operational manager of health services in a private prison and as a manager responsible for monitoring these same services. As a result, the Chief Executive of Justice Health has access to information about the overall performance of the private prison health system in New South Wales.

As a competitor for the provision of health services in privately operated prisons, Justice Health has access to information to which other private health providers do not. This potentially gives Justice Health a competitive advantage over other private health operators.

2. Recommendations

By December 2022, Justice Health should:

1. enhance reporting on patient access to health services to ensure that system managers can identify risks, challenges, and system improvements across key areas of its service profile

2. in collaboration with the NSW Ministry of Health, identify and implement the required improvements to its health information management systems that will enable effective transfers of patient clinical records and appointment information across the custodial network and with external health providers.

By December 2022, Justice Health and Corrective Services NSW should:

3. develop a joint framework to govern and monitor the costs of their common and connected responsibilities for patient health movements across the prison network and to external health services

4. develop a joint framework to govern their common and connected responsibilities for mental health services.

By December 2022, Justice Health and Corrective Services NSW, in collaboration with the NSW Ministry of Health, should:

5. progress infrastructure plans and projects that address the lack of specialist accommodation for mental health patients and aged and frail patients

6. standardise and align the key performance indicators that monitor the performance of health operators in public and private prisons so that system‑wide benchmarking is possible.

By December 2022, the NSW Ministry of Health should:

7. take action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #356 - released (23 September 2021).

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

What the report is about

The report examined whether Transport for NSW (TfNSW) and Infrastructure NSW (INSW) effectively assessed and justified major scope changes to the WestConnex project since 2014.

What we found

NSW Government decisions to fund WestConnex-related projects outside WestConnex's $16.812 billion budget have reduced transparency and understate the full cost of WestConnex.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency over the cost of the road component of Sydney Gateway. $1.76 billion of the cost to complete Sydney Gateway is funded outside the WestConnex budget.

Network integration costs, currently estimated at $2.3 billion, are also funded outside the WestConnex budget. Many of these costs are directly attributable to WestConnex and ought to be included in the reported budget.

The Parramatta Road Urban Amenity Improvement Program, costing $198 million, should also be included as part of the WestConnex reported budget.

Decisions to exclude or remove these elements from WestConnex without justification have seen $4.26 billion of projects funded outside the $16.8 billion budget.

Positively, robust analysis was used to develop and incorporate design improvements into the 2015 WestConnex Updated Strategic Business Case.

The separate components of WestConnex underwent all required assurance reviews. However, the NSW Government's assurance framework does not require ongoing ‘whole-of-program’ assurance for large and complex projects like WestConnex. The absence of a holistic review of WestConnex allows for some costs and benefits to avoid scrutiny.

What we recommended

TfNSW should:

• review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects
• ensure that estimated costs and benefits of works which are reasonably required to meet consent conditions are included in business cases for complex large infrastructure projects
• establish centralised and project specific record keeping for major infrastructure projects.

Infrastructure NSW should provide transparent whole of program assurance on total costs and benefits when complex projects are split into sub-projects.

Government should consider enhancing public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole-of-program level.

WestConnex

WestConnex is a 33 km motorway network that will link the western and south‑western suburbs with the Sydney CBD and the Airport and Port Botany precinct. It will also connect with proposed future motorway links to the north shore, northern beaches, and southern Sydney. The project is being delivered in three stages, with completion scheduled for 2023.

When first conceived by Infrastructure NSW (INSW) in 2012, WestConnex was described as a single integrated concept. In August 2013, government approved a business case for an integrated concept of WestConnex, with an estimated cost of $14.881 billion (in nominal outturn costs). Transport for NSW (TfNSW) is the government agency (sponsor agency) accountable for the delivery of WestConnex in accordance with the business case. In August 2014, the NSW Government established the Sydney Motorway Corporation to fund, deliver and operate WestConnex.

In November 2015, the NSW Government publicly released an updated WestConnex business case with greater detail and design enhancements, which increased the estimated cost to $16.812 billion.

Subsequent to this update, further changes were made to the design, including realignment of the M4 to M5 Link connection to the Western Harbour Tunnel project, an expanded interchange at Rozelle, the deletion of the Camperdown Intersection, and the addition of the Iron Cove Link. The reported budget for WestConnex was not changed as a result of these design updates.

To fund WestConnex, Sydney Motorway Corporation consolidated a concessional loan of $2 billion from the Australian Government, private sector debt and equity funding from the State. The Australian Government also provided a $1.5 billion contribution to the State to partially fund construction of WestConnex.

In August 2018, the NSW Government sold 51 per cent of its stake in Sydney Motorway Corporation for $9.26 billion. At the time of writing, the NSW Government is in the process of selling its remaining 49 per cent stake of Sydney Motorway Corporation.

About this audit

In the course of delivering a complex major infrastructure project, it is reasonable to expect changes to the original design and scope. Changes may occur as the design moves from a high‑level concept to a detailed design for project delivery, as new risks or issues are identified, as demands change, or as other interdependent projects are approved. Changes can also occur in response to potential cost or delivery overruns which arise as a result of planning deficiencies. Where design and scope changes significantly change the project costs and/or expected benefits, the justification for these changes should be robust and transparent.

