What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

• coordination at state, regional and local levels through emergency management committees
• emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
• operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

• The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
• NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
• Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
• The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
• The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

• government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
• agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

• up to ten fully vaccinated visitors to a home (increased from five)
• up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
• weddings and funerals limits increased to 100 people (from 50)
• the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

• South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
• Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
• Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
• a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

• the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
• issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
• the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
• issues arising from impediments to information sharing between agencies and jurisdictions, such as:
  • timeliness and accuracy of data used to direct compliance activities
  • the impact of insufficient advance notice on changes to Public Health Orders
  • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
  • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
• the lack of Aboriginal community representation on many LEMCs
• compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
• improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
• deficiencies in succession planning and fatigue management practices
• the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

• governance
• engagement 
• innovation and technology 
• community impact 
• workforce impact
• system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #371 - released 20 December 2022

What the report is about

Local councils in New South Wales are responsible for assessing local and regional development applications.

Most development applications are assessed and determined by council staff under delegated authority. However, some development applications must be referred to independent local planning panels or Sydney and regional planning panels for determination.

Councils provide support to local planning panels. The Department of Planning and Environment provides support to Sydney and regional planning panels.

This audit assessed whether Byron Shire Council, Northern Beaches Council and The Hills Shire Council had effectively assessed and determined development applications in compliance with legislative and other requirements.

It also assessed whether The Hills Shire Council, Northern Beaches Council and the Department of Planning and Environment had provided effective support to relevant independent planning panels.

What we found

All councils had established clear roles, responsibilities and delegations for assessment and determination of development applications and had also established processes to ensure quality of assessment reports.

Northern Beaches Council and The Hills Shire Council have established comprehensive approaches to considering and managing risks related to development assessment.

Northern Beaches Council's approach to publishing its assessment reports promotes transparency.

Across a sample of development applications assessed and determined between 2020–22:

• Northern Beaches Council and The Hills Shire Council had assessed and determined applications in compliance with legislative and other requirements. However, The Hills Shire Council could do more to transparently document any conflicts of interest within assessment reports.
• Byron Shire Council had assessed most applications in compliance with legislative and other requirements. However, we found opportunities for the Council to:
  • ensure determinations were made in line with delegations
  • strengthen its approach to transparent management of conflicts of interest and quality review of assessments.

The Hills Shire Council and Northern Beaches Council had effectively supported their respective local planning panels.

The Department of Planning and Environment had processes that meet requirements for supporting regional planning panels but could do more to promote consistency in approach, share information across panels and measure the effectiveness of its support.

What we recommended

We made recommendations to Byron Shire Council, The Hills Shire Council and the Department of Planning and Environment to address the gaps identified and improve the transparency of processes.

Local councils in New South Wales are responsible for assessing local and regional development applications under the Environmental Planning and Assessment Act 1979 (EP&A Act).

In assessing development applications, councils consider:

• whether the proposed development application is compliant with legislation and environmental planning instruments
• whether the proposed development meets local planning controls and objectives
• any environmental, social and economic impacts
• any submissions from impacted properties, neighbours and interested parties
• the public interest.

Once assessed, a development application will be determined by council staff under delegated authority, the elected council, or an independent planning panel.¹ 

The involvement of a particular independent planning panel is established under legislative and policy instruments, and depends on the type and value of the proposed development. Most development applications are assessed and determined by council staff under delegated authority.

In determining development applications, independent planning panels must manage any potential, real or perceived conflicts of interest of panel members for a given development application, meet and vote on development applications, and publish their decisions and reasons.

Under the EP&A Act, and as required by statutory instruments and procedures, councils and the Department of Planning and Environment (DPE) must provide secretariat and other support functions to independent planning panels.

Previous reviews and inquiries have identified several significant risks that are present within the processes involved in the assessment and determination of development applications. These risks include possible non-compliance with complex legal and policy requirements, potential improper influence from developers and other stakeholders, and a perceived lack of transparency within the planning system and planning outcomes.

There are several planning pathways for development in New South Wales. This audit focuses on local and regional development that requires assessment and determination by a local council and/or an independent local planning panel or Sydney or regional planning panel in three Local Government Areas (LGAs): Byron Shire Council, Northern Beaches Council, The Hills Shire Council.

