This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no matters in this report impacting the Total State Sector Accounts we have decided to break with normal practice and table this report ahead of the ‘Report on State Finances’.

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.

What we found

Internal control trends

The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.

Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).

Information technology

We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access which affected 82 per cent of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.

Policies, processes and definition around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action taken to address the root cause of incidents.

Conflicts of interest

Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.

Masterfile management

Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.

Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.

Tracking recommendations

Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.

What we recommended

Agencies should:

• prioritise actions to address repeat control deficiencies, particularly those that have been repeated findings for a number of years
• prioritise improvements to their cyber security and resilience as a matter of urgency
• formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

The scope of this year's report covers 25 general government sector agencies. Last year's report covered 40 agencies within the total state sector. For consistency and comparability, we have adjusted the 2020 results to include only the agencies remaining within scope of this year's report. Therefore, the 2020 figures will not necessarily align with those reported in our 2020 report.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security planning and governance arrangements.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' conflicts of interest management processes.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency's management of supplier and employee masterfiles.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' processes to track and monitor the implementation of recommendations from performance audits and public inquiries.

What the report is about

The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.

The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.

Larger machinery of government changes typically occur after an election or a change of Premier.

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.

What we found

The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.

DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.

The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.

Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.

What we recommended

DPC and NSW Treasury should:

• consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
• provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
• progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.

The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.

The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.

The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.

The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.

Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.

In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.

This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:

• DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
• DPIE and DRNSW can demonstrate the costs of the machinery of government changes
• The machinery of government changes have achieved or are achieving intended outcomes and benefits.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #359 - released (17 December 2021).

What the report is about

This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.

The audit assessed the design and implementation of the program.

What we found

The program design was based on research and data showing learning loss during 2020. 

The department rapidly planned and developed the policy design and guidelines for schools. 

Governance arrangements matured during program delivery.

The department changed the models for funding schools but did not clearly explain the reasons for doing so.

Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools. 

Guidelines, resources and professional learning helped schools implement the program.

Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas. 

Online tuition and third-party provider options were developed throughout the program.

There were issues with the quality and timeliness of data used to monitor school progress. 

Evaluation arrangements were developed early in the program.

Data limitations mean the evaluation will not be able to fully assess all program objectives.

What we recommended

1. Distributing funds between schools more equitably and improving communication of the funding methods. 
2. Clearer communication about the intended targeted group of students.
3. Reviewing the time needed to administer the program.
4. Improve support for educators other than qualified teachers.
5. Offer the online tuition program to more schools.
6. Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
7. Working with universities to increase use of pre-service teachers in the program.

The report also identifies lessons learned for future programs.
 

The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:

• $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
• $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.

The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):

• effectively designed the program and supporting governance arrangements
• is effectively implementing the program.

This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.

This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.

This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #358 - released (15 December 2021).

This report analyses the results of our audits of the Premier and Cabinet cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Premier and Cabinet cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Premier and Cabinet cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The number of monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.

The Library Council of New South Wales corrected a prior period error of $325 million. In 2017, the council split its collection assets into six asset classes, but not the related asset revaluation reserves. To correct this error, some revaluation decrements previously recognised in asset revaluation reserves were reclassified to accumulated funds.

Eight agencies did not complete all of the mandatory early close procedures.

What the key issues were

The Premier and Cabinet cluster was impacted by three Machinery of Government (MoG) changes during 2020–21.

The changes resulted in the transfer of activities and functions in and out of the cluster and the creation of a new entity - Investment NSW.

The transferor entities continued to provide services to Investment NSW subsequent to 30 June 2021. There were no formal service level agreements in place for the provision of these services.

The New South Wales Electoral Commission (the Commission) and Sydney Opera House Trust obtained letters of financial support from their relevant Minister and/or NSW Treasury in 2020–21. The postponement of local government elections impacted the Commission's operations due to increased planned expenditure to support a COVID-safe election. Sydney Opera House Trust's ability to generate revenue was impacted due to the closure of the Concert Hall partly due to COVID-19 and planned renovations.

The number of repeated audit issues raised with management and those charged with governance increased from 22 in 2019–20 to 24 in 2020–21.