Following our 2014 performance audit, 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF) to improve accountability and transparency over major projects that are developed, procured, or delivered by government agencies. Under the framework, TfNSW, as project sponsor, is responsible for ensuring the WestConnex project meets all IIAF requirements. These include ensuring the project remains strategically aligned and viable, and benefits are on track. INSW is responsible for coordinating the assurance review process and reporting directly to NSW Cabinet on project delivery against time, budget and risks to project delivery.

The objective of this performance audit is to assess whether TfNSW and INSW effectively assessed and justified major scope changes to the WestConnex project since 2014.

1. Key findings

Government decisions to fund WestConnex related projects outside of WestConnex's $16.812 billion reported budget have reduced transparency over costs and understate the full cost of WestConnex

In 2015, the work required to integrate WestConnex with existing roads ('network integration') was funded as a separate project with an estimated cost of $1.534 billion outside the 2015 WestConnex budget of $16.812 billion. TfNSW then created the Network Integration Program to respond to the conditions of planning approval for WestConnex. The current estimated cost to deliver all network integration works is $2.3 billion.

Since the 2015 WestConnex Business Case, the NSW Government has removed several elements from the scope of WestConnex and funded them as separate projects, while keeping the published WestConnex budget at an estimated $16.812 billion. Projects removed include:

• Sydney Gateway, currently costed at $2.56 billion (with an $800 million contribution from WestConnex)
• Parramatta Road Urban Amenity Improvement Program, costed at $198 million in late 2018 and funded though new funding to the Greater Sydney Commission.

Together, these projects represent costs of $4.26 billion that are not included in the WestConnex budget, but are required for WestConnex to achieve the objectives of the 2013 and 2015 WestConnex Business Cases. The costs of these elements in supporting the objectives of WestConnex is not tracked centrally, and there is no single point of oversight over them. Exhibit 1 compares total WestConnex forecast costs (including related projects) between November 2015 and April 2021.

Many network integration costs are directly attributable to WestConnex and ought to be included in the reported budget for WestConnex

Prior to 2015, the scope of WestConnex included enabling works needed before or during construction, as well as funding for future works to address any adverse traffic outcomes created by WestConnex which become apparent after its opening. These works are also known as network integration works.

When government approved the 2015 WestConnex Business Case, it noted that the project would require $1.534 billion for network integration works to address the impacts of WestConnex on the road network. However, the WestConnex project budget of $16.812 billion did not include funding for network integration works. Instead, Roads and Maritime Services (RMS, now TfNSW) was to fund network integration through its normal budget allocation.

It is important to recognise these costs as part of the total WestConnex project cost because:

• TfNSW created the Network Integration Program to respond to network traffic and transport elements of the planning conditions of approval for WestConnex granted by the then NSW Department of Planning and Environment under the Environment, Planning and Assessment Act 1979.
• NSW Treasury guidelines for business cases note that accurate cost estimates include assessment of the financial impact of meeting the conditions of planning approval.
• Travel time and vehicle operating cost benefits attributed to the WestConnex project in the 2015 WestConnex Business Case assume that some network integration works, then costed at $373 million, were in place.

Refer to Appendix two for more detail on network integration works.

Some of the projects in the WestConnex Network Integration Program provide community and place benefits, such as parklands and cycleways. These benefits have not been attributed to WestConnex. Additionally, some network integration works are likely to deliver additional traffic related benefits to WestConnex. As the Network Integration Program’s primary purpose is to meet the conditions of planning approval for WestConnex, TfNSW should attribute all the costs and benefits of the program to WestConnex.

To September 2021, the total funded cost of the Network Integration Program is approximately $2.077 billion. TfNSW estimates that it will need a further $222 million to complete all expected network integration works.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency and accountability for TfNSW's underestimation of the cost of the road component of Sydney Gateway

Sydney Gateway is a high‑capacity connection between the new St Peters Interchange and the Sydney Airport and Port Botany precinct. It includes a road and rail components. The road component was included in the scope of WestConnex in the 2015 WestConnex Business Case. The November 2015 design, which TfNSW costed at $800 million, involved separate roadways from the St Peters Interchange to the International terminal, and to the domestic terminals and Mascot airport precinct.

By October 2016, TfNSW was aware that the $800 million budget for Sydney Gateway was insufficient and revised the forecast cost for the road component to $1.8 billion. The original cost estimate did not sufficiently consider the cost of:

• constructing a complex design adjacent to the airport precinct
• obtaining access to land required for the project
• managing environmental contamination.

On 9 August 2017, the then Minister for WestConnex announced that the Sydney Gateway project was not part of WestConnex.

The 2015 WestConnex Business Case notes that material changes to the WestConnex budget, funding, scope, or timeframe are subject to Cabinet approval processes. It states that, when seeking approval for material changes, the portfolio Minister will make a submission to the relevant Cabinet Committee. Changes in project scope required the approval of the then Cabinet Committee on Infrastructure and should have been endorsed by the WestConnex Interdepartmental Steering Committee.

TfNSW and the NSW Department of Premier and Cabinet (DPC) assert that there is no documentation to support the government’s decision to separate Sydney Gateway from the WestConnex Program, or the WestConnex Interdepartmental Steering Committee's endorsement of a submission to Cabinet seeking approval for the separation.

