Refine search Expand filter

Reports

Published

Actions for Government advertising 2022-23

Government advertising 2022-23

Finance
Transport
Whole of Government
Compliance
Management and administration
Procurement

About this report

The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit of the activities of one or more government agencies in relation to government advertising campaigns in each financial year.

This year, we examined two campaigns run by Transport for New South Wales (TfNSW) - 'Don't trust your tired self' (DTYTS) and 'Saving lives on country roads' (SLCR).

The audit assessed whether they were carried out effectively, economically, and efficiently, and complied with regulatory and policy requirements.

Audit findings

The DTYTS campaign complied with all requirements set out in the Act, the Regulation, and Government Advertising Guidelines - except for the requirement to complete an approved and complying cost-benefit analysis (CBA), as per the Guidelines.

The campaign had a clear target audience. It achieved many of its stated objectives and other performance measures and represented an economical and efficient spend.

However, TfNSW has not measured the campaign's long-term impact and this, combined with the lack of a complying CBA, meant that TfNSW could not confidently demonstrate the campaign's effectiveness.

The SLCR campaign (which commenced in 2017) was last run fully in 2021–22. TfNSW could have improved the formal documentation of its decision-making process when it cancelled the SLCR campaign.

TfNSW continued to run state-wide advertising campaigns – with regional components - to address road safety in regional NSW.

Recommendations

By 31 October 2024, TfNSW should implement processes that ensure:

  1. CBAs prepared for government advertising campaigns comply with the Government Advertising Guidelines
  2. long-term impacts of advertising campaigns are evaluated
  3. strategic and operational decision-making about advertising campaigns, such as starting, stopping or significantly changing a campaign, is well-documented and follows good practice.

 

The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements prohibit any political advertising and require a peer review and cost-benefit analysis to be completed before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and 2012 NSW Government Advertising Guidelines (the Guidelines) address further matters of detail.

Section 14 of the Act requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner and in compliance with the Act, the Regulation, other laws and the Guidelines.

This audit examined Transport for NSW's (TfNSW) advertising campaigns 'Don't Trust Your Tired Self' and 'Saving Lives on Country Roads' for the 2022–23 financial year.

TfNSW is the NSW Government agency responsible for leading the development of safe, integrated and efficient transport systems for the people of New South Wales.

The Don't Trust Your Tired Self (DTYTS) campaign, which cost $3.04 million in 2022–23, aimed to educate drivers on how to avoid driving tired and encouraged them to consider how tired they were before driving.

The Saving Lives on Country Roads (SLCR) campaign, which commenced in December 2017, aimed to encourage country drivers1 to re-think the common excuses used to justify their behaviour on the road. In early 2024, after the audit commenced, the Department of Customer Service (DCS) advised the audit team that TfNSW did not run the SLCR campaign in 2022–23. This was subsequently confirmed by TfNSW. Instead, the SLCR branding was used for the regional element of the state-wide drink driving campaign. As a result, this audit examined the reasons and decision-making process for its cancellation.

The SLCR campaign cost $3.11 million in 2021–22, the last full year in which it was run, and $17,038 in 2022–23.

This part of the report sets out key aspects of Transport for NSW's (TfNSW) compliance with the Government Advertising regulatory framework for Don't Trust Your Tired Self (DTYTS). It considers whether the agency complied with the:

  • Government Advertising Act 2011 (the Act)
  • Government Advertising Regulation 2018 (the Regulation)
  • NSW Government Advertising Guidelines 2012 (the Guidelines) and other relevant policy.

This part of the report considers whether Transport for NSW's (TfNSW) advertising campaign Don't Trust Your Tired Self (DTYTS) was carried out in an effective, efficient and economical manner.

This part of the report examines the cancellation of the Saving Lives on Country Roads (SLCR) campaign. It focuses on the decision-making process and evidence for the cancellation of this campaign following its last delivery in 2021–22. It also draws out key implications.

Appendix one – Response from agencies

Appendix two – About the campaigns

Appendix three – About the audit

Appendix four – Performance auditing
 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #396 released 25 June 2024.

Published

Actions for Driver vehicle system

Driver vehicle system

Transport
Finance
Cyber security
Information technology
Internal controls and governance
Project management
Service delivery

What this report is about

Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.

DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.

DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.

This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.

Audit findings

TfNSW has not effectively planned the replacement of DRIVES.

It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.

In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.

TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.

TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.

TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.

Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.

Audit recommendations

TfNSW should:

  • implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
  • ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
  • ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
  • ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
  • develop a clear statement of the future role in whole of government service delivery for the system
  • resolve key issues currently faced by the DRIVES replacement program including by:
    • clearly setting out a strategy and design for the replacement
    • preparing a specific business case for replacement.

The DRIver VEhicle System1 (often known as DRIVES) is the Transport for NSW (TfNSW) system which is used to manage over 6.2 million driver licences and over seven million vehicle registrations in New South Wales.

DRIVES first went live in 1991 and has been significantly extended and enhanced over the past 33 years. DRIVES is a significant NSW Government information system — containing personal information such as home addresses for most of the NSW adult population, sensitive health information such as medical conditions, and biometric data in photographs.

Service NSW, part of the Department of Customer Service, is the NSW Government's 'one stop shop' for services to NSW citizens and businesses. It uses DRIVES when it delivers many transport-related services to NSW citizens such as licence renewals and checks the identity information stored in DRIVES as part of other services delivered to NSW citizens, such as a 'working with children check'.

DRIVES supports TfNSW's regulatory functions and the collection of more than $5 billion in revenue annually for the NSW Government. The system is also used by many organisations outside of the NSW Government including commercial insurers and national regulators, as well as individual citizens who access DRIVES for services such as 'Renew my registration' or 'Book a driver knowledge test'.

TfNSW owns and manages DRIVES. It intends to replace DRIVES with a modernised system to improve its cost, performance, and security.

The objective of this performance audit was to assess whether TfNSW is effectively:

  • managing the current system, and 
  • planning to transition DRIVES to a modernised system.

The auditee is TfNSW. We have consulted with the Department of Customer Service as a key stakeholder during the audit process.

This part of the report considers whether Transport for NSW (TfNSW) is effectively managing the current system. It considers DRIVES’:

  • role in NSW Government service delivery
  • ease of use and appropriateness for a modern system
  • mechanisms to ensure the service is available for users.

This part of the report considers whether Transport for NSW (TfNSW) is effectively planning to transition DRIVES to a modernised system. It makes findings on the:

  •  effort to develop a business case to fund the replacement of DRIVES
  • issues which have contributed to the slow progress of the replacement program.

Published

Actions for Regional road safety

Regional road safety

Transport
Health
Community Services
Internal controls and governance
Management and administration
Project management
Risk

What this report is about

Around one-third of the state’s population lives in regional NSW, but deaths on regional roads make up around two-thirds of the state’s road toll.

Transport for NSW (TfNSW) is responsible for managing road safety outcomes across the NSW road network. This audit assessed the effectiveness of TfNSW’s delivery of road safety strategies, plans and policies in regional areas.

The NSW Road Safety Action Plan 2022–2026 has the stated goal of ‘no death or serious injury occurring on the road transport network’ by 2050.

What we found

There is a disproportionate amount of trauma on regional roads, but there are no specific road safety plans or trauma reduction targets for regional NSW.

TfNSW advises that the setting of state-wide road safety targets is consistent with other jurisdictions and international best practice. However, the proportion of road fatalities and serious injuries in regional NSW is almost the same as ten years ago.

There is no regional implementation plan to assist TfNSW to target the Road Safety Action Plan 2026 to regional areas.

TfNSW considers that local road safety outcomes should be managed by councils, but only 52% of regional councils participated in its Local Government Road Safety Program (LGRSP) in 2022–23. This program has not been updated since 2014, despite commitments to do so in 2021 and 2022.

TfNSW has not undertaken a systematic and integrated analysis of the combined impact of its road safety strategies and plans in regional NSW since 2012.

TfNSW reports against the Community Road Safety Fund (CRSF) annually but there is no consolidated, public reporting on total road safety funding allocated to regional NSW. The Fund underspend increased from 12% in 2019–20 to 20% in 2022–23.

What we recommended

We recommended TfNSW:

  • develop a regional implementation plan to support the NSW Road Safety Action Plan, including a framework to annually measure, analyse and publicly report on progress
  • develop a plan to measure and mitigate risks causing underspend in the CRSF
  • expedite the review of the LGRSP including recommendations to increase involvement of regional councils.

Disclosure of confidential information

Under the Government Sector Audit Act 1983 (the Act), the Auditor-General may disclose confidential information if, in the Auditor-General’s opinion, the disclosure is in the public interest, and that disclosure is necessary for the exercise of the Auditor-General’s functions.

Confidential information in the Act means Cabinet information or information subject to legal privilege. This performance audit report contained confidential information.

The NSW Premier has certified that in his opinion the disclosure of the confidential information was not in the public interest.

The confidential information has been redacted from this report.

Under section 36A(2) of the Government Sector Audit Act 1983, the Auditor-General may authorise the disclosure of confidential information if, in the Auditor-General’s opinion, the disclosure is in the public interest and necessary for the exercise of the Auditor-General’s functions. Confidential information under the Government Sector Audit Act 1983 means Cabinet information, or information that could be subject to a claim of privilege by the State or a public official in a court of law. This performance audit report contained confidential information which, in the opinion of the Auditor-General, is in the public interest to disclose and that disclosure is necessary for the exercise of the Auditor-General’s functions.

On 26 October 2023, pursuant to section 36A(2)(b) of the Government Sector Audit Act 1983, the Auditor-General notified the NSW Premier of the intention to include this information in the published report, having formed the opinion that its disclosure is in the public interest and is necessary for the exercise of the Auditor-General’s functions.