There were 47 moderate risk and 28 low risk findings identified. Of the total findings there were 24 repeat issues.

What we recommended

Investment NSW should ensure services received from other agencies are governed by service level agreements.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Education cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Education cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Education cluster (the cluster) agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued on the Department of Education (the department), the NSW Education Standards Authority and the NSW Skills Board's financial statements.

An 'other matter' paragraph was included in the Technical and Further Education Commission's (the TAFE Commission) audit opinion drawing attention to legislative non-compliance concerning financial delegations during the reporting year.

The number of misstatements identified in the financial statements of cluster agencies decreased from 14 in 2019–20 to seven.

What the key issues were

The department and the TAFE Commission revalued their land assets this year, recognising collective increases of $863.8 million.

The department and the TAFE Commission are not scheduled to perform comprehensive revaluations of their buildings until 2022–23. Construction costs, which are a key input in their current replacement cost valuation methodologies for buildings, may have increased by an estimated nine per cent since the last comprehensive revaluation in 2017–18 based on broad based indices used by the department and the TAFE Commission. While the estimated index increase indicates the fair value of buildings may exceed the carrying values, the use of such high-level indicators has a degree of estimation uncertainty due to the specialised nature of the assets. Therefore, both agencies did not adjust the values of their buildings.

The number of issues we reported to management decreased. Fifty per cent of issues were repeated from prior years.

Of the 11 newly identified moderate rated issues, seven related to internal control deficiencies, with six identified in procurement and payroll controls.

What we recommended

The department and the TAFE Commission reconsider policy settings governing the frequency of revaluations; and refine and consider the outcomes of interim fair value assessments to ensure asset carrying values reflect fair value at each balance date.

Cluster agencies should prioritise and action recommendations to address internal control deficiencies.

This report provides Parliament and other users of the Education cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Education cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Education cluster.

Findings reported to management

The number of findings reported to management has decreased. Fifty per cent of all issues were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 28 findings raised across the cluster (33 in 2019–20). Fifty per cent of all issues were repeat issues (45 per cent in 2019–20).

The most common repeat issues related to weaknesses in controls over information technology general controls, application controls, and identified deficiencies in procurement and payroll practices.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

The department continues to address recommendations to improve monitoring of privileged user access

Privileged users have higher levels of access to systems, and in some instances, may include access that can bypass segregation of duty controls. If reviews of access logs are not fully embedded in the control environment, the risk of unauthorised transactions occurring and not being detected in a timely manner is elevated.

In 2019–20 a high-risk issue was reported at the department relating to the inadequate monitoring and follow up of privileged user activity in its enterprise resource planning system – SAP. This year the department has largely addressed our findings by initiating a review of the identified instances of privileged user activity and establishing periodic oversight controls. There remains a need to improve the timeliness and completeness of these newly implemented controls.

Data analytics identified the root cause of internal control deficiencies in procurement and payroll

Our 2020–21 agency management letters identified seven new moderate risk internal control deficiency matters, of which six related to payroll and procurement.

To enhance our financial statement audit of the department we applied data analytics over elements of the department's procurement and payroll control processes. Our procedures, conducted over periods across the financial year, helped identify the following:

• a low level of compliance with procurement practices requiring the creation of purchase orders before invoices are received. The root cause was a lack of understanding by agency staff of the procurement processes
• transactions related to previous years being recorded in the current year. The root cause was a lack of understanding of the three-way matching process and the goods received/not invoiced facilities within SAP
• negative payments in fortnightly pay runs, predominantly representing deductions to recover salary payments made in error. The root cause was the lack of timeliness in notifying payroll for cessation of employment, or for employees undertaking secondments who should have been classified as being on leave without pay.

Appendix one – Early close procedures

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

• enhance the coordination of climate risk management across agencies
• implement climate risk management across their clusters.

DPIE should:

• update information and strengthen education to agencies, and monitor progress
• review relevant land-use planning, development and building guidance
• deliver a climate change adaptation action plan for the state.

NSW Treasury should:

• strengthen climate risk-related guidance to agencies
• coordinate guidance on resilience in infrastructure planning
• review how climate risks have been assured in agencies’ asset management plans.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

• use robust climate projection information to understand the potential climate impacts
• undertake sound climate risk assessments, within an enterprise risk management framework
• implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Appendix one – Response from agencies

Appendix two – Timeline of key activities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #355 - released (7 September 2021).