The established governance processes for major scope changes were not followed in this instance. The lack of transparency regarding government's decision to separate Sydney Gateway from WestConnex also reduces visibility of TfNSW's underestimation of the cost of delivering the road component of Sydney Gateway.

The November 2018 Final Business Case for Sydney Gateway, which was approved by the government, included an estimate of $2.45 billion (nominal outturn cost) for the road component. This estimate included an $800 million contribution from WestConnex. A more recent estimate (late 2020) for this project is $2.56 billion (nominal outturn cost).

The Parramatta Road Urban Amenity Improvement Program should be included as part of the WestConnex budget

A specific objective of the 2015 WestConnex Business Case was the creation of opportunities for urban renewal along and around Parramatta Road. The business case included an allocation of $198 million in the $16.812 billion WestConnex budget for the Parramatta Road Urban Amenity Improvement program, designed to implement aspects of the objective. In November 2018, the NSW Government removed the Parramatta Road Urban Amenity Improvement Program from the WestConnex program of works and reallocated the $198 million (inside the $16.812 billion WestConnex budget) for urban renewal works around the Rozelle Interchange. As part of this decision, government approved new funding of $198 million to the Greater Sydney Commission for the urban amenity program, outside the $16.812 billion WestConnex budget. This understates the cost of WestConnex meeting its objectives by $198 million.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

In August 2015, INSW conducted its first Gateway Review of WestConnex as a program consisting of composite projects. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or mega‑project. This is not inconsistent with the IIAF and all WestConnex related projects, including Sydney Gateway and the Network Integration Program, have undergone independent assurance reviews as individual projects under the IIAF.

Once a program like WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to provide independent assurance on the program as a whole until it is completed. This is then done as part of the Gateway review for benefits realisation, which examines whether project benefits are being measured and meet expectations. These individual projects are, in themselves, significant in scale and complexity. While addressing them as discrete components for the purposes of the assurance review process can be justified, the absence of strategic, holistic reviews of WestConnex allows for total costs and benefits to become opaque and avoid scrutiny. Programs of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

There is a lack of public transparency on the total costs and benefits of the WestConnex project

Prior to 2018, the Audit Office provided assurance on costs borne and levied by Sydney Motorway Corporation and its controlled entities. Since the NSW Government sold 51 per cent of its stake in WestConnex in August 2018, the Auditor‑General no longer has the mandate to provide this assurance. The Audit Office is also unable to provide any assurance regarding the performance of tolling concessions.

This means that the total costs of WestConnex, including those levied on road users through tolling, are not reported alongside the full cost of delivering the project. This information, and independent assurance over that information, would provide transparency and context to the outcome of government's sale of its interest in WestConnex.

To enhance the transparency of existing infrastructure assurance processes, government could consider requiring large and complex infrastructure programs to undergo periodic review at a whole‑of‑program level. This could take the form of annual reports to Parliament on the total costs and benefits of selected large and complex projects by the responsible agency. The reports could include an assessment of the cost to government and cost to the community of funding and financing. Independent assurance of the agency report would provide Parliament with greater confidence that infrastructure is delivered economically and providing value for money for the people of NSW.

The Australian National Audit Office provides similar assurance on selected Department of Defence acquisition projects as part of its annual Major Projects Report.

Design enhancements included in the 2015 WestConnex Updated Strategic Business Case were supported by robust analysis

The 2015 WestConnex Business Case contained more detail than the 2013 WestConnex business case. Design enhancements were made as a result of modelling analysis conducted over the two years since the 2013 business case. Enhancements included a full underground link between Kingsgrove and St Peters as part of the New M5 and re‑alignment of the M4‑M5 link tunnel (Stage 3) to include the Rozelle Interchange. The Rozelle Interchange will provide a direct connection to the Anzac Bridge and Victoria Road, and will enable a connection to the proposed Western Harbour Tunnel and Beaches Link. A map and description of these elements can be found at Exhibits 2 and 3 of this report.

In 2016, TfNSW revised the design of the M4‑M5 Link and Rozelle to address traffic and integration issues

As part of preparing the 2015 WestConnex Business Case, TfNSW prepared a Project Definition and Delivery Report (PDDR) for the M4‑M5 Link. This report describes the scope of the project, including a high‑level concept design. TfNSW identified limitations with the proposed design of the M4‑M5 in the PDDR, which it would need to address as the project moved to a detailed design stage. In particular, these limitations included:

• poor integration with the Bays Precinct masterplan
• traffic capacity constraints on Victoria Road and Anzac Bridge
• construction complexity.

Following a comprehensive review in mid‑2016, TfNSW changed the design of the M4‑M5 Link and Rozelle Interchange to address these limitations. These changes included:

• deletion of the Camperdown intersection to improve traffic conditions on Parramatta Road
• a fully underground and larger Rozelle Interchange with 10‑hectare dedicated parklands
• a toll‑free tunnel link from Iron Cove Bridge to Anzac Bridge
• increasing the lanes in the dual tunnels from three to four each way.