Audited councils were selected from a range of criteria, including:

• the number, value and types of development applications determined in 2018–19
• average determination timeframes
• appeals against determinations and Land and Environment Court outcomes
• LGA demographics.

The audit also avoided councils that had previously been subject to a performance audit.

The objective of this audit was to assess whether:

• selected councils have effectively assessed and determined development applications in compliance with relevant legislation, regulations and government guidance
• selected councils and DPE effectively support independent planning panels to determine development applications in compliance with relevant legislation, regulations and government guidance.

This audit continues a series of audits examining the development assessment process in NSW local councils and is focused on the assessment and determination stages.

The Audit Office of New South Wales previously considered local government development assessments in our 2019 performance audit: 'Development assessment: pre-lodgement and lodgement in Camden Council and Randwick City Council'.

Appendix one – Response from agencies

Appendix two – Council profile: Byron Shire Council

Appendix three – Council profile: Northern Beaches Council

Appendix four – Council profile: The Hills Shire Council

Appendix five – About the audit 

Appendix six – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #370 - released 12 December 2022

What the report is about

This audit examined whether the Department of Planning and Environment (DPE) and the Biodiversity Conservation Trust (BCT) have effectively designed and implemented the Biodiversity Offsets Scheme (‘the Scheme’) to compensate for the loss of biodiversity due to development.

Under the Biodiversity Conservation Act 2016, the Scheme enables landholders to establish in-perpetuity Biodiversity Stewardship Agreements on sites to generate credits for the unique biodiversity on that land. These credits can be sold to offset the negative impact of development on biodiversity.

What we found

DPE has not effectively designed core elements of the Scheme. DPE did not establish a clear strategic plan to guide the implementation of the Scheme.

The BCT has various roles in the Scheme but lacked safeguards against potential conflicts, creating risks to credit supply.

The effectiveness of its implementation has also been limited. Key concerns around the Scheme’s transparency, sustainability and integrity are yet to be fully resolved.

A market-based approach to biodiversity offsetting is central to the Scheme's operation but credit supply is lacking and poorly matched to growing demand. DPE has not established a clear, resourced plan to manage the shortage in credit supply. Data about the market, published by the DPE and the BCT, does not provide an adequate picture of credit supply, demand and price to readily support market participation.

These factors create a risk that biodiversity gains made through the Scheme will not be sufficient to offset losses resulting from development, and that the DPE will not be able to assess the Scheme’s overall effectiveness.

DPE is leading work with the BCT to improve the Scheme, but this is not yet guided by a long-term strategy with clear goals.

What we recommended

The audit made 11 recommendations to DPE and the BCT, focusing on:

• a long-term strategic plan for the Scheme
• improvements to the operation and transparency of the market and credit supply
• frameworks to ensure the financial and ecological sustainability of biodiversity stewardship sites
• enhanced public reporting and data management
• resolving issues in conflicting governance and oversight.

The NSW Government's Biodiversity Outlook Report 2020 estimates that, without effective management, only 50% of species and 59% of ecological communities that are listed as threatened in New South Wales will still exist in 100 years. The NSW State of the Environment 2021 report identifies habitat destruction and native vegetation clearing as presenting the single greatest threat to biodiversity in the State.

According to the Organisation for Economic Co-operation and Development (OECD), biodiversity offsets are 'measurable conservation outcomes that result from actions designed to compensate for significant, residual biodiversity loss from development projects'. The OECD states that a feature of such schemes is that biodiversity offsets are intended to be implemented as the 'final step of a mitigation hierarchy' whereby reasonable first steps are taken to avoid and minimise the negative impacts.

The NSW Biodiversity Offsets Scheme was established in 2017 under the Biodiversity Conservation Act 2016 (the Act). The purpose of the Act is to 'maintain a healthy, productive and resilient environment for the greatest well-being of the community, now and into the future, consistent with the principles of ecologically sustainable development'.

The Department of Planning and Environment (DPE) designed and manages this Scheme. Under the Act, a feature of the Scheme is a 'market-based conservation mechanism through which the impacts to biodiversity can be offset.' The Scheme enables landholders to establish in-perpetuity Biodiversity Stewardship Agreements (BSAs) on sites to generate biodiversity credits, which can be sold to offset the negative impact of development on biodiversity. BSA sites are intended to be managed over the long term to generate the biodiversity gains required to offset the impact.