On 23 November 2023, pursuant to section 36A(2)(c) of the Government Sector Audit Act 1983, the NSW Premier certified that, in his opinion, the proposed disclosure of the confidential information contained in this report was not in the public interest. The Premier’s certificate follows. Section 36A(4) states that a certificate of the Premier that it is not in the public interest to disclose confidential information is conclusive evidence of that fact.

The issuance of the certificate by the NSW Premier prevents the publication of this information. The relevant sections of the report containing confidential information have been redacted.

One-third of the New South Wales population resides in regional areas, but two-thirds of the state’s road crash fatalities take place on regional roads.

Between 2017 and 2021, the average number of fatalities for every 100,000 of the population living in regional New South Wales was 8.33 — approximately four times higher than the equivalent measure for Greater Sydney. Similarly, the average number of serious injuries in regional New South Wales over the same period was 75.24 per 100,000 of the population, compared with 50.53 in Greater Sydney. Further, more than 70% of people who lose their lives in accidents on regional roads are residents of regional areas.

Residents of regional areas face particular transport challenges. They often need to travel longer distances for work, health care, or recreation purposes, yet their public transport options are more limited than metropolitan residents. Vehicle safety is also an issue. According to the NSW Road Safety Progress Report 2021, of the light vehicles registered in New South Wales that were manufactured in or after 2000, 48.4% of light vehicles in regional areas had a five-star Australasian New Car Assessment Program (ANCAP) rating, compared to 54.8% in metropolitan areas. Road conditions in regional areas can also be more challenging for drivers.

Regional New South Wales covers 98.5% of the total area of the state. The road network in New South Wales is vast — spanning approximately 200,000 kilometres.

The road network includes major highways, state roads and local roads. Speed limits range from 10 km/hr in high pedestrian shared zones, up to 110 km/hr on high volume and critical road corridors. Eighty per cent of the network has a 100 km/h speed limit, which is mostly applied as a default speed limit, regardless of the presence of safety features and treatments.

Speed is the primary causal factor in more crashes in New South Wales than any other factor, and car crashes in regional areas are more likely to be fatal because of the higher average speeds involved.

The responsibility for managing road safety outcomes across the entire New South Wales road network lies with Transport for NSW (TfNSW), pursuant to Schedule 1 of the Transport Administration Act 1988.

While its safety responsibilities are state-wide, TfNSW does not own or directly manage all of the road network in regional New South Wales, which spans approximately 200,000 kilometres. Approximately 80% of the roads are classified as Local Roads and are administered and managed by local councils. Local councils also maintain Regional Roads that run through their local government areas. TfNSW is responsible for managing State Roads (approximately 20% of roads), which are major arterial roads. It also provides funding for councils to manage over 18,000 km (approximately 10%) of state-significant Regional Roads.

According to TfNSW, between 2016 and 2020, there were 9,776 people killed or seriously injured on roads in regional New South Wales. Adding to the tragic loss of life, according to TfNSW, the estimated cost to the community between 2016 and 2020 resulting from regional road trauma and fatalities was around $13.7 billion.

TfNSW also noted that the ‘risk of road trauma is pervasive, and a combination of effective road safety measures is required to systematically reduce this risk’.

TfNSW released its first long-term road-safety strategy in December 2012, which introduced the goal of ‘Vision Zero’ — a long-term goal of zero deaths or serious injuries on NSW roads. The terminology was changed to ‘Towards Zero’ in the 2021 Road Safety Plan and has been retained in the NSW Road Safety Action Plan 2022–2026. Towards Zero has the stated goal of ‘no death or serious injury occurring on the road transport network’ by 2050.

The objective of this audit is to assess the effectiveness of TfNSW’s delivery of ‘Towards Zero’ in regional areas.

In making this assessment, the audit examined whether TfNSW:

  • is effectively reducing the number of fatalities and serious injuries on regional roads
  • has an effective framework, including governance arrangements, for designing and refreshing the NSW Road Safety Strategy 2012–2021 and the NSW Road Safety Action Plan 2022–2026
  • effectively makes use of whole-of-government and other relevant sources of data to support decision-making, and to evaluate progress and outcomes
  • effectively manages accountabilities, including roles and responsibilities, with respect to road safety outcomes and the use of data.

This audit focused on the policies and strategies used by TfNSW for managing road safety outcomes in regional areas. We did not evaluate individual road safety projects, programs and initiatives as part of this audit.

Whilst Regional Roads and Local Roads (as defined by the Road Network Classifications) are owned and maintained by local councils, we included these roads in this audit as TfNSW may advise and assist councils to promote and improve road safety, as well as manage grant programs that focus on improving road safety outcomes on these roads. Hereafter, unless otherwise stated, references to ‘regional roads’ refer to all classifications of roads in the state which are in regional New South Wales, irrespective of their ownership.

Local councils in regional areas are key stakeholders for the purposes of this audit, and we interviewed eight as part of the audit process (noting that this was not intended to be a representative sample). Road asset management by local councils is also out of scope for this audit as it is the focus of a subsequent performance audit by the Audit Office of New South Wales.b

The Audit Office of New South Wales has undertaken several performance audits relating to road safety since 2009 and these have been referenced while undertaking this audit. They include:

  • Condition of State Roads (August 2006)
  • Improving Road Safety: Heavy Vehicles (May 2009)
  • Improving Road Safety: School Zones (March 2010)
  • Improving Road Safety: Speed Cameras (July 2011)
  • Regional Assistance Programs (May 2018)
  • Mobile speed cameras (October 2018)
  • Rail freight and Greater Sydney (October 2021).

Conclusion

TfNSW has acknowledged that there is a disproportionate amount of road trauma on regional roads in the NSW Road Safety Strategy 2012–2021, the NSW Road Safety Plan 2021, and the NSW Road Safety Action Plan 2022–2026. However, TfNSW has not articulated or evaluated a strategy for implementing road safety policy in regional New South Wales to assist in guiding targeted activities to address regional road trauma. There is also no transparency about the total amount of funding invested in improving road safety outcomes for regional New South Wales.

People living in regional New South Wales make up one-third of the state’s population, but deaths on regional roads make up around two-thirds of the state’s total road toll. This statistic is almost the same in 2023 as it was ten years ago when TfNSW released its first long-term road safety strategy.

More than 70% of people who died on roads between 2012 and 2022 in regional New South Wales were residents of regional areas. Speed is the greatest contributing factor to road fatalities and serious injuries across the entire state. However, it is responsible for more fatalities on regional roads (43%) than in Greater Sydney (34%).

TfNSW’s road safety strategies and plans acknowledge that most road fatalities occur in regional New South Wales but none of its existing strategies or plans show evidence of tailoring measures to suit particular regional settings or ‘hot spots’. There are infrastructure initiatives (such as Saving Lives on Country Roads) and behavioural programs targeting regional areas (such as Driver Reviver). However, these activities are not aligned to a regional-specific strategy or plan that addresses issues specific to regional areas.

TfNSW has state-wide responsibility for managing road safety outcomes. TfNSW advised the audit that a regional plan and regional trauma reduction targets are not needed as the state-wide plan and targets apply equally for all areas of New South Wales, and local road safety factors are best managed by local councils. TfNSW partners with local councils. However, only 52% of councils in regional New South Wales participate in TfNSW’s Local Government Road Safety Program, compared to 84% of councils in metropolitan areas. TfNSW has not undertaken any evaluations to determine whether projects completed under the Local Government Road Safety Program have reduced road trauma at the local level.

Notwithstanding the above points, TfNSW works with local councils (who are road authorities for local roads in their respective areas under the Roads Act 1993) and other key stakeholders such as the NSW Police Force to achieve the NSW Government’s road safety policy objectives.

TfNSW advised that ‘the setting of state-wide road safety targets is consistent with other jurisdictions and international best practice. Importantly, delivery of road safety countermeasures is tailored and applied with a focus on road user groups across all geographic locations to maximise trauma reductions’. There may be legitimate reasons for the existing approach, as articulated by TfNSW. However, the proportion of road fatalities in regional New South Wales roads has not reduced since 2012 – despite a long-term reduction in the overall number of deaths on the state’s roads between 2012–2021. The audit report has recommended that a regionally focused implementation plan could address this issue. TfNSW has accepted this report’s recommendation that such a plan be developed.

Specific road safety initiatives targeted to regional areas have not been implemented or expanded

Text removed pursuant to section 36A of the Government Sector Audit Act 1983 (NSW), in compliance with the issuance of a Premier’s certificate preventing the publication of this information.

TfNSW increased the use of other forms of automated enforcement (such as tripling enforcement hours in mobile speed cameras).
However, the use of automated enforcement has a strong metropolitan focus with most red light and fixed speed cameras being in metropolitan areas. Average speed cameras are the only camera type overwhelmingly located in regional areas but these apply only to heavy vehicles and are positioned on major freight routes. 

There is no consolidated, public reporting of what proportion of total road safety funding is directed to regional New South Wales each year. The main source of funding for road safety in New South Wales, the Community Road Safety Fund, has been underspent since 2019.

Fines from camera-detected speeding, red-light and mobile phone use offences are required to be used solely for road safety purposes through the Community Road Safety Fund (CRSF), as set out in the Transport Administration Amendment (Community Road Safety Fund) Act 2012.

The CRSF has been underspent every year since 2019–20. The underspend has increased from 12% in 2019–20 to 20% in 2022–23 where the full year underspend was forecasted to be $104 million. Of this underspend, $13.5 million was dedicated for regional road infrastructure projects. TfNSW advised the audit that much of the underspend is the result of delays to infrastructure projects due to COVID-19, bushfires, and floods, as well as skills shortages. However, TfNSW has not provided any evidence that it had a plan to mitigate these risks – meaning the level of underspend could continue to grow. TfNSW also advised ‘there is no reason to expect budget management and controls will not return to pre-COVID circumstances’.