What the report is about

This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020. 

The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications. 

DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:

• deliver jobs
• progress to the next stage of development within six months of determination
• deliver public benefit.

The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.

What we found

Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.

Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.

DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19. 

Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments. 

What we recommended

DPIE should:

• strengthen controls over conflicts of interest 
• evaluate the Fast-tracked Assessment Program.

In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.

In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:

• deliver jobs – particularly in the construction industry
• be capable of progressing to the next stage of development within six months of determination
• deliver public benefit.

At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.

This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.

Appendix one – Response from agency

Appendix two – Planning determination pathways

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #354 - released (27 July 2021).

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the planning and delivery of new, redeveloped and upgraded public schools.

School Infrastructure NSW has identified the need to accommodate an additional 180,000 enrolments in public schools by 2039 with a large portion of this growth expected in metropolitan Sydney. It has also identified that around 34,000 teaching spaces will require upgrading to be fit-for-purpose.

Although School Infrastructure NSW has developed a long-term strategic plan that advises government of ongoing funding requirements, it has not presented a list of priorities to meet those needs. Developing a longer-term list of priorities would help signal the areas of greatest need and allow more time to develop the best options to meet those needs.

The audit found that School Infrastructure NSW has focused on delivering existing projects, election commitments and other government announcements. This has diverted attention from identifying and delivering projects that would have better met present and future needs. 

The report makes eight recommendations to improve long-term planning for future needs, strengthen the quality of estimated project costs and benefits, and embed a continuous improvement program. 

In 2016, the Department of Education prepared a School Assets Strategic Plan (2016 SASP) which outlined long-term funding needs to support the expected growth in enrolments to 2031. Following the release of the 2016 SASP, the NSW Government substantially increased funding for new and upgraded schools from $2.4 billion in the 2016–17 State Budget to $4.2 billion in 2017–18.

In 2017, the Department of Education established School Infrastructure NSW (SINSW) to lead the delivery of the 2016 SASP and the 123 new projects announced in the 2017–18 Budget. This significantly larger program of work required rapid development of internal capacity, governance arrangements, and project management systems. This needed to be done at the same time as scoping and planning for the list of announced projects.

As there are limited funds available to meet growing needs across the State, it is important that SINSW has effective methods to prioritise projects to communities with the greatest need. To ensure that projects deliver value for money, business cases need to have robust estimates of project costs and benefits. Business cases also need to account for the inherent risks in delivering infrastructure projects. Unplanned cost escalations can reduce the number of new or modernised classrooms SINSW can deliver. Unforeseen delays may also impact families who make significant life choices based on their expectations that a school will open at the beginning of the school year.

The objective of this audit was to assess the effectiveness of planning and delivery of new, upgraded and redeveloped schools to meet demand for public school education in New South Wales. To address this objective, the audit examined whether the Department:

• has effective procedures for planning and prioritising school capital works to meet present and future demands
• develops robust business cases for school capital works that reliably inform decision-making
• has effective program/project governance and management systems that support delivering projects on-time, within budget and achievement of intended benefits.

The audit examined business cases for 12 projects as case studies. These include a mix of projects initiated before and after the establishment of SINSW.

This audit commenced in June 2020 and examined strategies and demographic projections developed prior to the emergence of COVID-19. This audit did not examine potential longer-term impacts of COVID-19 on future demands for public school education.

1. Key findings

SINSW delivered projects against an established program of works in its first years of operation

At establishment, SINSW inherited a portfolio of existing projects and 123 new projects announced as part of the 2017–18 Budget (to commence over 2017–18 and 2018–19). It has progressively worked through individual project planning to deliver against these projects.

The 2018–19 Budget funded two new projects that had not already been announced. Both projects were identified by SINSW as a priority. The 2018–19 Budget also allocated funding for 'planning' 22 new projects. Seventeen of the 22 projects had been identified by SINSW as a priority.