The Biodiversity Conservation Trust (BCT) monitors and supports landholders to manage BSA sites under the Scheme. This includes making payments to landholders from funds held in the Biodiversity Stewardship Payments Fund for undertaking the required biodiversity management actions.

This Scheme was preceded by several other offsetting schemes in New South Wales, including the BioBanking scheme that started in 2008. DPE has arrangements to transition sites, credits, and offset obligations from this and other previous schemes.

The current biodiversity credit market in New South Wales consists of 1394 different types of ecosystem credits, which are approved to be traded in 364 different offset trading groups, and 867 different species credits. Trading rules, set out in the Biodiversity Conservation Regulation 2017 (the Regulation), prioritise offsetting the obligations of a development with like-for-like ecosystem or species credits.

The Scheme is implemented through the planning system in New South Wales. Proposed development that involves the clearing of native vegetation, and meets certain thresholds, is required to undertake a Biodiversity Development Assessment Report. These reports determine an offset obligation, in biodiversity credits, to compensate for the biodiversity loss proposed. These reports are considered by consent authorities (such as a council, for local development, or by the Minister for Planning for major projects). An offset obligation is then included in the conditions of development approval.

In addition to establishing a market for trading between developers, with offset obligations, and landholders, who sell credits from their BSA sites, the Scheme allows developers to pay into the Biodiversity Conservation Fund and transfer their obligations to the BCT. This allows the developer to proceed with their project. The BCT must then meet these acquired obligations by buying the required credits, or by undertaking other approved activities set out in the Regulation. The BCT has more options than developers on how and when it acquits its obligations.

This audit examined whether DPE and the BCT have effectively designed and implemented the Biodiversity Offsets Scheme to compensate for the loss of biodiversity due to development.

This section presents an overview of the status of the biodiversity credit market in New South Wales. It describes development of the market under the Scheme in the context of transitional arrangements from previous schemes, and the extent of market participation and transactions to date. It also presents information about emerging trends in credit demand and supply.

This section assesses the clarity and alignment of the goals of the Scheme to key features of its design and operations. It also examines structural elements of the Scheme that aim to maintain integrity within administering agencies, and the status of actions to address risks or issues.

This section assesses how effectively components of the Scheme have been designed and are being implemented to provide assurance that the impacts of development are being avoided and minimised such that only ‘unavoidable’ impacts remain to be offset. The section also assesses whether the Scheme and its market embeds the necessary controls to ensure that obligations are offset as required.

This section assesses how effectively the supply of biodiversity credits has been supported by encouraging and enabling landholders to participate in the Scheme. It also assesses whether sufficient action is underway to address issues and risks to the establishment of BSA sites, especially in the context of known credit supply issues (section 2).

This section assesses how effectively BSA sites, which need to be managed by landholders to generate the biodiversity gains represented by credits, are regulated and supported by the Biodiversity Conservation Trust. It also assesses whether actions have been taken to address identified risks to the suitability of funds required to ensure long-term BSA site management.

Appendix one – Response from agencies 

Appendix two – Like-for-like, variation and ancillary rules

Appendix three – Detail on progress of the IIAP

Appendix four – About the audit 

Appendix five – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #367 - released 30 August 2022

What the report is about

The ePlanning program is an initiative of the Department of Planning and Environment (the department) to deliver a digital planning service for New South Wales through the NSW planning portal (the portal).

Using the portal, relevant planning activities can be carried out online, including all stages of development applications.

The portal has been developed under three separate business cases in 2013, 2014 and 2020.

In late 2019, the government mandated the use of the portal for all development applications. This decision took effect across 2020–21.

This audit assessed the effectiveness of the department's implementation, governance and stakeholder engagement in delivering the NSW planning portal. 

What we found

Since implementation commenced in 2013, the NSW planning portal has progressively achieved its objectives to provide citizens with access to consolidated planning information, and allow them to prepare and submit development applications online.

Shortcomings in the department's initial planning and management of the program led to a significant time overrun. It has taken the department longer and cost significantly more to implement the portal than first anticipated. 

In recent years the department has improved the planning, implementation and governance of the ePlanning program, resulting in improved delivery of the portal’s core functions.

The department now has a clear view of the scope necessary to finalise the program, but has not yet published the services it plans to implement in 2022 and 2023.