In total, TfNSW received $700 million in funding for road safety in 2021–22 (including federal contributions and the Community Road Safety Fund). Of this, $411 million (or ~59%) was directed to regional New South Wales. This is the most recent comprehensive financial data that was provided by TfNSW to the audit team. The 2022–23 NSW Budget allocated $880 million for road safety in 2022–23, with a forecasted total allocation for road safety of $1.6 billion in recurrent expenses and $0.8 billion in capital expenditure over the period 2022–23 to 2025–26.

Appendix one – Response from Transport for NSW

Appendix two – The Safe Systems framework and NSW road safety strategies and plans

Appendix three – About the audit

Appendix four – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #386 - released 30 November 2023

Published

Actions for Government's acquisition of private property: Sydney Metro project

Government's acquisition of private property: Sydney Metro project

Transport
Planning
Whole of Government
Compliance
Infrastructure
Internal controls and governance
Project management
Risk

What the report is about

Sydney Metro is Australia’s largest public transport project. It requires the acquisition of many private properties, including residential and business properties.

This audit assessed the effectiveness of the acquisition of private properties for the Sydney Metro project. The audited agencies were Sydney Metro, the Department of Planning and Environment (Valuer General NSW) and Transport for NSW (the Centre for Property Acquisition).

The audit assessed agencies against the framework for property acquisitions in New South Wales. It did not re-perform the valuations done for individual properties that were acquired by Sydney Metro.

What we found

Acquisitions of private property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. We found Sydney Metro:

  • complied with legislative and policy requirements for compensation and communication with people subject to property acquisitions
  • kept accurate records of its acquisitions and applied probity controls consistently
  • did not complete detailed plans or negotiation strategies for the high-risk and high-value acquisitions we reviewed
  • did not comply with legislative timelines for most compulsory acquisitions because of delays in receiving the required information from the Valuer General in these cases.

The Centre for Property Acquisition has overseen the implementation of reforms to residential acquisition processes, but its assessment of the effectiveness of these reforms has not been comprehensive.

What we recommended

The audit made four recommendations to the audited agencies to improve:

  • plans and strategies for the acquisition of high-risk and high-value properties
  • timeliness of issuing compensation determinations for compulsory acquisitions
  • data quality on the experience of people subject to property acquisitions.

The NSW Government has the power to acquire land that is owned or leased by individuals or businesses, if it is needed for a public purpose. The power arises from the Land Acquisition (Just Terms Compensation) Act 1991 (the Just Terms Act). Government agencies that have the power to compulsorily acquire private property are referred to as ‘acquiring authorities’. People who are subject to acquisitions are referred to as ‘affected parties’ and include property owners (business or residential), businesses with a commercial lease on a property, or individuals with residential tenancy leases. In recent years, the vast majority of acquisitions by the NSW Government have been for public transport or road projects.

Sydney Metro is a NSW Government agency with responsibility for building the Sydney Metro railway project. Sydney Metro is Australia’s largest public transport project. The project requires the acquisition of a large number of private properties. Sydney Metro has been one of the largest acquirers of private property in recent years, completing over 500 acquisitions between 2020 and mid-2022, with a total acquisition value of over $2 billion. Other agencies and statutory officers involved in the acquisition of property for the Sydney Metro project include:

  • the Department of Planning and Environment (DPE), which supports the minister responsible for the Just Terms Act. DPE also provides staff to the Valuer General of NSW
  • the Valuer General of NSW, an independent statutory officer that determines compensation in cases where the acquiring authority and the affected party cannot agree on compensation for property that has been acquired
  • Transport for NSW, which includes the Centre for Property Acquisition (CPA). The CPA does not have a direct role in acquiring properties, but its responsibilities include developing guidance for acquiring agencies and monitoring and reporting on their activities.

About this audit

The objective of this audit was to assess the effectiveness of acquisitions of private properties for Sydney Metro projects. The audit assessed agencies against the legislative and policy requirements in place for government acquisitions of private property in New South Wales. In line with the Audit Office's legislative mandate, the audit does not comment on the merits of the policy objectives reflected in the Just Terms Act.

The audit examined a sample of 20 property acquisitions. This was not a statistically representative sample. While our report provides comments on Sydney Metro’s overall acquisition processes, it does not provide assurance regarding the acquisitions that were not examined for this audit.

The audit did not re-perform the valuations done for individual properties that were acquired by Sydney Metro. Affected parties who disagree with the valuation of their property have the right to seek independent assessment of this via the Valuer General and the Land and Environment Court.

Conclusion

Acquisitions of property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. Sydney Metro followed requirements for communication with affected parties. Compensation processes were conducted in compliance with legislative requirements, but compensation determinations for compulsory acquisitions were not completed within legislated time frames due to delays in receiving these from the Valuer General. Governance and probity processes were followed consistently, with some relatively minor exceptions. 

Sydney Metro has detailed guidelines for acquisitions that are based on relevant legislation and government policy. In the 20 acquisitions we assessed for this audit, these procedures were followed consistently. This included adhering to minimum timelines for negotiation periods, engaging independent valuers and other experts when needed, and complying with governance and probity processes.

Sydney Metro staff followed requirements for communication and support for residential acquisitions by assigning ‘personal managers’ and providing additional support to affected parties when needed. The Centre for Property Acquisition (CPA) has overseen reforms to the residential property acquisition process in recent years. These reforms include the introduction of the NSW Property Acquisition Standards and the use of personal managers, in addition to the existing acquisition managers, for residential acquisitions. However, the CPA has not assessed the impact of these changes on the experiences on people affected by property acquisitions.

Sydney Metro did not comply with the legislative requirement to provide a formal compensation notice to the affected party within 45 days of a compulsory acquisition starting in any of the eight relevant acquisitions in our sample. This was because Sydney Metro must wait for the Valuer General to complete a compensation determination before Sydney Metro can send the compensation notice, and the Valuer General did not do this within 45 days. We acknowledge that Sydney Metro does not have full control over this process, and that it has taken steps to mitigate the impact of delays on affected parties. 

This chapter presents our findings on Sydney Metro's acquisition of industrial and commercial properties. Industrial properties include construction businesses and manufacturing facilities. Commercial properties were mostly properties such as shopping centres and office towers. Many of these acquisitions involve businesses and properties that are relatively complex and have high values. This means the valuation process can require multiple experts and can be lengthy and contested. Adherence to governance and probity requirements is important for these acquisitions in order to demonstrate that the acquiring authority has achieved value for money.

This chapter presents our findings on Sydney Metro's acquisition of residential properties, which include apartments and houses, and small business leases, which mostly affected businesses in small shopping centres or arcades. Most of these acquisitions were lower value compared to industrial and commercial property acquisitions and did not require as much expert advice on complex technical issues. However, residential property acquisitions can be personally distressing for the affected parties and require staff from the acquiring authority to provide support and show empathy while ensuring legislative compliance and value for money.

Appendix one – Responses from agencies

Appendix two – About the audit 

Appendix three – Performance auditing 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #375 - released 9 February 2023

Published

Actions for Design and implementation of the Transport Asset Holding Entity

Design and implementation of the Transport Asset Holding Entity

Transport
Treasury
Asset valuation
Financial reporting
Infrastructure
Procurement
Risk
Service delivery

What the report is about

The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.

Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.

What we found

The design and implementation of TAHE, which spanned seven years, was not effective.

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

What we recommended

We recommended that the audited agencies should:

  • improve accountability and transparency for major new fiscal transformation initiatives
  • ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
  • review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
  • review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.

The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.

TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.

Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).

TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.

TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.

TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.

About this audit

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether: 

  • the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
  • agencies' roles and responsibilities were clear in the planning of TAHE
  • agencies effectively identified and managed certain risks.

Conclusion

The design and implementation of TAHE was not effective. The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments to sustain TAHE through continuing investment, and funding of the state owned rail operators. The ineffective process to design TAHE delivered a model that entails significant uncertainty as to whether the anticipated longer-term financial improvements to the Budget position can be achieved or sustained.

NSW Treasury and TfNSW had different objectives for TAHE

Up to June 2013, RailCorp had been the owner and operator of rail services and maintainer of the metropolitan rail network for almost a decade. It had been operating as a not-for-profit Public Non-Financial Corporation (PNFC).

In 2012, NSW Treasury (hereafter Treasury) decided there was a risk that the Australian Bureau of Statistics (ABS) would reclassify RailCorp to the General Government Sector (GGS), meaning depreciation expenses of approximately $870 million would be reflected in the GGS Budget. Treasury wanted to avoid this impact on the GGS Budget, and considered the establishment of a transport asset holding entity as a means to do so. Capital grants to RailCorp were being treated as an expense to the GGS Budget.

TfNSW also wanted an asset holding entity – but one that would be a non-trading ‘shell’ company with no staff that would hold and manage all public transport assets. TfNSW's concept envisaged the entity would have a structure that would enable future public transport reforms and strategic directions while ensuring vertical integration of operations between asset owners and the rail operators to maintain rail safety.

However, Treasury pursued its objective to improve the GGS Budget result, and sought to expand on TfNSW's 'shell' asset holding entity concept. Treasury wanted an entity that could generate a return on investment, as this meant that government investment in transport assets could be treated as equity investments, rather than a Budget expense, and in turn improve the GGS Budget position. As an example of the potential impact of creating this new entity, capital grants of $2.3 billion were paid to RailCorp in 2013–14. If Treasury's objective was met, grants of this significance would then be treated as an equity investment, rather than an expense in the GGS Budget.