SINSW identified 31 new priority projects in its Capital Investment Plan for 2019–20. Thirteen of these projects were funded in that year with a further 27 projects included as election commitments. SINSW identified 20 new projects in its Capital Investment Plan for 2020–21 but only two of these were funded. SINSW advised this was due to a constrained budget environment.

There is an anticipated shortfall of classrooms based on the current funded program

Despite increased funding since 2017–18, SINSW advised the NSW Government in early 2020 that the currently funded infrastructure program would not meet forecast classroom requirements for 2023 and beyond. Accordingly, it is vital that new funding is prioritised to projects which best meet demand.

SINSW only identified specific priorities over a two-year horizon in its Capital Investment Plans for 2018–19, 2019–20 and 2020–21. The School Assets Strategic Plan 2016 and the 2020 update make the case for sustained funding for school building and redevelopment. These plans estimate annual funding requirements and show geographic areas with increasing forecast enrolments. Detailing how priorities over a ten-year timeframe fit within a ten-year capital planning limit would create more certainty about meeting growth demands.

There has been progress in formalising prioritisation frameworks, data tools and supporting governance arrangements

SINSW committed to planning for new and redeveloped schools in 'School Community Groups' in the School Assets Strategic Plan 2016. This is a new way of planning which considers the educational needs over a defined geographical area. It has developed a planning tool to prioritise School Community Groups based on weighted criteria. It has also established governance frameworks to improve transparency over decisions to reprioritise this list.

SINSW has refined its approach to planning in School Community Groups over the past four years. It now prepares Service Needs Reports to investigate needs, identify projects, prioritise, determine scope and timing, and assess non-capital options. SINSW has yet to finalise arrangements for how needs identified in Service Needs Reports progress to the strategic business case stage.

Projects announced prior to developing a business case have less opportunity to consider a range of options to meet the service needs

Business cases for projects already announced by government (or announced for planning) go through the same process of determining the service need and impacts on surrounding schools. However, for some announced projects, the range of options considered in the business case is influenced by the parameters of the announcement. This makes it more difficult to genuinely pursue alternate options that could better meet the identified service need.

Projects identified by SINSW have a more rigorous process of considering options. Service Needs Reports explore a wide range of asset and non-asset interventions across the School Community Group. Options are narrowed as the projects move through the strategic and final business case stages. SINSW uses its Investment Review Committee to engage key stakeholders early in the process so that they are informed about how non-asset solutions have been considered and why SINSW is progressing the business case for a capital solution for particular projects.

Several business cases underestimated project costs and risks, leading to scope and budget increases

Several business cases we reviewed did not adequately identify the initial scope requirements, project-specific risks or the likely project cost. For two business cases, this appeared to be due to an attempt to fit the project within a predetermined amount. Announcing a project’s scope, budget and timeframe before proper planning increases risks to successful delivery against expectations.

Several of the projects we examined required drawdowns on contingency funds due to inadequate consideration of scope, costs and project risks at the planning stage. Contingency funds are intended for unanticipated extra costs rather than those that could have or should have been identified at the planning stage.

Guidance on benefit calculations has provided a consistent framework for business cases

Business cases we examined presented a consistent set of benefits based on guidance developed in partnership with NSW Treasury. Following this guidance helps to compare cost-benefit analyses across business cases. However, the evidence for the estimated benefits is based on contexts outside of NSW. SINSW has the tools and data sources to calculate benefits more suited to the context of particular schools. Doing so would improve the accuracy of cost-benefit analyses. SINSW advised that it is currently updating the guidance in partnership with NSW Treasury.

SINSW involves school principals, executives and teaching staff in developing education rationales when commencing projects. These documents help align projects with education outcomes. They also provide a baseline for post-occupancy evaluation, which is important to determine whether the new school infrastructure is being used in the ways that were anticipated in the business case.

SINSW could elevate its existing assurance review process to consolidate lessons learned

SINSW engages external peer reviewers to conduct assurance reviews on its projects at multiple stages of planning and delivery. It has established a Community of Practice for external reviewers to keep them up to date on new developments and requirements. Higher value projects are also subject to review by Infrastructure NSW under the Investor Assurance Framework.