Mandating the use of the portal for all development applications changed the program's strategic risk environment and required the department to work more closely with a cohort of stakeholders, many of whom did not want to adopt the portal.

Despite this change, the department kept its overall delivery approach the same.

While implementation of the portal has delivered financial benefits, the department has overestimated their value.

The Department has only reported benefits since 2019 and has not independently assured the calculation of benefits.

What we recommended

By December 2022, the department should:

• publish a roadmap of the services it expects to release on the portal across 2022 and 2023
• update its ePlanning program assumptions, benefits targets and change management approach to reflect the government's decision to mandate the use of the portal for all stages of a development application
• independently assure and report publicly the correct calculation of ePlanning program benefits.

The ePlanning program is an initiative of the Department of Planning and Environment (the department) to deliver a digital planning service for New South Wales through the NSW planning portal (the portal, or the planning portal). The department defines the portal as an online environment where community, industry and government can work together to better understand and meet their obligations under the Environmental Planning and Assessment Act 1979 (NSW). Using the portal, relevant planning activities can be carried out online throughout New South Wales. This includes, but is not limited to:

• applying for and gaining planning approval
• applying for and gaining approval for building works, sub-dividing land and similar activities
• issuing occupancy and other certificates.

The portal has been developed under three separate business cases. The first business case in 2013 led to the creation of a central portal, which made planning information available to view by planning applicants and allowed some planning applications to be lodged and tracked online.

Under a second business case prepared in 2014, the department set out to improve and widen the functions available via the portal. The department prepared a third business case in 2020 to fund further improvements to the portal over the period July 2020 to June 2023. The third business case also extended the portal's functions to support the building and occupation stages of the planning cycle.

In late 2019, the government mandated the use of the portal for all stages of development applications. This decision took effect across 2020–21 and applied to all councils as well as certifiers and others involved in the planning process.

The objective of this performance audit was to assess the effectiveness of the department's implementation, governance and stakeholder engagement in delivering the NSW planning portal. We investigated whether:

• delivery of the NSW planning portal was planned effectively
• sound governance arrangements are in place to ensure effective implementation of the program
• users of the NSW planning portal are supported effectively to adopt and use the system.

This part of the report sets out how:

• the ePlanning program has been planned and delivered
• users of the portal have been supported
• the program has been governed.

This part of the report sets out the ePlanning program's:

• expected and reported financial benefits
• calculation of financial benefits.

In 2019, the department increased its expectations for net financial benefits

The department's three ePlanning business cases each forecast substantial financial benefits from the implementation of the planning portal. The department expected that most financial benefits would flow to planning applicants due to a quicker and more consistent planning process. It also expected that government agencies and councils would benefit from the portal.

In 2019 the department commissioned a review to explore opportunities to better identify, monitor and realise the benefits of the ePlanning program. Using this work, the department updated the expected benefits for business cases 1 and 2 to take account of:

• errors and miscalculations in the original benefits calculations
• slower delivery of the portal and changes to the take-up of portal services by councils
• changes to the services supported by the portal.

Reported benefits significantly exceed the current targets

In September 2021, the department reported that the program had achieved $334 million of benefits over the three financial years up to June 2021 plus the first two months of 2021–22. These reported benefits were significantly higher than expected. 

The department attributes the higher-than-expected financial benefits to the following:

• benefit targets have not been updated to reflect the impact of the 2019 decision to mandate the use of the portal for all development applications. This decision brought forward the expected benefits as well as potential costs of the program. However, the department did not update its third business case which was draft at the time. The business case was subsequently approved in July 2020
• one-off cost savings for agencies not having to develop their own systems
• public exhibitions of planning proposals continuing to be available online during 2020 when some newspapers stopping printing due to COVID-19.

The calculation of benefits is overstated

The department reported $334 million of benefits in September 2021 due to the ePlanning program. This calculation is overstated because:

• a proportion of reported benefits is likely to be due to other planning reforms
• the calculation of the largest single benefit is incorrect
• the reported benefits may not fully account for dis-benefits reported by some stakeholders.

The program’s benefits are calculated primarily from changes in planning performance data, such as the time it takes to determine a planning development application. The department currently attributes the benefits from shorter planning cycles entirely to the effect of the ePlanning program. However, planning cycles are impacted by many other factors such as the complexity of planning regulations and the availability of planning professionals. Planning cycles may also be impacted by other departmental initiatives which are designed to improve the time that it takes for a planning application to be evaluated. The Introduction describes some of these initiatives.