TfNSW documented, but did not publish, the rationale for the design changes, including how the changes addressed the limitations of the previous design while providing increased community benefit through the creation of open space. TfNSW undertook cost comparison studies which estimated that these changes would have a neutral impact on the estimated project cost while achieving the same or improved benefits.

TfNSW's record‑keeping systems for large infrastructure investments negatively impact accountability and transparency

In response to our formal requests for relevant information, made during the conduct of this audit, TfNSW advised that complete and valid records of key decision‑making processes, analysis and advice were unavailable. Additionally, TfNSW often provided information that was incomplete or unverifiable (for instance, unsigned briefing notes). This is not consistent with accepted governance practices and does not comply with the requirements of the State Records Act 1998.

We also requested that TfNSW provide a list of relevant documents held by the Sydney Motorway Corporation (SMC). While TfNSW acknowledged that SMC may hold material relevant to the audit, TfNSW did not have a list or description of these documents. As SMC is now a majority privately held entity, both the Audit Office and TfNSW have limited power to require SMC to provide documentation.

The delivery timeframe for large and complex infrastructure projects such as WestConnex frequently exceeds five years, and some projects can take over a decade to deliver. These projects represent a significant investment of public resources and government agencies should expect independent review and assurance activities such as performance audits. The establishment of dedicated record keeping facilities for major infrastructure projects, such as data rooms, would improve transparency and accountability. This would ensure that the use of public resources is fully auditable in line with public expectations and the requirements of the Government Sector Finance Act 2018, the State Records Act 1998 and the Public Finance and Audit Act 1983.

2. Recommendations

By December 2021, TfNSW should:

1. review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects

2. when preparing business cases for complex large infrastructure projects, ensure that the estimated costs and benefits of works which are reasonably expected to meet consent conditions are included in the overall project cost and its benefits (as per Treasury guidelines)

3. establish and maintain centralised and project‑specific record keeping, including through dedicated project data rooms, to ensure major infrastructure projects can readily be subject to external oversight and assurance.

By June 2022, INSW should:

4. provide transparent whole‑of‑program assurance on total costs and benefits throughout the project life‑cycle when complex projects are split into sub‑projects.

By June 2022, NSW Government should:

5. consider enhancing the public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole‑of‑program level. This could take the form of reports to Parliament on the total costs and benefits on selected large and complex projects by the responsible agency, including cost to government and cost to community of funding and financing, as well as an accompanying independent assessment of the agency report.

Following our 2014 performance audit report 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF). INSW is responsible for the development, implementation and administration of the IIAF. The assurance framework involves gateway reviews, health checks, deep dive reviews, and project monitoring and reporting at various stages in the lifecycle of a project. The main aims of the IIAF are to help ensure major infrastructure projects are delivered on time and on budget, and to ensure that reports are regularly monitored by the Cabinet of the NSW Government. The IIAF gateway review process is compulsory for all significant investments and expenditure under the NSW Treasury Gateway Policy.

In accordance with the IIAF, INSW is responsible for the following:

• providing a dedicated Assurance Team including Gateway Review Managers to coordinate Reviews
• determining appropriate expert reviewers, and manages scheduling, commissioning and administration of Assurance Review reports. Infrastructure NSW is independent of the Expert Review Team
• monitoring Tier 1 – High Profile/High Risk projects, Tier 2 and Tier 3 (if required) project performance through independent Assurance Reviews
• providing independent analysis and advice on key risks and any corrective actions recommended for Tier 1 – High Profile/High Risk, Tier 2 and Tier 3 projects
• escalating projects to Infrastructure Investor Assurance Committee (IIAC) and Cabinet where projects present ‘red flag issues’ and where corrective action is needed
• working with delivery agencies to register all capital projects with an estimated cost greater than $10.0 million and ensures they are risk profiled and assigned a risk‑based project tier with an endorsed IIAF Project Registration report
• preparing forward looking annual Cluster Assurance Plans
• maintaining and continuously improves the IIAF process
• reporting to the IIAC, Cabinet and Infrastructure NSW Board
• regularly report to NSW Treasury on the performance of the IIAF.

In relation to WestConnex, TfNSW is the sponsor agency responsible for meeting relevant IIAF requirements, including:

• registering and risk profiling projects
• IIAF gateway, health check, and deep dive assurance reviews
• regular reporting.

Under the IIAF, it is mandatory for all capital projects valued over $10.0 million to be registered with INSW. Capital projects can be registered either as a program (comprising of a group of related projects or activities) or as a project (which may or may not be part of a program).

According to the IIAF, programs tend to have a lifespan of several years and aim to deliver outcomes and benefits related to an organisation's strategic objectives. Projects tend to have a shorter lifespan, and deal with outputs. Projects can, however, be grouped under a single program if they are similar in nature or if they are aimed at collectively achieving a strategic objective. Complex projects can be delivered in multiple stages, under different contracts, and across different time periods.

The last assurance review of the entire WestConnex program of works as a whole was in 2015

INSW conducted the first IIAF gateway review of WestConnex in August 2015. TfNSW developed a draft WestConnex Updated Strategic Business Case to consolidate the latest analysis on WestConnex, and to confirm that the project remained fit for purpose, economically viable, and financially deliverable. The review followed a recommendation in our 2014 performance audit report that business cases be thoroughly revisited.