By looking at all projects at all stages, assurance reviews can identify systematic issues across the full portfolio of projects. A recent assurance review analysed common findings from reviews of strategic and final business cases. This provides a helpful way to improve internal processes. SINSW advised that it is implementing a continuous improvement program, which will be able to take findings from assurance reviews to build organisational capabilities.

2. Recommendations

By September 2021, the Department of Education should:

1. finalise the investment prioritisation approach with agreement from key stakeholders
2. finalise and update on an ongoing basis a ten-year list of priorities to meet the forecast demand for new classrooms and contemporary fit for purpose learning environments, which identifies individual projects and programs in the short-term and priority geographic areas and programs in the medium-term
3. seek a ten-year Capital Planning Limit from NSW Treasury to ensure the needs identified in the ten-year list of priorities are met and are coordinated with the forward capital programs of other agencies
4. improve the quality of data on cost benchmarks that underpin the annual ten-year Capital Investment Plan and updates to the School Assets Strategic Plan
5. embed an evidence-based cost benefit analysis framework for school investment, in consultation with NSW Treasury, by:
   • validating benefits estimated in previous business cases with actual results
   • building the evidence base in relation to contemporary learning environments
6. regularly share data on forecast needs with relevant planning agencies to promote strategic opportunities for servicing education needs
7. implement the continuous improvement program for service planning, options assessment, business case development, project delivery and handover. The program should be informed by findings from assurance reviews, post-occupancy evaluations and project lessons learned
8. establish benefits realisation processes and practices that:
   • ensure business cases set baselines and targets for benefits
   • review benefits during delivery, prior to handover and as part of Post Occupancy Evaluations
   • identify which part(s) of the Department are best placed to develop, manage and evaluate benefits on an ongoing basis.

There have been significant increases in funding for education infrastructure since the 2017–18 Budget and further growth in demand for places in schools is forecast. SINSW has the challenge, not only of meeting the need for new classrooms due to population growth, but also upgrading facilities to enable modern teaching techniques. In addition, community expectations of what constitutes a vibrant and successful school community continues to increase.

Given growing demand and budget constraints, projects must be selected to best meet the needs of the community and planning and prioritisation are vital. SINSW has been progressing planning for announced projects as well as implementing a new type of strategic state-wide planning and prioritisation, cluster planning, where options are developed for School Community Groups.

The primary role of a business case is to reliably inform an investment and/or policy decision. Over the period of review, the NSW Government's guidelines for business cases have established this requires recommendations based on convincing arguments, sufficient evidence, and accurate costing of alternatives and expected benefits. Business case guidelines are underpinned by guides for economic appraisal and cost-benefit analysis.

As SINSW moves to prioritise business cases for interventions in School Community Groups, it will increasingly need to demonstrate rigour in its assessment of all options. It will also need to ensure that scope identification, cost and risk planning and the setting of contingencies are accurate. This will help decision-makers better understand, plan for and manage the investment required to meet the demand for school infrastructure.

For this audit, we examined business cases and related documentation for 12 projects. Several of these projects were developed before School Infrastructure NSW was established in mid-2017.

Over the period of review, NSW Government policies for business case development and submission have emphasised that effective governance arrangements are critical to a proposal's successful implementation.

SINSW's guidance similarly highlight the importance of effective governance and project management for achieving good outcomes. It prescribes a general governance structure managed by SINSW that can be tailored to the planning and delivery of school infrastructure projects.

Appendix one – Response from agency
 
Appendix two – About the audit 

Appendix three – Performance auditing 

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #347 - released (8 April 2021).

Auditor-General’s Report to Parliament on Delivering School Infrastructure 

This corrigendum has been prepared to amend the following text within my Auditor-General’s Report to Parliament on Delivering School Infrastructure, dated 8 April 2021. 

On page two, the original text was as follows: 

Further NSW Government announcements in the 2018–19 Budget and election commitments in the 2019–20 Budget made up the majority of new projects, rather than projects prioritised by SINSW. 

The original text has now been changed to 

Further NSW Government announcements in the 2018–19 Budget, election commitments in the 2019–20 Budget, and announcements in the 2020–21 Budget, made up the majority of new projects, rather than projects prioritised by SINSW. 

On page three, the original text was as follows: 

The 2018–19 Budget funded three new projects that had not already been announced. One of the three projects was identified by SINSW as a priority. 