The largest contribution to the department’s September 2021 benefit report was an estimated saving of $151 million for developers due to lower costs associated with holding their investment for a shorter time. However, the department’s calculation of this benefit assumes a high baseline for the time to determine a development application. It also assumes that all development applications except for additions or alterations to existing properties will incur financing costs. However, a small but material number of these applications will be self-financed. The calculation also includes several data errors in spreadsheets.

The calculation of some benefits relies upon an extrapolation of the benefits experienced by a small number of early-adopter councils, including lower printing and scanning costs, fewer forms and quicker processing times. However, some councils report that their costs have increased following the introduction of the portal, primarily because aspects of the portal duplicate work that they carry out in their own systems. The portal has also required some councils to re-engineer aspects of their own systems, such as the integration of their planning systems with other council systems such as finance or property and rating systems. It has also required councils to create new ways of integrating council information systems with the planning portal.

The department has published information to help councils and certifiers to automatically integrate their systems with the planning portal. This approach uses application programming interfaces (or APIs) which are an industry-standard way for systems to share information. In April and May 2021, the government granted $4.8 million to 96 regional councils to assist with the cost of developing, implementing and maintaining APIs. The maximum amount of funding for each council was $50,000. The department is closely monitoring the implementation of APIs by councils and other portal users. Once they are fully implemented the department expects APIs to reduce costs incurred by stakeholders.

The department has not yet measured stakeholder costs. It was beyond the scope of this audit to validate these costs.

The department has not independently assured the calculation of reported benefits

In 2020 the department appointed an external provider to calculate the benefits achieved by the ePlanning program. The department advised that it chose to outsource the calculation of benefits because the provider had the required expertise and because it wanted an independent calculation of the benefits. The process involves:

• extraction and verification of planning performance data by the department
• population of data input sheets by the department
• calculation of benefits by the external provider using the data input
• confirmation by the department that the calculation includes all expected benefit sources.

The department does not have access to the benefits calculation model which is owned and operated by the external provider. The department trusts that the provider correctly calculates the benefits and does not verify the reported benefit numbers. However, as the benefits model involves many linked spreadsheets and approximately 300 individual data points, there is a risk that the calculation model contains errors beyond those discussed in this audit.

The reported benefits have only been calculated since 2019

The department originally intended to track benefits from October 2014. However, it only started to track benefits in 2019 when it appointed an external provider to calculate the benefits achieved by the portal. Any benefits or dis-benefits between the introduction of the portal and 2019 are unknown and not included in the department’s calculation of benefits.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #366 - released 21 June 2022

What the report is about

The report focuses on how effectively the Department of Customer Service (DCS) and Department of Planning and Environment (DPE) led reforms addressing the unsafe use of combustible external cladding on existing residential and public buildings.

Nine local councils were included in the audit because they have responsibilities and powers needed to implement the NSW Government’s reforms.

What we found

After the June 2017 Grenfell Tower fire in London, the NSW Government committed to a ten-point action plan, which included establishing the NSW Cladding Taskforce, chaired by DCS, and with DPE as a key member. The Taskforce co-ordinates and oversees the implementation of the plan.

Depending on the original source of development approval, either individual local councils or DPE are responsible for ensuring that buildings are identified, assessed, and remediated. NSW Government-owned buildings are the responsibility of each department.

Identifying buildings potentially at risk was complex and resource intensive. However, on balance, it is likely that most affected buildings have now been identified.

By October 2021, around 40 per cent of assessed high-risk buildings that are the responsibility of local councils had either been remediated or found not to pose an unacceptable fire risk.

By February 2022, almost 50 per cent of affected NSW Government-owned buildings, and 90 per cent of buildings that are the responsibility of DPE, have either been cleared or are in the process of being remediated.

Earlier guidance on some key issues could have been provided by DCS and DPE in the two years after the Grenfell Tower fire. This may have reduced confusion and inconsistency across local councils we audited, and in some NSW Government departments. This especially relates to the application of the Fair Trading Commissioner's product use ban.

Given the inherent risks posed by combustible external cladding, buildings initially assessed as low-risk may also still warrant further action.

While most high-risk buildings have likely been identified, poor information handling makes it difficult to keep track of all buildings from identification, through to risk assessment and remediation.