During September 2015, INSW conducted additional informal reviews to identify strategic risks associated with public release of the WestConnex business case. Subsequently, INSW gave the Premier of NSW its views on the draft business case, including the following points:

• The $398 million budget for Sydney Gateway was insufficient to meet the benefits claimed in the business case for a ‘functional’ connection to Sydney Airport and Port Botany. INSW studies indicate a future‑proof solution would require a minimum spend of $755 million.
• Enabling works for WestConnex estimated at $1.534 billion were excluded from the cost of WestConnex. Significant work remained for RMS to identify mitigation measures to address planning approvals and network performance issues.
• Enabling works (a Southern Connector), an access ramp and surface road improvements within St Peters were excluded from the draft 2015 business case despite their inclusion in the WestConnex scope in the 2014–15 State Budget.
• The overall cost of works not funded within the WestConnex budget ranged from $2.011 billion to $2.196 billion. This included the enabling works, access ramp and surface road improvements and the shortfall for Sydney Gateway.

All WestConnex related projects, including Sydney Gateway have undergone independent assurance reviews under the IIAF

Since INSW submitted the first WestConnex progress update report to Cabinet in June 2015, INSW has been reporting monthly on the different stages of the WestConnex Program, including Sydney Gateway, as the projects were registered with INSW as High‑Profile, High‑Risk projects. Separate reporting enabled INSW to report and review each stage with more detailed scrutiny, compared to the reporting and reviewing at a program level.

WestConnex Stage 2 (New M5) underwent both mandatory and non‑mandatory reviews at key points in the project lifecycle. Three mandatory gateway reviews – at Gate 2 (Final business case), Gate 3 (Readiness for market), and Gate 4 (Tender evaluation) – were conducted by TfNSW before the introduction of IIAF. Four non‑mandatory health check reviews and one non‑mandatory deep dive review were conducted after the introduction of the IIAF managed by INSW.

Similarly, WestConnex Stage 3 projects – M4‑M5 link, M4‑M5 Tunnels, and Rozelle Interchange – also underwent mandatory and non‑mandatory reviews at key points in their lifecycle under IIAF.

The M4‑M5 Link had two mandatory gateway reviews and one non‑mandatory health check review under IIAF. These reviews were conducted before Stage 3 was split into two stages, due to major design changes to the Rozelle Interchange and the M4‑M5 tunnels.

The M4‑M5 tunnels had two mandatory gateway reviews (at Gates 3 and 4), one non‑mandatory health check review, and one non‑mandatory deep dive review under IIAF.

Rozelle Interchange also underwent three mandatory gateway reviews at Gate 3 (part 1), Gate 3 (part 2), and Gate 4, two non‑mandatory health check reviews, and one non‑mandatory deep dive review under IIAF.

Since mid‑2017, the Sydney Gateway project has undergone required independent assurance reviews, as well as a number of optional assurance reviews

In November 2016, INSW conducted a mandatory Gate 1 gateway review on a strategic business case for the Sydney Gateway Project. TfNSW did not proceed with this business case. Following the separation of Sydney Gateway from WestConnex in mid‑2017, TfNSW developed a new business case for Sydney Gateway. It has undergone the required Gate 1, Gate 2, and Gate 3 gateway reviews, as well as two non‑mandatory health check reviews, and three non‑mandatory deep dive reviews under IIAF.

Network integration works have undergone all IIAF required assurance reviews

TfNSW completed a strategic business case for the Network Integration Program in August 2020, and INSW completed a gateway review in November 2020. This is despite network integration projects starting as early as 2015, with $645 million having been spent by June 2020. The strategic business case included a prioritisation process for completing remaining works in the program. Prior to November 2020, TfNSW registered individual network integration projects with INSW, and these projects have undergone gateway reviews where required.

The Network Integration Program strategic business case does not include Rozelle interchange network integration works ($353 million) and additional network integration works to settle a contractor claim adjacent to St Peters Interchange ($190 million). These were excluded from the business case on the basis they had already been approved by government, and as such were not subject to the prioritisation elements of the business case. TfNSW has not developed separate business cases for these works, although the scope of the St Peters Interchange works was developed through a negotiated process.

TfNSW did not prepare business cases for some network integration works which have commenced, including the $323 million Campbell Road/Euston Road works

Prior to its development of the August 2020 strategic business case, TfNSW did not prepare business cases for many network integration works that have commenced, and in some instances were completed, before 2019. Significantly, TfNSW did not prepare a business case for the Campbell Road/Euston Road works, which cost $323 million and have been completed.

In 2016, TfNSW’s Business Case Policy requires the creation of business cases for capital projects costing over $1.0 million. At the time of writing this report, TfNSW’s draft policy requires full business cases for capital projects costing $10.0 million or more.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

INSW conducted its first gateway review of WestConnex (as a program, which consisted of composite projects) in August 2015. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or complex project. The IIAF allows this to occur.

Separate registration enabled INSW to report and review each stage with more scrutiny compared to whole‑of‑program level review.