In 2017, Treasury's preferred option was progressed through legislation, but both agencies' central objectives for the proposed asset holding entity would continue to prove difficult to reconcile. To achieve Treasury's objective to improve the Budget result, the entity would need to generate a return on investment (this is further discussed below). However, TfNSW expressed concerns that the prioritisation of rail safety, and the effective management of governance, regulation and operations would be more complex in an entity with commercial imperatives.

Asset holding entities are a common approach to the management of transport assets in Australia and internationally, and there are a range of approaches to how they are structured and used. Such structures should be driven by the goal of improved asset management. Ultimately, TfNSW's objectives could have been delivered through a simpler entity structure. However, reconciling TfNSW's objectives with Treasury's imperative to deliver and justify a Budget improvement in the short-term resulted in an overly lengthy process and an unnecessarily complex outcome that places an obligation on future governments to sustain. There is still significant uncertainty as to whether the short-term improvements to the Budget can continue to be realised in the longer-term.

The Budget benefits of TAHE were claimed before the entity was legislated, committing the agencies to deliver, regardless of the complexities that subsequently arose

The 2015–16 GGS Budget treated the government's investment in TAHE (still known at this time as RailCorp) as an equity contribution. This had the immediate impact of improving the Budget result by $1.8 billion per annum. However, the legislation to enable the establishment of TAHE had not yet been passed by Parliament, key elements of the operating model were still under development, and imminent changes in accounting standards had the potential to impact TAHE's financial model. The decision to book the benefits in the Budget early committed the involved agencies to implement a solution that justified the 2015–16 Budget impacts, irrespective of the challenges that arose. 

TAHE's financial structure requires circular government investment to work

For the NSW Government to continue to treat its investment in TAHE as an equity contribution, rather than an expense to the Budget, there must be a reasonable expectation that TAHE will generate a sufficient rate of return as required by the Government Finance Statistics (GFS) framework. In doing so, it needs to recover a revaluation loss created by a $20.3 billion reduction in the value of its assets which was incurred in its first full year of operation. This loss occurred as a result of a revaluation of TAHE's assets when RailCorp (a not-for profit entity) became TAHE (a for-profit commercial entity) – and is discussed further in the 'Key findings' below.

TAHE generates a small portion of its income from transactions with the private sector but, as noted in our report 'State Finances 2021', TAHE receives the majority of its revenue (more than 80%) from access and licence fee agreements with Sydney Trains and NSW Trains. Both of these entities are funded by grants (a Budget expense) to TfNSW from the GGS Budget.

Based on Treasury’s correspondence with the ABS in 2015, TAHE was initially expected to pay a return on equity of 7% in 2016–17. The assumption of a 7% return persisted through to 2018, after the legislation enabling the establishment of TAHE was passed by Parliament. However, when the initial access and licence fees were agreed on 1 July 2020, this figure had been revised to an expected rate of return of 1.5% excluding the revaluation loss. This was below the long-term inflation target and did not include the recovery of the revaluation loss – risking the government's ability to treat its investment in TAHE as an equity contribution. Importantly, as TAHE is primarily reliant on fees paid by the state owned rail operators that, in turn, are funded by the GGS Budget (as an expense), the decision to change the returns model from 7% to 1.5% would in its own right have had a positive impact on the GGS Budget. However, the decision to use a 1.5% return would ultimately be problematic as it made it difficult to treat the government's contributions to TAHE as an equity investment, as discussed below.

On 14 December 2021, to avoid a qualified audit opinion, the NSW Government made the decision to increase TAHE's expected rate of return to 2.5%, equal to the Reserve Bank’s long-term inflation target.

In 2021-22, TAHE needed to start charging rail operators higher access and licence fees in order to generate a return of 2.5%, so as to support the government's treatment of its investment in TAHE as an equity contribution in the GGS Budget. This meant the government needed to provide additional grant (expense) funding to the state owned rail operators so they could pay the increased access and licence fees to TAHE. Based on current projections, TAHE is not expected to recover the revaluation loss until 2046.

There remains a risk that TAHE will not be able to generate a sufficient return on the NSW Government's investment without relying on increased funding to state owned rail operators so that they can in turn pay the higher access and licence fees. TAHE's ability to generate returns on government investment from other sources are uncertain and may not be achievable or sustainable. Current modelling highlights that TAHE remains largely reliant, through to 2046, on increasing fees (which are assumed to increase at 2.5% per annum from 2031 onwards when the current 10 year contracts with rail operators expire) paid by the state owned rail operators that remain principally reliant on GGS Budget grants.

The process of designing and implementing TAHE was not transparent to independent scrutiny

Our report 'State Finances 2021' commented that Treasury did not always provide this Office with information relating to TAHE on a timely basis. Similarly, during this performance audit, there were also multiple instances where auditees were unable to provide documentation regarding key activities in the process to deliver TAHE. Agencies also applied higher sensitivity classifications to large tranches of documents than was justified or required by policy. Of particular concern is the incorrect classification of documents as Cabinet sensitive information. The incorrect or over-classification of documentation as Cabinet sensitive delayed this Office's ability to provide scrutiny or independent assurance.

There was a lack of clarity around the roles and responsibilities of governance structures set up to oversee the design and implementation of TAHE

From 2014, multiple workstreams and advisory committees were established to progress the design and implementation of TAHE. For some of these committees and workstreams, there is limited information on what they were tasked to do and what they achieved. Most had ceased meeting by 2018, before significant work needed to deliver TAHE was completed.

The lack of clarity around the roles and responsibilities of these governance structures reduced opportunities for TfNSW and Treasury to reconcile their differing objectives for TAHE, and resolve key questions earlier in the process.

There was a heavy reliance on consulting firms throughout the process to establish TAHE, and the management of consultant engagements failed to ensure that agencies received independent advice to support objective decision-making

In 2020, Treasury and TfNSW failed to prevent, identify, or adequately manage a conflict of interest when they engaged the same 'Big 4' consulting firm to work on separate TAHE-related projects. Both agencies used the firm's work to further their respective views with regard to the financial implications of TAHE's operating model. At this time those views were still unreconciled.

Treasury engaged the firm to provide a fiscal risk management strategy and advice on the impact of changes to accounting standards. TfNSW engaged the same firm to develop operating and financial models for TAHE, which raised concerns regarding the viability of TAHE. Disputes arose around the findings of these reports. Treasury disagreed with some of the outcomes of the work commissioned by TfNSW, relating to accounting treatment and fiscal advice.

The management of this conflict (real or perceived) was left to the 'Big 4' consulting firm when it was more appropriate for it to be managed by Treasury and TfNSW. If these agencies had communicated more effectively, used available governance structures consistently, and shared information openly about their use of the firm and the nature of their respective engagements, these disputes might have been avoided. This issue, coupled with deficiencies in procurement by both agencies, reflected and further perpetuated the lack of cohesion in the design and implementation of TAHE.

More broadly, over the period 2014 – 2021, 16 separate consulting firms were employed to work on 36 contracts, valued at over $22.56 million, relating to TAHE ranging from accounting and legal advice, project management, and the provision of administrative support and secretariat services.

Consultants are legitimately used by agencies to provide advice on how to achieve the outcomes determined by government, including advising agencies on the risks and challenges in achieving those outcomes. Similarly, consultants can provide expert knowledge in the service of achieving those outcomes and managing the risks. However, the heavy reliance on consulting firms during the design and implementation of TAHE heightened the risk that agencies were not receiving value for money, were outsourcing tasks that should be performed by the public service, and did not mitigate the risk that the advice received was not objective and impartial. The risk that the role of consultants could have been blurred between providing independent advice to government on options and facilitating a pre-determined outcome was not effectively treated or mitigated. This risk was amplified because a small number of firms were used repeatedly to provide advice on one topic. The effective procurement and management of consultants is an obligation of government agencies.

Appendix one – Responses from audited agencies, and Audit Office clarification of matters raised in the TAHE formal response 

Appendix two – Classification of government entities 

Appendix three – About the audit 

Appendix four – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #372 - released 24 January 2023

 

Published

Actions for Rail freight and Greater Sydney

Rail freight and Greater Sydney

Transport
Information technology
Infrastructure
Management and administration
Project management
Service delivery

What the report is about

The movement of freight contributes $66 billion annually to the NSW economy. Two thirds of all freight in NSW moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036.

This audit assessed the effectiveness of transport agencies in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

What we found

Transport agencies do not have strategies or targets in place to improve the efficiency or capacity of the metropolitan shared rail network for freight.

The transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes and they do not know how to use the shared rail network to maximise freight capacity without compromising passenger rail services.

The Freight and Ports Plan 2018-2023 contains one target for rail freight - to increase the use of rail at Port Botany to 28 per cent by 2021. However, Transport for NSW (TfNSW)'s data indicates this target will not be met.

Sydney Trains records data on train movements and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable and third-party contracts.

However, a lack of clarity around what data is gathered and who has ownership of the data makes data sharing difficult and limits its analysis and reporting.

The Freight and Ports Plan 2018-2023 includes the goal of 'Reducing avoidable rail freight delays', but the transport agencies do not have any definition for an avoidable delay and, as a result, do not measure or report them.

TfNSW and Sydney Trains are appointed to manage and deliver the Transport Asset Holding Entity of New South Wales (TAHE)'s obligations to allow rail freight operators to use the shared rail network. There are no performance measures in rail freight operator contracts or inter-agency agreements. This limits transport agencies' ability to improve performance.

TfNSW’s Freight Branch is working on four freight-specific strategies; a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy.