What we recommended

DCS and DPE should:

1. address the confusion surrounding the application of the Commissioner for Fair Trading's product use ban for aluminium composite panels with polyethylene content greater than 30 per cent
2. develop an action plan to address buildings assessed as low-risk
3. improve information systems to track all buildings from identification through to remediation.

NSW Government's response to the risks posed by combustible external cladding

The NSW Government first became aware of the potential heightened risks posed by combustible external cladding on building exteriors after the 2014 Lacrosse Tower fire in Melbourne. However, it was the tragic loss of life from the Grenfell Tower fire in London, in June 2017, that gave added urgency to the need to address these risks.

Within six weeks of the London fire, the NSW Government committed to a ten-point plan of action for NSW to:

• identify and remediate any buildings with combustible external cladding
• ensure that regulation prevented the unsafe use of such cladding
• ensure that experts involved in providing advice and certifying fire safety measures had the necessary skills and experience.

One of the actions in the ten-point plan was the creation of the NSW Government's Fire Safety and External Wall Cladding Taskforce (the Cladding Taskforce) chaired by the Department of Customer Service (DCS) and with the Department of Planning and Environment (DPE) as a key member.

The ten-point plan also specified that NSW Government departments would be responsible, in regard to buildings they owned to '…audit their buildings and determine if they have aluminium cladding'.

Local councils play a key role in implementing the Government's reforms, given their responsibilities and powers under the Environmental Planning and Assessment Act 1979 (EPA Act) and Local Government Act 1993 (Local Government Act) to approve building works (as 'consent authorities'), as well as to ensure fire safety standards are met. DPE plays an equivalent role for a smaller number of 'State Significant Developments' for which it is the consent authority under delegation from the Minister for Planning.

Commissioner for Fair Trading's building product use ban

On 18 December 2017, the Building Products (Safety) Act 2017 (BPS Act) came into effect in NSW, introducing new laws to prevent the use of unsafe building products. Notably, the BPS Act gave the Secretary of DCS and the Commissioner for Fair Trading the power to ban unsafe uses of building products.

After an extensive consultative process, the Commissioner for Fair Trading used these powers to issue a product use ban on 15 August 2018. This banned the use of external wall cladding of aluminium composite panels with a core comprised of more than 30 per cent polyethylene by mass on new buildings, unless the proposed use was subject to independent fire propagation testing of the specific product and method of application to a building in accordance with relevant Australian Standards.

Buildings occupied before the product use ban came into force are not automatically required to have the banned product removed. Under the BPS Act, consent authorities may determine necessary actions to eliminate or minimise the risk posed by the banned material on existing buildings.

Project Remediate

Project Remediate is a three-year NSW Government program announced in November 2020. The program was designed by the NSW Government to assist building owners of multi-storey apartments (two storeys or more) with high-risk combustible cladding to remediate their building to a high standard and for a fair price.

The scheme is voluntary and includes government paying for the interest on ten-year loans, as well as incorporating assurance and project management services to provide technical and practical support to owners’ corporations and strata managing agents. Building remediations under the program are expected to commence in 2022.

About this audit

This audit assessed whether DCS and DPE effectively led reforms to manage the fire safety risk of combustible external cladding on existing residential and public buildings.

In making this assessment, we considered whether the expressed policy intent of the NSW Government's ten-point plan for fire safety reform had been achieved by asking:

• are the fire safety risks of combustible external cladding on existing buildings identified and remediated?
• is there a comprehensive building product safety scheme that prevents the dangerous use of combustible external cladding products on existing buildings?
• is fire safety certification for combustible external cladding on existing buildings carried out impartially, ethically and in the public interest by qualified experts?

Consistent with the focus of the Cladding Taskforce on multi-storey residential buildings and public buildings, the scope of our audit is limited to buildings categorised under the Building Code of Australia (BCA) as class 2, 3 and 9. These classes are defined in detail in section 1.2, but include: multi-unit residential apartments, hotels, motels, hostels, back-packers, and buildings of a public nature, including health care buildings, schools, and aged care buildings. The scope was also limited to existing buildings, which is defined as buildings occupied by 22 October 2018.

Auditees

The Department of Customer Service chairs the NSW Government's Cladding Taskforce, which is responsible for coordinating the combustible external cladding reforms. The Commissioner of Fair Trading sits within DCS and DCS regulates the industry accreditation scheme for fire safety practitioners, as well as administering the BPS Act.