Such an approach has merit, considering the individual stages (and components of these stages) are multi‑million dollar works in their own right. Each project has its own timing for gateway reviews at stages such as 'Readiness for Market' and 'Tender Evaluation'.

Once a program such as WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to conduct independent assurance on the program of works as a whole until the whole program is completed as part of the Benefits Realisation (Gate 6) gateway review. The absence of strategic, holistic reviews of projects of the scale and complexity such as WestConnex during their delivery allows for total costs and benefits to become opaque and avoid scrutiny. Projects of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

INSW has advised us that it has prepared a proposal to expand its assurance function to include whole‑of‑program review of inter‑related infrastructure projects.

Appendix one – Responses from agencies

Appendix two – Network integration works

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #351 - released (17 June 2021).

What the report is about

The report assessed how effectively the Department of Communities and Justice is responding to homelessness through the NSW Government’s Homelessness Strategy.

It also assessed the effectiveness of the department’s efforts to address street homelessness in its COVID-19 response.

What we found

The strategy was designed to build evidence to inform future state-wide action rather than to end homelessness.

The department received significantly less funding than it sought for the strategy.

Actions delivered under the strategy have a narrow reach in terms of locations and number of people targeted for assistance.

The strategy will have limited short-term impact on homelessness across NSW, but it is building evidence on what works to prevent and reduce homelessness.

The department effectively implemented a crisis response to assist over 4,350 people sleeping rough into temporary accommodation during the pandemic.

While there was an effective crisis response to assist people sleeping rough during the pandemic, more will need to be done to ensure a sustainable response which prevents people returning to homelessness.

What we recommend

The department should:

• provide advice to the NSW Government on sustainably addressing demand and unmet need for homelessness supports
• commence development of a comprehensive strategy to address homelessness, linked to the government’s 10-year plan for social housing and 20-year housing strategy
• enable input to key decisions on homelessness policy from partner agencies, the specialist homelessness services sector, the community housing sector, Aboriginal people, and people with lived experience of homelessness
• partner with Aboriginal stakeholders and communities to design and implement a strategy for early identification and responses to the needs of Aboriginal people vulnerable to homelessness; and build the capacity and resourcing of the Aboriginal Community Controlled Sector to deliver homelessness services
• evaluate the homelessness response to COVID-19, integrate the lessons learned into future practice, and develop protocols to inform actions in future emergencies or disasters
• regularly collect client outcomes data and feedback and use this to drive improvements to responses to homelessness.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

Homelessness exists when a person does not have suitable accommodation alternatives. A person is considered to be experiencing homelessness if their current living arrangement:

• is in a dwelling that is inadequate; or
• has no tenure, or if their initial tenure is short and not extendable; or
• does not allow them to have control of, and access to space for social relations.

The number of people experiencing homelessness in New South Wales increased by 37 per cent between the last two censuses, from 27,479 in 2011, to 37,715 in 2016. New South Wales recorded the largest increase of all the states and territories in both the number of people experiencing homelessness and in the homeless rate (from 40.8 to 50.4 persons per 10,000).

The NSW Government's primary service response to homelessness is crisis, temporary and transitional accommodation, and support services, funded at more than $1.0 billion over four years from 2018–19. These are ‘commissioned services’ delivered by non‑government organisations under contracts with the Department of Communities and Justice (the Department) and out of scope for this audit. We assessed how the Department manages contracts for specialist homelessness services in our 2019 audit 'Contracting non‑government organisations'.

The policy framework for the NSW Government's response to homelessness is the NSW Homelessness Strategy 2018–23 (the Strategy), which is examined in this audit. The Department is responsible for the development, implementation, monitoring and evaluation of the Strategy. The Strategy comprises 21 actions, ten of which directly target people at risk of, or already experiencing, homelessness through measures such as:

• screening high school students for the risk of homelessness and providing supports
• assisting vulnerable people to maintain their tenancies in social housing or the private rental market
• providing purpose‑built social housing.

These ten actions comprise $160 million of the Strategy's $169 million funding.

In December 2019, the first evidence of the COVID‑19 virus emerged. People sleeping without shelter or in public places (sleeping rough) typically live in communal arrangements, with some having limited access to basic hygiene supplies or showering facilities. These factors may increase the risk of transmission of COVID‑19 amongst this population.

In response to the pandemic, the NSW Government provided additional funding for the Department to institute a range of actions aimed at preventing vulnerable people from becoming homeless, and people sleeping rough from contracting or transmitting the virus. These were informed by, but separate to, actions under the Homelessness Strategy.

This audit focused on the temporary accommodation provided to individuals experiencing street homelessness during the pandemic, and the new 'Together Home' program established in 2020 to transition people with experience or history sleeping rough from temporary accommodation into more sustainable longer‑term housing.

This audit assessed how effectively the Department is implementing the Homelessness Strategy and addressing street homelessness in its COVID‑19 response. In making this assessment, the audit examined whether the Department:

• has effectively developed an evidence‑based Strategy and established supporting arrangements to implement it
• is ensuring the Strategy is achieving its objectives and outcomes
• is effectively supporting people sleeping rough into temporary accommodation during COVID‑19 and to transition into more sustainable longer‑term housing.