TfNSW has not yet determined the timeframes or intended outcomes of these strategies.

What we recommended

Transport agencies should:

  • commit, as part of the review of Future Transport 2056, to delivering the freight-specific strategies currently in development and develop whole-of-cluster accountability for this work including timeframes, specific targets and clear roles and responsibilities 
  • improve the collection and sharing of freight data
  • develop a plan to reduce avoidable freight delays
  • systematically collect data on the management of all delays involving and/or impacting rail-freight
  • develop and implement key performance indicators for the agreements between the transport agencies.

Fast facts    

  • 288 million tonnes of freight volume predicted to pass through Greater Sydney in 2036, up from 194 million in 2016 (an increase of 48%)

  • 54 trucks that can be replaced by one 600 m long port shuttle freight train    

  • 26,671 freight trains that passed through the metropolitan shared rail network between 1 July 2020 and 30 June 2021

The movement of freight contributes $66.0 billion annually to the New South Wales economy — or 13 per cent of the Gross State Product. Two thirds of all freight in New South Wales moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036. This increasing demand is driven by increasing population and economic growth.

The sequence of activities required to move goods from their point of origin to the eventual consumer (the supply chain) is what matters most to shippers and consumers. Road can provide a single-mode door-to-door service, whereas conveying goods by rail typically involves moving freight onto road at some point. In Greater Sydney, 80 per cent of all freight is moved on road. Freight often passes through intermodal terminals (IMTs) as it transitions from one mode of transport to the next.

In 2016, Transport for NSW (TfNSW) released Future Transport 2056 - the NSW Government's 40-year vision for transport in New South Wales, which is intended to guide investment over the longer term. In Future Transport 2056, TfNSW noted that New South Wales will struggle to meet increasing demand for freight movements unless rail plays a larger role in the movement of freight.

Sydney Trains manages the metropolitan shared rail network, which is made up of rail lines that are used by both passenger and freight trains. The Transport Administration Act 1988 requires that, for the purposes of network control and timetabling, NSW Government transport agencies give ‘reasonable priority’ to passenger trains on shared lines. As the Greater Sydney population and rail patronage continue to grow, so too will competition for access to the shared rail network. See Appendix two for details of the area encompassed by Greater Sydney.

Freight operators can also use dedicated rail freight lines operated by the Australian Rail Track Corporation (ARTC - an Australian Government statutory-owned corporation). As the metropolitan shared rail network connects with dedicated freight lines, freight operators often use both to complete a journey.

TfNSW, Sydney Trains and the Transport Asset Holding Entity (TAHE) work in conjunction with other rail infrastructure owners and private sector entities, including port operators, privately operated IMTs and freight-shipping companies. TfNSW and Sydney Trains are responsible for managing the movement of freight across the metropolitan shared rail network. TAHE is the owner of the rail infrastructure that makes up the metropolitan shared rail network. The NSW Government established TAHE, a NSW Government state-owned corporation, on 1 July 2020 to replace the former rail infrastructure owner - RailCorp. The Auditor-General for New South Wales has commenced a performance audit on TAHE which is expected to table in 2022.

On 1 July 2021, TAHE entered into new agreements with TfNSW and Sydney Trains to operate, manage and maintain the metropolitan shared rail network. Until 30 June 2021, and in accordance with TAHE's Implementation Deed, TAHE operated under the terms of RailCorp's existing arrangements and agreements.

This audit assessed the effectiveness of TfNSW, Sydney Trains and TAHE in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

The audit focused on:

  • the monitoring of access to shared rail lines
  • the management of avoidable delays of rail freight movements
  • steps to increase the use of rail freight capacity in Greater Sydney.

Conclusion

Transport agencies do not have clear strategies or targets in place to improve the freight efficiency or capacity of the metropolitan shared rail network. They also do not know how to make best use the rail network to achieve the efficient use of its rail freight capacity. These factors expose the risk that rail freight capacity will not meet anticipated increases in freight demand.

Future Transport 2056 notes that opportunities exist to shift more freight onto rail, and that making this change remains an important priority for the NSW Government. However, the transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes. In particular, transport agencies do not know how to use the shared rail network in a way that maximises freight capacity without compromising passenger rail services.

Neither Future Transport 2056 nor the Freight and Ports Plan 2018–2023 give any guidance on how transport agencies will improve the efficiency or capacity of the shared rail network. Other than a target for rail freight movements to and from Port Botany, which TfNSW's data indicates will not be met, there are no targets for improving rail freight capacity across the shared network. The lack of specific strategies, objectives and targets reduces accountability and makes it difficult for transport agencies to effectively improve the use of rail freight capacity in line with their commitment to do so.

Sydney Trains and Transport for NSW do not effectively use data to improve rail freight performance and capacity.

To drive performance improvement when planning for the future, transport agencies need good quality data on freight management and movements. Sydney Trains records data on train movements in real-time and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable (SWTT) and third-party contracts. However, the different types of data gathered and the separation between the teams responsible mean that there is a lack of clarity around what data is gathered and who has ownership it. This lack of coordination prevents best use of the data to develop a single picture of how well the network is operating or how performance could be improved.

Sydney Trains' ability to evaluate the effectiveness of its incident and delay mitigation strategies is also limited by a lack of information on its management of rail-freight related delays or incidents. While Sydney Trains collects data on major incidents, it can only use this to conduct event-specific analysis on the causes of an incident, and to review the operational and management response. The use of complete and accurate incident data would assist to define, identify and reduce avoidable delays. Reducing avoidable delays is a goal of the Freight and Ports Plan 2018–2023. More complete data on all incidents would help TfNSW to have more effective performance discussions with rail freight operators to help improve performance.

TfNSW has started developing strategies to identify how it can use rail freight capacity to achieve efficient freight outcomes, but it has not committed to implementation timeframes for this work.

TfNSW’s Freight Branch has started work on four freight-specific strategies to improve freight efficiency: a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy. However, none of these strategies will be fully developed before the end of 2022. TfNSW has not yet determined the implementation timeframes or intended outcomes of these strategies, although TfNSW reports that it is taking an iterative approach and some recommendations and initiatives will be developed during 2022. 

Appendix one - Response from agencies

Appendix two - The Greater Sydney region

Appendix three - TfNSW strategic projects 

Appendix four - Sydney Trains path priority principles 

Appendix five - Sydney Trains delay management

Appendix six - About the audit 

Appendix seven - Performance auditing
 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #357 - released (19 October 2021).

Published

Actions for Managing cyber risks

Managing cyber risks

Whole of Government
Transport
Cyber security
Information technology
Internal controls and governance
Procurement
Risk

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

  • develop and implement a plan to uplift the Essential 8 controls to the agency's target state
  • as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
  • ensure cyber security risk reporting to executives and the Audit and Risk Committee
  • collect supporting information for the CSP self assessments 
  • classify all information and systems according to importance and integrate this with the crown jewels identification process
  • require more rigorous analysis to re-prioritise CDP funding 
  • increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

  • clarify the requirement for the CSP reporting to apply to all systems
  • require agencies to report the target level of maturity for each mandatory requirement.

Fast facts

  • $42m Total value of the Transport Cyber Defence Rolling Program over three years.
  • 7.2% Percentage of staff across the Transport cluster who had completed introductory cyber security training

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

  • Are agencies effectively identifying and planning for their cyber security risks?
  • Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Conclusion

Transport for NSW and Sydney Trains are not effectively managing their cyber security risks. Significant weaknesses exist in their cyber security controls, and both agencies have assessed that their cyber risks are unacceptably high. Neither agency has reached its Essential 8 or Cyber Security Policy target levels. This low Essential 8 maturity exposes both agencies to significant risk. Both agencies are implementing cyber security plans to address identified cyber security risks.
This audit identified other weaknesses, such as low numbers of staff receiving basic cyber security awareness training. Cyber security training is important for building and supporting a cyber security culture. Not all of the weaknesses identified in this audit had previously been identified by the agencies, indicating that their cyber security risk identification is only partially effective.
Agency executives do not receive regular detailed information about cyber risks and how they are being managed, such as information on mitigations in place and the effectiveness of controls for cyber risk. As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making.
TfNSW and Sydney Trains are partially effective at identifying their cyber security risks and both agencies have cyber security plans in place

Both agencies regularly carry out risk assessments and have identified key cyber security risks, including risks that impact on the agencies' crown jewels. These risks have been incorporated into the overall enterprise risk process. However, neither agency regularly reports detailed cyber risk information to agency executives to adequately inform them about cyber risk. The Cyber Security Policy (CSP) requires agencies to foster a culture where cyber security risk management is an important and valued aspect of decision-making. By not informing agency executives in this way, TfNSW and Sydney Trains are not fulfilling this requirement.

Agencies' cyber security risk assessment processes are not sufficiently comprehensive to identify all potential risks. Not all of the weaknesses identified in this audit had previously been identified by the agencies.

To address identified cyber security risks, both agencies have received funding approval to implement cyber security plans. TfNSW first received approval for its cyber security plan in 2017. Sydney Trains received approval for its cyber security plan in February 2020. In 2020–21 TfNSW and Sydney Trains combined their plans into the Transport Cyber Defence Rolling Program business case valued at $42.0 million over three years. This is governed as part of a broader Cyber Defence Portfolio (CDP). The CDP largely takes a risk-based approach to annual funding. The Cyber Defence Portfolio Steering Committee and Board can re-allocate funds from an approved project to a different project. This re-allocation process could be improved by making it more risk-based.