The Department of Planning and Environment administers the EPA Act and the Environmental Planning and Assessment Regulation 2000 (EPA Regulation), which regulate the building development process. As well as being the delegated consent authority for State Significant Developments, DPE is also responsible for maintaining the mandatory cladding register requiring building owners of multi-storey (BCA class 2, 3 or 9) buildings to register buildings with combustible external cladding on an online portal.

Functions and responsibilities between DCS and DPE varied over time. For example, in October 2019, the DPE building policy team responsible for co-ordinating the DPE response to the combustible cladding issue was transferred to DCS, following changes to agency responsibilities resulting from machinery of government changes. DPE advised this resulted in a lessening of DPE's subsequent policy work on combustible cladding and its involvement in the Cladding Taskforce.

While the focus of the audit was on the oversight and coordination provided by DCS and DPE, nine councils were also auditees for this performance audit. Councils play an essential part as consent authorities for building development approvals in NSW, as well as having responsibilities and powers to ensure fire safety standards. To fully understand how well their activities were overseen and coordinated, a sample of councils was included as auditees.

Nine councils were selected to represent both metropolitan and regional areas, noting that there are very few in-scope buildings in rural areas. The audited councils were:

• Bayside Council
• City of Canterbury Bankstown Council
• Cumberland City Council
• Liverpool City Council
• City of Newcastle Council
• City of Parramatta Council
• City of Ryde Council
• City of Sydney Council
• Wollongong City Council.

Terminology

The two NSW Government department auditees have, over time, been subject to machinery of government changes, which have changed some of their functions and what the departments are called.

Relevant to this audit, the effect of these changes has been:

• the Department of Finance, Services, and Innovation (DFSI) became the Department of Customer Services (DCS) on 1 July 2019
• on 1 July 2019, the Department of Planning and Environment became the Department of Planning, Industry, and Environment (DPIE)
• on 21 December 2021, DPIE became the Department of Planning and Environment (DPE).

To avoid confusion, we use the titles by which these departments are known at the date of this report: the Department of Customer Service and the Department of Planning and Environment.

This chapter considers the part played by DCS and DPE as key members of the Cladding Taskforce in ensuring that buildings with combustible external cladding were effectively identified and remediated through processes implemented by:

• local councils or DPE, where those bodies were consent authorities under the EPA Act for the relevant buildings
• in the case of NSW Government buildings, the departments that owned those buildings.

This chapter considers what has been done to deliver a comprehensive building product safety scheme that prevents the dangerous use of combustible external cladding products.

This chapter considers whether reforms have ensured that only people with the necessary skills and experience are certifying buildings and signing off on fire-safety.

Inspections of existing buildings and development of any subsequent action plans to address combustible external cladding are not activities covered by accreditation or registration schemes for building certifiers

Almost all the risk assessment and remediation work done on buildings in the scope of this audit have been undertaken under fire safety orders issued by consent authorities using their powers under the EPA Act. This has been the recommended approach by DPE and DCS since at least 2016 (that is, before the Grenfell Tower fire in London).

While there have been reforms to certifier registrations scheme, these were not intended to ensure that combustible cladding-remediation on existing buildings is supported by people with the necessary skills and experience in fire safety under the fire safety order process. Instead, they are focused on offering better assurance for work done in respect to new building projects where accredited experts certify that building work is carried out in accordance with BCA under the DCS managed certifier registration schemes.

No steps have been taken to ensure the quality of the work done by experts inspecting, assessing the fire risk and developing action plans to address combustible external cladding on existing buildings, other than where consent authorities have chosen to exercise their discretion. This includes requiring fire safety experts to be appropriately qualified and requiring peer review of some cladding risk assessments and remediation plans.

Consent authorities determine whether individuals with accreditation are required for combustible cladding inspection, risk assessments and remediation on existing buildings

Whether an individual with certifier accreditation participates in a cladding inspection, risk assessment, or remediation for an existing building will be determined by what councils as consent authorities specify in their fire safety orders unless building owners opt to use such experts without being directed to do so by the consent authority.

As discussed earlier, councils acting as consent authorities vary in whether they require building owners to engage individuals with certifier accreditation. In most of the councils we audited, A1 or C10 accredited experts were either required, or recommended, to perform functions such as auditing suspected combustible cladding, or conducting fire safety risk assessments and developing plans to rectify combustible cladding.