The original text has now been changed to: 

The 2018–19 Budget funded two new projects that had not already been announced. Both projects were identified by SINSW as a priority. 

On page three the original text was as follows: 

SINSW identified 33 priority projects in its Capital Investment Plan for 2019–20.

The original text has now been changed to  

SINSW identified 31 new priority projects in its Capital Investment Plan for 2019–20. 

On page eleven, in Exhibit 4, the original text was as follows: 

The 2018–19 NSW Budget announced funding for an additional 43 new and upgraded schools to commence works in 2018–19. Of the 43 projects: 

•    1 was identified by SINSW as a priority in its Capital Investment Plan (SINSW requested funding for one new project)
•    40 had already been announced
•    2 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).

The original text has now been changed to: 

The 2018–19 NSW Budget announced funding for an additional 42 new and upgraded schools to commence works in 2018–19. Of the 42 projects: 

•    2 were identified by SINSW as a priority in its Capital Investment Plan (SINSW requested funding for two new projects)
•    40 had already been announced.

On page eleven, the original text was as follows: 

The 2019–20 NSW Budget announced funding for an additional 40 new and upgraded schools as election commitments. Of the 40 election commitment projects: 

•    13 were identified by SINSW as priorities in its Capital Investment Plan (SINSW requested funding for a total of 33 new projects)
•    27 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).

The original text has now been changed to: 

The 2019–20 NSW Budget announced funding for an additional 40 new and upgraded schools as election commitments. Of the 40 election commitment projects: 

•    13 were identified by SINSW as priorities in its Capital Investment Plan (SINSW requested funding for a total of 31 new projects)
•    27 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).

The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.  

This report outlines the results of audits of the financial statements of agencies now grouped in the NSW Planning, Industry and Environment cluster.

Unqualified audit opinions were issued for 56 of the 66 cluster agencies’ 30 June 2019 financial statements. Ten audits remain incomplete. The cluster agencies need to improve the timeliness of financial reporting. 

The Audit Office continued to identify issues regarding unprocessed Aboriginal land claims and the recognition of Crown land. ‘Auditor-General’s reports to parliament have recommended action to reduce the level of unprocessed land claims since 2007. However, the number of unprocessed claims continued to increase’, Margaret Crawford said.

One in five internal control findings were repeat issues. Key themes included information technology, asset management and improvements required to expense and payroll controls.

The report makes several recommendations including:

• Property NSW should urgently address the deficiencies in the lease data used to calculate the impact of the new leasing standard effective from 1 July 2019
• the Department of Planning, Industry and Environment should prioritise action to reduce unprocessed Aboriginal land claims
• the Department of Planning, Industry and Environment should ensure the Crown land database is complete and accurate so state agencies and local government councils are better informed about the Crown land they control.

This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2019. The table below summarises our key observations.

1. Machinery of Government changes

2. Financial reporting

3. Audit observations

This report provides parliament and other users of the Planning, Industry and Environment cluster agencies financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

This cluster was created by the Machinery of Government changes on 1 July 2019. This report is focused on agencies in the Planning, Industry and Environment cluster from 1 July 2019. However, these agencies were all in other clusters during 2018–19. Please refer to the section on Machinery of Government changes for more details.

Machinery of Government (MoG) refers to how the government organises the structures and functions of the public service. MoG changes are where the government reorganises these structures and functions that are given effect by Administrative orders.

The MoG changes, announced following the NSW State election on 23 March 2019, created the Planning, Industry and Environment (PIE) cluster. The Administrative Changes Orders issued on 2 April 2019, 1 May 2019 and 28 June 2019 gave effect to these changes. These orders became effective on 1 July 2019.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our audit observations and insights from our financial statement audits of agencies in the Planning, Industry and Environment (PIE) cluster for 2019. In this chapter, the Department of Planning, Industry and Environment is referred to as DPIE, the former Department of Planning and Environment as DPE, and the former Department of Industry as DOI.

Appendix one – List of 2019 recommendations

Appendix two – Status of 2018 recommendations

Appendix three – Cluster agencies

Appendix four – Financial data

Appendix five – Management letter findings

Appendix six – Timeliness of financial reporting

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.