1. Key findings: the Homelessness Strategy

The Strategy's geographical and client reach is limited because it is building the evidence base on what works

The Department's objectives to intervene early, provide effective supports and create an integrated person‑centred system to address homelessness are clear, but are not being pursued state‑wide.

There were existing gaps in the available evidence which made it difficult for the Department to develop a holistic, state‑wide, long‑term solution to homelessness. Some of the actions under the Strategy have a degree of supporting evidence. Other actions are intended to generate evidence through pilots and by evaluating existing programs more robustly.

At least one Strategy action is available in each of the Department's 16 districts, and there are examples of the Department rolling out practice changes from Strategy pilots across the state. However, progress towards the Strategy aims is confined to pockets where actions are being trialled.

Once fully implemented, Strategy actions will be available in only a quarter of the state's 128 local government areas and will support approximately 8,200 people ‑ which equates to around 22 per cent of the number of people who were experiencing homelessness at the time of the last census in New South Wales in 2016 more than 37,000 people. This does not include the number of people at risk of homelessness.

A key gap in Strategy actions is addressing Aboriginal homelessness.

The Department received significantly less funding than sought and designed the Strategy to build the evidence base rather than eliminate homelessness

The Department could not meet the evidence threshold for a cost benefit analysis required by a Treasury business case, given the limited evidence available locally and internationally on what works to prevent homelessness or intervene earlier. The Department sought new, targeted investment to extend a small number of initiatives with proven effect, and to build the evidence base about other measures that work, rather than the quantum of funding required to end homelessness in New South Wales.

Even so, approved funding was significantly less than that sought by the Department. It repurposed existing resources, dropped some proposed actions and scaled others down to fit within the final funding envelope. It directed 95 per cent of the total Strategy funding to supports and accommodation for people at risk of or experiencing homelessness.

The Department intends to use the gathered data from implementation of the Strategy to expand effective prevention and early intervention measures after it concludes, subject to budget approval. It expects that, over time, these initiatives will reduce the demand for crisis services.

Actions may not be scaled up at the end of the Strategy's term, perpetuating the Strategy's limited reach and narrow impact on homelessness

The Department's approach of testing interventions and building the evidence base through the Strategy was well described and provided a clear rationale in its original advice to government. An evaluation framework has been designed to generate sufficient evidence on the overall Strategy and its individual actions for a cost benefit analysis to support a future budget bid.

The Department intends to use the findings from interim evaluation reports, due by September 2021, to determine the programs and pilots with promising evidence that should continue to the end of the Strategy term. It expects this to enable more qualitative and quantitative data to be available to the evaluations, as well as to support service continuity.

However, delays in delivery of some actions under the Strategy, and the time taken for outcomes to be achieved and show up in the data, will impact on the strength of the evidence available at the mid‑term and final Strategy evaluation points. This raises a risk that future funding for a comprehensive Strategy will not be secured ‑ and prevention and early intervention activities not continued or scaled up beyond pilot sites ‑ if the evidence on effectiveness is incomplete, mixed or unclear when the Strategy concludes.

Given its limited reach, even if the existing Strategy actions were retained, and no expansion occurred, it would continue to have a narrow impact on homelessness in New South Wales. This sits against a backdrop of increasing need for housing and homelessness supports in the state that may become more acute once the full economic impacts of the COVID‑19 pandemic are felt.

2. Key findings: the COVID‑19 response to homelessness

The Department effectively planned and implemented its homelessness response to the pandemic and reduced the risk of transmission of COVID‑19 for people sleeping rough

The Department's crisis response focused on people sleeping rough due to the public health risk of COVID‑19 transmission amongst this group.

The Department engaged with the specialist homelessness services sector from mid‑March 2020 to modify service delivery, advise on infection control and plan extra supports. It explored options with temporary accommodation providers to support self‑isolation for clients, and scaled up its assertive outreach patrols by staff, specialist caseworkers and health professionals to support people sleeping rough into crisis or temporary accommodation for safety.

The Minister directed the Department to address street homelessness in the COVID‑19 response using the Government’s second stage of stimulus funding. The Department procured hotel, motel or serviced apartment accommodation for 400 people who were sleeping rough, or unable to physically distance in large crisis accommodation centres, within a week of the ministerial direction, building on existing programs. The Department provided advice to the Minister on the need to adjust existing policy settings to meet the forecast demand for temporary accommodation services.

The Department secured additional temporary accommodation when and where it was required, to accommodate the number of people sleeping rough who wanted support. Between 1 April 2020 and 31 January 2021, the Department provided temporary accommodation to 32,158 individuals, of which 4,355 people were sleeping rough, totalling more than 70,000 nights of temporary accommodation and services.

The Department met regularly with NSW homelessness peak organisations and established a Taskforce involving other government agencies, peak organisations, and service providers, to assist in quickly executing the measure and resolving issues arising. The Taskforce built on existing collaborative arrangements in place to support cross‑sectoral coordination, enabling it to respond quickly to COVID‑19.

The Department worked with NSW Health and health providers to ensure its COVID‑19 response to homelessness was in line with health guidelines. As of May 2021, just one participant in the Department's enhanced temporary accommodation program had contracted COVID‑19.