However, these types of work are not functions covered by the accreditation or registration schemes that apply to building and development certifiers.

Certifier accreditation schemes do not cover cladding remediation work done under fire safety orders

While councils may require or recommend that independent accredited A1 or C10 certifiers be engaged by building owners for cladding risk assessment and remediation, they are not performing those functions as certifiers — they are, in effect, more akin to expert consultants. Accordingly, how they perform their functions and duties is not covered by the legislation supporting the accreditation scheme for certifiers that was operated until July 2020 by the Building Professional Board.

Instead, their use in this process is a convenient and practical way for consent authorities to ensure that building owners use appropriate experts who have the qualifications, skills and experience needed to investigate and identify combustible cladding, and then to formulate appropriate action to deal with such cladding. However, these individuals are not performing regulated or accredited work, are not subject to regulatory oversight, and are not accountable to any accreditation body for the quality of the work they perform.

While councils could (and sometimes do) choose to decline poor quality or incomplete cladding-related work prepared by A1 or C10 certifiers, the burden of resolving poor quality would fall on the building owner, who would have to seek amended or additional risk assessments or rectification plans.

In the absence of regulatory oversight, disincentives for poor quality cladding-related work, may include litigation being commenced by the property owner, harm to the expert's reputation in a small and competitive market, and the potential impact on whether the individual could retain their professional indemnity insurance at a reasonable cost (especially in an environment when many insurance providers withdrew coverage for cladding related work).

Reforms impact on regulated experts doing work on new buildings

The reforms that commenced on 1 July 2020, replaced categories of accreditation with classes of registration, and varied the classes such that:

• accredited building surveyor category A1 became registered building surveyor-unrestricted
• accredited certifier—fire safety engineer category C10 became registered certifiers-fire safety.

The legislation that introduced these reforms, the Building and Development Certifiers Act 2018, also repealed the pre-existing Building Professionals Act 2005 and abolished the Building Professionals Board. The new Act was accompanied by the Building and Development Certifiers Regulation 2020.

While the scope of this audit is limited to existing buildings, we note that there are buildings with combustible external cladding that are yet to be remediated. Just as these processes previously drew on the expertise of A1 and C10 category certifiers, it seems inevitable that the remediation of existing buildings will continue to draw on the expertise of the equivalent new classes of registered building surveyor-unrestricted and registered certifier-fire safety.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #364 - released 13 April 2022.

What the report is about

This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.

The audit assessed the design and implementation of the program.

What we found

The program design was based on research and data showing learning loss during 2020. 

The department rapidly planned and developed the policy design and guidelines for schools. 

Governance arrangements matured during program delivery.

The department changed the models for funding schools but did not clearly explain the reasons for doing so.

Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools. 

Guidelines, resources and professional learning helped schools implement the program.

Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas. 

Online tuition and third-party provider options were developed throughout the program.

There were issues with the quality and timeliness of data used to monitor school progress. 

Evaluation arrangements were developed early in the program.

Data limitations mean the evaluation will not be able to fully assess all program objectives.

What we recommended

1. Distributing funds between schools more equitably and improving communication of the funding methods. 
2. Clearer communication about the intended targeted group of students.
3. Reviewing the time needed to administer the program.
4. Improve support for educators other than qualified teachers.
5. Offer the online tuition program to more schools.
6. Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
7. Working with universities to increase use of pre-service teachers in the program.

The report also identifies lessons learned for future programs.
 

The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:

• $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
• $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.

The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):

• effectively designed the program and supporting governance arrangements
• is effectively implementing the program.

This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.

This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.

This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #358 - released (15 December 2021).

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020. 

The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications. 

DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:

• deliver jobs
• progress to the next stage of development within six months of determination
• deliver public benefit.

The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.

What we found

Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.

Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.

DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19. 

Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments. 

What we recommended

DPIE should:

• strengthen controls over conflicts of interest 
• evaluate the Fast-tracked Assessment Program.

In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.

In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:

• deliver jobs – particularly in the construction industry
• be capable of progressing to the next stage of development within six months of determination
• deliver public benefit.

At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.

This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.

Appendix one – Response from agency

Appendix two – Planning determination pathways

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #354 - released (27 July 2021).

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).