TfNSW and Sydney Trains are not effectively managing their cyber security risks

Neither agency has fully mitigated its cyber security risks. These risks are significant. Neither TfNSW nor Sydney Trains have reduced their cyber risk to levels acceptable to the agencies. Both agencies have set a risk tolerance for cyber security risks, and the identified enterprise-level cyber security risks remain above this rating. Both agencies' self-attested maturity against the Essential 8 remains low in comparison to the agencies' target levels, and in relation to the significant risks and vulnerabilities that are exposed. Little progress was made against the Essential 8 in 2020.

Neither agency has reached its target levels of maturity for the CSP mandatory requirements. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles. The Transport Cyber Defence Rolling Program has a KPI to achieve a target rating of three for all CSP requirements where business appropriate. TfNSW considers this target rating to be its target for all the CSP requirements. However TfNSW has not undertaken analysis to determine whether this target is appropriate to its business.

The CSP makes agencies accountable for the cyber risks of their ICT service providers. While both agencies usually included their cyber security expectations in contracts with third-party suppliers, neither agency was routinely conducting audits to ensure that these expectations were being met.

The CSP requires agencies to make staff aware of cyber security risks and deliver cyber security training. TfNSW is responsible for delivering cyber security training across the Transport cluster, including in Sydney Trains. TfNSW was not effectively delivering cyber security training across the cluster because training was not mandatory for all staff at the time of the audit and completion rates among those staff assigned the training was low. As such, only 7.2 per cent of staff across the Transport cluster had completed introductory cyber security training as at January 2021.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Exhibit 7 - Spot the Scammer exercise
In both 2019 and 2020, TfNSW performed a ‘Spot the Scammer’ exercise in which they sent out over 25,000 emails to staff based on a real phishing attack in order to measure awareness and response. The exercise tested staff 'click through rate', the percentage of staff who clicked on the fake phishing link. In 2019, these results were then compared to industry benchmarks, with over a 20 per cent click through rate being considered 'very high'. Both TfNSW and Sydney Trains were considered to have a ‘very high’ click through rate in comparison to these benchmarks in both 2019 and 2020. This indicates that staff awareness of phishing emails was low. The click through rate for TfNSW was 24 per cent in 2020, an increase from 22 per cent in 2019. For Sydney Trains, the click through rate in 2020 was 32 per cent, which was a decrease from 40 per cent in 2019.
Source: Audit Office analysis of TfNSW documents.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

Published

Actions for WestConnex: changes since 2014

WestConnex: changes since 2014

Transport
Compliance
Infrastructure
Internal controls and governance
Management and administration
Project management
Risk

What the report is about

The report examined whether Transport for NSW (TfNSW) and Infrastructure NSW (INSW) effectively assessed and justified major scope changes to the WestConnex project since 2014.

What we found

NSW Government decisions to fund WestConnex-related projects outside WestConnex's $16.812 billion budget have reduced transparency and understate the full cost of WestConnex.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency over the cost of the road component of Sydney Gateway. $1.76 billion of the cost to complete Sydney Gateway is funded outside the WestConnex budget.

Network integration costs, currently estimated at $2.3 billion, are also funded outside the WestConnex budget. Many of these costs are directly attributable to WestConnex and ought to be included in the reported budget.

The Parramatta Road Urban Amenity Improvement Program, costing $198 million, should also be included as part of the WestConnex reported budget.

Decisions to exclude or remove these elements from WestConnex without justification have seen $4.26 billion of projects funded outside the $16.8 billion budget.

Positively, robust analysis was used to develop and incorporate design improvements into the 2015 WestConnex Updated Strategic Business Case.

The separate components of WestConnex underwent all required assurance reviews. However, the NSW Government's assurance framework does not require ongoing ‘whole-of-program’ assurance for large and complex projects like WestConnex. The absence of a holistic review of WestConnex allows for some costs and benefits to avoid scrutiny.

What we recommended

TfNSW should:

  • review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects
  • ensure that estimated costs and benefits of works which are reasonably required to meet consent conditions are included in business cases for complex large infrastructure projects
  • establish centralised and project specific record keeping for major infrastructure projects.

Infrastructure NSW should provide transparent whole of program assurance on total costs and benefits when complex projects are split into sub-projects.

Government should consider enhancing public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole-of-program level.

Fast facts

  • $16.812b 2015 WestConnex business case budget
  • $2.3b current estimated cost of network integration works to enable WestConnex, funded outside the WestConnex budget
  • $1.76b cost to complete Sydney Gateway to enable WestConnex and also funded outside the WestConnex budget
  • $198m Parramatta Road Urban Amenity Improvement Program, originally part of WestConnex but now funded outside the WestConnex budget

WestConnex

WestConnex is a 33 km motorway network that will link the western and south‑western suburbs with the Sydney CBD and the Airport and Port Botany precinct. It will also connect with proposed future motorway links to the north shore, northern beaches, and southern Sydney. The project is being delivered in three stages, with completion scheduled for 2023.

When first conceived by Infrastructure NSW (INSW) in 2012, WestConnex was described as a single integrated concept. In August 2013, government approved a business case for an integrated concept of WestConnex, with an estimated cost of $14.881 billion (in nominal outturn costs). Transport for NSW (TfNSW) is the government agency (sponsor agency) accountable for the delivery of WestConnex in accordance with the business case. In August 2014, the NSW Government established the Sydney Motorway Corporation to fund, deliver and operate WestConnex.

In November 2015, the NSW Government publicly released an updated WestConnex business case with greater detail and design enhancements, which increased the estimated cost to $16.812 billion.

Subsequent to this update, further changes were made to the design, including realignment of the M4 to M5 Link connection to the Western Harbour Tunnel project, an expanded interchange at Rozelle, the deletion of the Camperdown Intersection, and the addition of the Iron Cove Link. The reported budget for WestConnex was not changed as a result of these design updates.

To fund WestConnex, Sydney Motorway Corporation consolidated a concessional loan of $2 billion from the Australian Government, private sector debt and equity funding from the State. The Australian Government also provided a $1.5 billion contribution to the State to partially fund construction of WestConnex.

In August 2018, the NSW Government sold 51 per cent of its stake in Sydney Motorway Corporation for $9.26 billion. At the time of writing, the NSW Government is in the process of selling its remaining 49 per cent stake of Sydney Motorway Corporation.

About this audit

In the course of delivering a complex major infrastructure project, it is reasonable to expect changes to the original design and scope. Changes may occur as the design moves from a high‑level concept to a detailed design for project delivery, as new risks or issues are identified, as demands change, or as other interdependent projects are approved. Changes can also occur in response to potential cost or delivery overruns which arise as a result of planning deficiencies. Where design and scope changes significantly change the project costs and/or expected benefits, the justification for these changes should be robust and transparent.

Following our 2014 performance audit, 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF) to improve accountability and transparency over major projects that are developed, procured, or delivered by government agencies. Under the framework, TfNSW, as project sponsor, is responsible for ensuring the WestConnex project meets all IIAF requirements. These include ensuring the project remains strategically aligned and viable, and benefits are on track. INSW is responsible for coordinating the assurance review process and reporting directly to NSW Cabinet on project delivery against time, budget and risks to project delivery.

The objective of this performance audit is to assess whether TfNSW and INSW effectively assessed and justified major scope changes to the WestConnex project since 2014.

 

Conclusion

Government decisions to separate WestConnex related projects and deliver them outside WestConnex's 2015 business case budget of $16.812 billion has understated the total cost of WestConnex achieving its objectives. The rationale for separating these elements from the WestConnex project scope has not been transparent. Together, these projects represent costs of $4.26 billion funded outside the $16.812 billion WestConnex budget.

Since 2015, the NSW Government has removed several projects from the scope described in the 2015 WestConnex business case, and funded them separately:
  • In mid‑2017, the Sydney Gateway became a separate project outside WestConnex. This project, estimated in 2015 to cost $800 million, now has an estimated cost of $2.56 billion. The project remains partly funded by an $800 million contribution from the $16.812 billion WestConnex budget, with $1.76 billion funded outside the WestConnex budget.
  • In late 2018, the Parramatta Road Urban Amenity Improvement Program became a separate project outside the 2015 WestConnex budget. This project was part of the 2015 WestConnex Business Case and is intended to create urban renewal opportunities around Paramatta Road. It is estimated to cost $198 million.

Work required to integrate WestConnex with existing roads ('network integration') was funded outside the $16.812 billion budget for the November 2015 WestConnex business case. TfNSW is obliged to deliver network integration works to meet the conditions of planning approval for WestConnex. As such, these costs should be included in the WestConnex budget. The current estimated cost of these network integration works is $2.3 billion.

The rationale to exclude or remove each of these elements from the WestConnex project scope has not been transparent, nor supported by robust analysis and justification. These elements are required for WestConnex to achieve its objectives. The additional project costs will also deliver additional benefits not included in the 2015 WestConnex business case. Removing them understates the total cost of achieving the objectives set out in the 2013 and 2015 WestConnex business cases.

WestConnex's complex financing arrangements further reduce transparency on costs.

Transparency over the total cost of WestConnex – including elements funded from other project budgets – is further limited by the project's complex financing arrangements.

Prior to 2018, the Audit Office provided assurance on costs borne and levied by Sydney Motorway Corporation and its controlled entities. Since the NSW Government sold its majority stake in WestConnex in August 2018, the Auditor‑General no longer has the mandate to provide this assurance. Considering this, and the lack of transparency on the cost of projects removed from the WestConnex project scope, there is no transparent or comprehensive view of the total cost to deliver WestConnex – nor of how these cost would be offset by the sale of the government's remaining stake.

There is no 'whole‑of‑program' assurance over the WestConnex program of works. This limits transparency and confidence that WestConnex will meet intended objectives within its budget.