The Department does not know how many people sleeping rough who were assisted with enhanced temporary accommodation have returned to homelessness

Within metropolitan Sydney, the Department established a specialist housing team, and contracted a non‑government provider, to connect people placed in hotels with support services, provide tailored support, and to assist and monitor their transition to longer‑term housing.

The Department’s data indicates that between May 2020 and 31 January 2021, over 1,800 people who had previously been sleeping rough had been engaged in this program, more than four times the expected client numbers. Almost half moved into further accommodation when they left the program, including people supported with longer‑term housing such as social housing, community leasing under the Together Home program, and private rental arrangements.

However, the Department did not track the housing outcomes for clients who were not provided with this support, or who disengaged from services. The Department advises that this would have required additional resourcing to do so.

The Department offers assistance to people in temporary accommodation to find longer term options, and has a policy to not knowingly exit someone from temporary accommodation into homelessness. However, it does not track housing outcomes for every client if they do not engage with the Department's housing or funded support services. It intends to conduct research in the future to better understand what happens to people who leave temporary accommodation without seeking further assistance from the Department.

The Department cannot identify precisely how many people sleeping rough who were assisted during COVID‑19 have returned to rough sleeping or other forms of homelessness. The Department’s data suggests that 72 per cent of the approximately 4,000 people formerly sleeping rough who left temporary accommodation between April 2020 and April 2021 left with an unknown housing outcome. This includes people who were not eligible for social housing, were stranded due to border closures, or who disengaged from the Department or funded support services.

The Department also has limited data to understand whether the enhanced temporary accommodation program was more effective in helping to connect participants with services and support them into stable accommodation, than previous approaches.

The Together Home program was established quickly to assist people into more permanent accommodation but will not meet demand as a standalone response

The Department established the Together Home program in September 2020 to provide longer‑term accommodation to people who were sleeping rough during the pandemic. Community housing providers head‑lease properties in the private rental market for two years and sub‑lease these to clients, while ensuring they receive additional support, such as health services, to help them maintain the lease.

Under the initial tranche of funding, the Together Home program aimed to support 400 people sleeping rough. This target was met by April 2021. Due to increased rental demand in many areas of the state, there were some delays in securing properties in certain areas. In addition, people on temporary visas, or with existing public housing debt, are ineligible for this program.

A further $29.0 million was provided to this program through the 2020–21 NSW Budget, creating 400 additional program places. However, the total number of 800 Together Home places will not be sufficient to provide housing for the more than 4,000 individuals who were sleeping rough prior to entering enhanced temporary accommodation.

The Department advises it is using a range of ‘business‑as‑usual’ options to assist other people sleeping rough into stable accommodation outside of the Together Home program. These options include social housing, supported transitional accommodation, subsidised private rental, boarding houses, and referral to mental health and substance addiction rehabilitation facilities.

The Department’s latest annual state‑wide street count suggested that the number of people sleeping rough across New South Wales decreased by 13 per cent between February 2020 and February 2021. The Department has acknowledged that it could do more to monitor and support the housing outcomes for people in temporary accommodation after they exit.

The Department has plans to secure longer‑term housing options for Together Home clients after the two‑year program, through commissioned community housing and private rental assistance. However, it is not clear how this will overcome existing housing challenges given the complexity of needs amongst this client group, the limited availability of affordable rental properties and the existing scale of unmet need for social housing.

3. Recommendations

By July 2022, the Department of Communities and Justice should:

1. use data and analysis identified through the Homelessness Strategy 2018–2023 and provide advice to the NSW Government on sustainably addressing demand and unmet need for homelessness supports

2. use the evidence obtained through the Homelessness Strategy 2018–2023 to commence development of a comprehensive strategy to address homelessness, linked to the government’s ten‑year plan for social housing and 20‑year housing strategy

3. establish and sustain governance arrangements that enable input to key decisions on homelessness policy from partner agencies, the specialist homelessness services sector, the community housing sector, Aboriginal people and people with lived experience of homelessness

4. in partnership with Aboriginal stakeholders and communities, design and implement a strategy for early identification and responses to the needs of Aboriginal people vulnerable to homelessness; and build the capacity and resourcing of the Aboriginal Community Controlled Sector to deliver homelessness services

5. evaluate the homelessness response to COVID‑19 and integrate the lessons learned into future practice; and develop protocols to inform actions in future emergencies/disasters

6. establish and sustain a means to regularly collect client outcomes data and feedback; and use this to drive improvements to responses to homelessness.

This chapter considers how effectively the NSW Homelessness Strategy was developed and is currently being implemented by the Department of Communities and Justice.

This chapter examines how effectively the Department of Communities and Justice addressed homelessness in its response to the COVID‑19 pandemic, and how well it is applying lessons learned from the pandemic to future policy and service development.

Appendix one – Response from agency

Appendix two – Actions within the NSW Homelessness Strategy 2018–23

Appendix three – Reported progress on Homelessness Strategy actions to date (unaudited)

Appendix four – Key homelessness data collections

Appendix five – Temporary accommodation for people sleeping rough standard practice vs COVID 19 response

Appendix six – Key measures in the COVID 19 response to homelessness

Appendix seven – About the audit

Appendix eight – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #350 - released (4 June 2021).