After INSW conducted a gateway review of a draft of the 2015 WestConnex Business Case under the IIAF, the project was broken up into separate components to support staged delivery. Each of these projects, including the Sydney Gateway, as well as the Network Integration Program, underwent the required assurance reviews under the IIAF. INSW also provided monthly progress updates to government. These individual projects are, in themselves, significant in scale and complexity. Addressing them as discrete components for the purposes of the assurance review process is justified and there is no requirement under the IIAF to holistically review projects which together deliver final benefits of the WestConnex program. However, whole‑of‑program review would improve transparency over total costs and benefits.

In 2016, TfNSW revised the design of the M4‑M5 Link and Rozelle to address traffic and integration issues.

TfNSW identified that the concept designs used for the M4‑M5 Link and Rozelle Interchange in the 2015 WestConnex Business Case would not integrate well with surface roads, including the proposed Bays Precinct, and would result in increased traffic on Victoria Road and the ANZAC Bridge. Following a comprehensive review conducted in mid‑2016, TfNSW refined the design of the M4‑M5 Link and Rozelle Interchange to address these limitations without increasing the cost of delivery. TfNSW documented the rationale for the design changes, including how the changes improved on the original design to increase capacity, improve traffic conditions and create more open space.

1. Key findings

Government decisions to fund WestConnex related projects outside of WestConnex's $16.812 billion reported budget have reduced transparency over costs and understate the full cost of WestConnex

In 2015, the work required to integrate WestConnex with existing roads ('network integration') was funded as a separate project with an estimated cost of $1.534 billion outside the 2015 WestConnex budget of $16.812 billion. TfNSW then created the Network Integration Program to respond to the conditions of planning approval for WestConnex. The current estimated cost to deliver all network integration works is $2.3 billion.

Since the 2015 WestConnex Business Case, the NSW Government has removed several elements from the scope of WestConnex and funded them as separate projects, while keeping the published WestConnex budget at an estimated $16.812 billion. Projects removed include:

  • Sydney Gateway, currently costed at $2.56 billion (with an $800 million contribution from WestConnex)
  • Parramatta Road Urban Amenity Improvement Program, costed at $198 million in late 2018 and funded though new funding to the Greater Sydney Commission.

Together, these projects represent costs of $4.26 billion that are not included in the WestConnex budget, but are required for WestConnex to achieve the objectives of the 2013 and 2015 WestConnex Business Cases. The costs of these elements in supporting the objectives of WestConnex is not tracked centrally, and there is no single point of oversight over them. Exhibit 1 compares total WestConnex forecast costs (including related projects) between November 2015 and April 2021.

 

November 2015
($ million)

April 2021
($ million)
WestConnex
Stage 1
Stage 1A (M4 Widening) 497 517
Stage 1B (M4 East) 3,802 3,782
Total 4,299 4,299
Stage 2
King Georges Road Interchange 131 131
New M5 4,335 4,335
Sydney Gateway Contribution 800 800
Total 5,266 5,266
Stage 3
M4‑M5 Link and Rozelle Interchange 7,049 7,049
Urban renewal (Parramatta Road) 198 ‑‑
Urban renewal (Rozelle) ‑‑ 198
Total 7,247 7,247
Total reportable WestConnex 16,812 16,812

Exhibit 1: WestConnex and related projects forecast costs
  November 2015
($ million)
April 2021
($ million)
Related projects
Network integration 1,534 2,300
Urban renewal (Parramatta Road) ‑‑ 198
Sydney Gateway Road Component ‑‑ 1,760
Total 1,534 4,258

Source: AO research.

Many network integration costs are directly attributable to WestConnex and ought to be included in the reported budget for WestConnex

Prior to 2015, the scope of WestConnex included enabling works needed before or during construction, as well as funding for future works to address any adverse traffic outcomes created by WestConnex which become apparent after its opening. These works are also known as network integration works.

When government approved the 2015 WestConnex Business Case, it noted that the project would require $1.534 billion for network integration works to address the impacts of WestConnex on the road network. However, the WestConnex project budget of $16.812 billion did not include funding for network integration works. Instead, Roads and Maritime Services (RMS, now TfNSW) was to fund network integration through its normal budget allocation.

It is important to recognise these costs as part of the total WestConnex project cost because:

  • TfNSW created the Network Integration Program to respond to network traffic and transport elements of the planning conditions of approval for WestConnex granted by the then NSW Department of Planning and Environment under the Environment, Planning and Assessment Act 1979.
  • NSW Treasury guidelines for business cases note that accurate cost estimates include assessment of the financial impact of meeting the conditions of planning approval.
  • Travel time and vehicle operating cost benefits attributed to the WestConnex project in the 2015 WestConnex Business Case assume that some network integration works, then costed at $373 million, were in place.

Refer to Appendix two for more detail on network integration works.

Some of the projects in the WestConnex Network Integration Program provide community and place benefits, such as parklands and cycleways. These benefits have not been attributed to WestConnex. Additionally, some network integration works are likely to deliver additional traffic related benefits to WestConnex. As the Network Integration Program’s primary purpose is to meet the conditions of planning approval for WestConnex, TfNSW should attribute all the costs and benefits of the program to WestConnex.

To September 2021, the total funded cost of the Network Integration Program is approximately $2.077 billion. TfNSW estimates that it will need a further $222 million to complete all expected network integration works.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency and accountability for TfNSW's underestimation of the cost of the road component of Sydney Gateway

Sydney Gateway is a high‑capacity connection between the new St Peters Interchange and the Sydney Airport and Port Botany precinct. It includes a road and rail components. The road component was included in the scope of WestConnex in the 2015 WestConnex Business Case. The November 2015 design, which TfNSW costed at $800 million, involved separate roadways from the St Peters Interchange to the International terminal, and to the domestic terminals and Mascot airport precinct.

By October 2016, TfNSW was aware that the $800 million budget for Sydney Gateway was insufficient and revised the forecast cost for the road component to $1.8 billion. The original cost estimate did not sufficiently consider the cost of:

  • constructing a complex design adjacent to the airport precinct
  • obtaining access to land required for the project
  • managing environmental contamination.

On 9 August 2017, the then Minister for WestConnex announced that the Sydney Gateway project was not part of WestConnex.

The 2015 WestConnex Business Case notes that material changes to the WestConnex budget, funding, scope, or timeframe are subject to Cabinet approval processes. It states that, when seeking approval for material changes, the portfolio Minister will make a submission to the relevant Cabinet Committee. Changes in project scope required the approval of the then Cabinet Committee on Infrastructure and should have been endorsed by the WestConnex Interdepartmental Steering Committee.

TfNSW and the NSW Department of Premier and Cabinet (DPC) assert that there is no documentation to support the government’s decision to separate Sydney Gateway from the WestConnex Program, or the WestConnex Interdepartmental Steering Committee's endorsement of a submission to Cabinet seeking approval for the separation.

The established governance processes for major scope changes were not followed in this instance. The lack of transparency regarding government's decision to separate Sydney Gateway from WestConnex also reduces visibility of TfNSW's underestimation of the cost of delivering the road component of Sydney Gateway.

The November 2018 Final Business Case for Sydney Gateway, which was approved by the government, included an estimate of $2.45 billion (nominal outturn cost) for the road component. This estimate included an $800 million contribution from WestConnex. A more recent estimate (late 2020) for this project is $2.56 billion (nominal outturn cost).

The Parramatta Road Urban Amenity Improvement Program should be included as part of the WestConnex budget

A specific objective of the 2015 WestConnex Business Case was the creation of opportunities for urban renewal along and around Parramatta Road. The business case included an allocation of $198 million in the $16.812 billion WestConnex budget for the Parramatta Road Urban Amenity Improvement program, designed to implement aspects of the objective. In November 2018, the NSW Government removed the Parramatta Road Urban Amenity Improvement Program from the WestConnex program of works and reallocated the $198 million (inside the $16.812 billion WestConnex budget) for urban renewal works around the Rozelle Interchange. As part of this decision, government approved new funding of $198 million to the Greater Sydney Commission for the urban amenity program, outside the $16.812 billion WestConnex budget. This understates the cost of WestConnex meeting its objectives by $198 million.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

In August 2015, INSW conducted its first Gateway Review of WestConnex as a program consisting of composite projects. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or mega‑project. This is not inconsistent with the IIAF and all WestConnex related projects, including Sydney Gateway and the Network Integration Program, have undergone independent assurance reviews as individual projects under the IIAF.

Once a program like WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to provide independent assurance on the program as a whole until it is completed. This is then done as part of the Gateway review for benefits realisation, which examines whether project benefits are being measured and meet expectations. These individual projects are, in themselves, significant in scale and complexity. While addressing them as discrete components for the purposes of the assurance review process can be justified, the absence of strategic, holistic reviews of WestConnex allows for total costs and benefits to become opaque and avoid scrutiny. Programs of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

There is a lack of public transparency on the total costs and benefits of the WestConnex project

Prior to 2018, the Audit Office provided assurance on costs borne and levied by Sydney Motorway Corporation and its controlled entities. Since the NSW Government sold 51 per cent of its stake in WestConnex in August 2018, the Auditor‑General no longer has the mandate to provide this assurance. The Audit Office is also unable to provide any assurance regarding the performance of tolling concessions.

This means that the total costs of WestConnex, including those levied on road users through tolling, are not reported alongside the full cost of delivering the project. This information, and independent assurance over that information, would provide transparency and context to the outcome of government's sale of its interest in WestConnex.

To enhance the transparency of existing infrastructure assurance processes, government could consider requiring large and complex infrastructure programs to undergo periodic review at a whole‑of‑program level. This could take the form of annual reports to Parliament on the total costs and benefits of selected large and complex projects by the responsible agency. The reports could include an assessment of the cost to government and cost to the community of funding and financing. Independent assurance of the agency report would provide Parliament with greater confidence that infrastructure is delivered economically and providing value for money for the people of NSW.

The Australian National Audit Office provides similar assurance on selected Department of Defence acquisition projects as part of its annual Major Projects Report.

Design enhancements included in the 2015 WestConnex Updated Strategic Business Case were supported by robust analysis

The 2015 WestConnex Business Case contained more detail than the 2013 WestConnex business case. Design enhancements were made as a result of modelling analysis conducted over the two years since the 2013 business case. Enhancements included a full underground link between Kingsgrove and St Peters as part of the New M5 and re‑alignment of the M4‑M5 link tunnel (Stage 3) to include the Rozelle Interchange. The Rozelle Interchange will provide a direct connection to the Anzac Bridge and Victoria Road, and will enable a connection to the proposed Western Harbour Tunnel and Beaches Link. A map and description of these elements can be found at Exhibits 2 and 3 of this report.

In 2016, TfNSW revised the design of the M4‑M5 Link and Rozelle to address traffic and integration issues

As part of preparing the 2015 WestConnex Business Case, TfNSW prepared a Project Definition and Delivery Report (PDDR) for the M4‑M5 Link. This report describes the scope of the project, including a high‑level concept design. TfNSW identified limitations with the proposed design of the M4‑M5 in the PDDR, which it would need to address as the project moved to a detailed design stage. In particular, these limitations included:

  • poor integration with the Bays Precinct masterplan
  • traffic capacity constraints on Victoria Road and Anzac Bridge
  • construction complexity.

Following a comprehensive review in mid‑2016, TfNSW changed the design of the M4‑M5 Link and Rozelle Interchange to address these limitations. These changes included:

  • deletion of the Camperdown intersection to improve traffic conditions on Parramatta Road
  • a fully underground and larger Rozelle Interchange with 10‑hectare dedicated parklands
  • a toll‑free tunnel link from Iron Cove Bridge to Anzac Bridge
  • increasing the lanes in the dual tunnels from three to four each way.

TfNSW documented, but did not publish, the rationale for the design changes, including how the changes addressed the limitations of the previous design while providing increased community benefit through the creation of open space. TfNSW undertook cost comparison studies which estimated that these changes would have a neutral impact on the estimated project cost while achieving the same or improved benefits.

TfNSW's record‑keeping systems for large infrastructure investments negatively impact accountability and transparency

In response to our formal requests for relevant information, made during the conduct of this audit, TfNSW advised that complete and valid records of key decision‑making processes, analysis and advice were unavailable. Additionally, TfNSW often provided information that was incomplete or unverifiable (for instance, unsigned briefing notes). This is not consistent with accepted governance practices and does not comply with the requirements of the State Records Act 1998.

We also requested that TfNSW provide a list of relevant documents held by the Sydney Motorway Corporation (SMC). While TfNSW acknowledged that SMC may hold material relevant to the audit, TfNSW did not have a list or description of these documents. As SMC is now a majority privately held entity, both the Audit Office and TfNSW have limited power to require SMC to provide documentation.

The delivery timeframe for large and complex infrastructure projects such as WestConnex frequently exceeds five years, and some projects can take over a decade to deliver. These projects represent a significant investment of public resources and government agencies should expect independent review and assurance activities such as performance audits. The establishment of dedicated record keeping facilities for major infrastructure projects, such as data rooms, would improve transparency and accountability. This would ensure that the use of public resources is fully auditable in line with public expectations and the requirements of the Government Sector Finance Act 2018, the State Records Act 1998 and the Public Finance and Audit Act 1983.

2. Recommendations

By December 2021, TfNSW should:

1. review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects

2. when preparing business cases for complex large infrastructure projects, ensure that the estimated costs and benefits of works which are reasonably expected to meet consent conditions are included in the overall project cost and its benefits (as per Treasury guidelines)

3. establish and maintain centralised and project‑specific record keeping, including through dedicated project data rooms, to ensure major infrastructure projects can readily be subject to external oversight and assurance.

By June 2022, INSW should:

4. provide transparent whole‑of‑program assurance on total costs and benefits throughout the project life‑cycle when complex projects are split into sub‑projects.

By June 2022, NSW Government should:

5. consider enhancing the public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole‑of‑program level. This could take the form of reports to Parliament on the total costs and benefits on selected large and complex projects by the responsible agency, including cost to government and cost to community of funding and financing, as well as an accompanying independent assessment of the agency report.

Following our 2014 performance audit report 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF). INSW is responsible for the development, implementation and administration of the IIAF. The assurance framework involves gateway reviews, health checks, deep dive reviews, and project monitoring and reporting at various stages in the lifecycle of a project. The main aims of the IIAF are to help ensure major infrastructure projects are delivered on time and on budget, and to ensure that reports are regularly monitored by the Cabinet of the NSW Government. The IIAF gateway review process is compulsory for all significant investments and expenditure under the NSW Treasury Gateway Policy.

In accordance with the IIAF, INSW is responsible for the following:

  • providing a dedicated Assurance Team including Gateway Review Managers to coordinate Reviews
  • determining appropriate expert reviewers, and manages scheduling, commissioning and administration of Assurance Review reports. Infrastructure NSW is independent of the Expert Review Team
  • monitoring Tier 1 – High Profile/High Risk projects, Tier 2 and Tier 3 (if required) project performance through independent Assurance Reviews
  • providing independent analysis and advice on key risks and any corrective actions recommended for Tier 1 – High Profile/High Risk, Tier 2 and Tier 3 projects
  • escalating projects to Infrastructure Investor Assurance Committee (IIAC) and Cabinet where projects present ‘red flag issues’ and where corrective action is needed
  • working with delivery agencies to register all capital projects with an estimated cost greater than $10.0 million and ensures they are risk profiled and assigned a risk‑based project tier with an endorsed IIAF Project Registration report
  • preparing forward looking annual Cluster Assurance Plans
  • maintaining and continuously improves the IIAF process
  • reporting to the IIAC, Cabinet and Infrastructure NSW Board
  • regularly report to NSW Treasury on the performance of the IIAF.

In relation to WestConnex, TfNSW is the sponsor agency responsible for meeting relevant IIAF requirements, including:

  • registering and risk profiling projects
  • IIAF gateway, health check, and deep dive assurance reviews
  • regular reporting.

Under the IIAF, it is mandatory for all capital projects valued over $10.0 million to be registered with INSW. Capital projects can be registered either as a program (comprising of a group of related projects or activities) or as a project (which may or may not be part of a program).

According to the IIAF, programs tend to have a lifespan of several years and aim to deliver outcomes and benefits related to an organisation's strategic objectives. Projects tend to have a shorter lifespan, and deal with outputs. Projects can, however, be grouped under a single program if they are similar in nature or if they are aimed at collectively achieving a strategic objective. Complex projects can be delivered in multiple stages, under different contracts, and across different time periods.

The last assurance review of the entire WestConnex program of works as a whole was in 2015

INSW conducted the first IIAF gateway review of WestConnex in August 2015. TfNSW developed a draft WestConnex Updated Strategic Business Case to consolidate the latest analysis on WestConnex, and to confirm that the project remained fit for purpose, economically viable, and financially deliverable. The review followed a recommendation in our 2014 performance audit report that business cases be thoroughly revisited.

During September 2015, INSW conducted additional informal reviews to identify strategic risks associated with public release of the WestConnex business case. Subsequently, INSW gave the Premier of NSW its views on the draft business case, including the following points:

  • The $398 million budget for Sydney Gateway was insufficient to meet the benefits claimed in the business case for a ‘functional’ connection to Sydney Airport and Port Botany. INSW studies indicate a future‑proof solution would require a minimum spend of $755 million.
  • Enabling works for WestConnex estimated at $1.534 billion were excluded from the cost of WestConnex. Significant work remained for RMS to identify mitigation measures to address planning approvals and network performance issues.
  • Enabling works (a Southern Connector), an access ramp and surface road improvements within St Peters were excluded from the draft 2015 business case despite their inclusion in the WestConnex scope in the 2014–15 State Budget.
  • The overall cost of works not funded within the WestConnex budget ranged from $2.011 billion to $2.196 billion. This included the enabling works, access ramp and surface road improvements and the shortfall for Sydney Gateway.

All WestConnex related projects, including Sydney Gateway have undergone independent assurance reviews under the IIAF

Since INSW submitted the first WestConnex progress update report to Cabinet in June 2015, INSW has been reporting monthly on the different stages of the WestConnex Program, including Sydney Gateway, as the projects were registered with INSW as High‑Profile, High‑Risk projects. Separate reporting enabled INSW to report and review each stage with more detailed scrutiny, compared to the reporting and reviewing at a program level.

WestConnex Stage 2 (New M5) underwent both mandatory and non‑mandatory reviews at key points in the project lifecycle. Three mandatory gateway reviews – at Gate 2 (Final business case), Gate 3 (Readiness for market), and Gate 4 (Tender evaluation) – were conducted by TfNSW before the introduction of IIAF. Four non‑mandatory health check reviews and one non‑mandatory deep dive review were conducted after the introduction of the IIAF managed by INSW.

Similarly, WestConnex Stage 3 projects – M4‑M5 link, M4‑M5 Tunnels, and Rozelle Interchange – also underwent mandatory and non‑mandatory reviews at key points in their lifecycle under IIAF.

The M4‑M5 Link had two mandatory gateway reviews and one non‑mandatory health check review under IIAF. These reviews were conducted before Stage 3 was split into two stages, due to major design changes to the Rozelle Interchange and the M4‑M5 tunnels.

The M4‑M5 tunnels had two mandatory gateway reviews (at Gates 3 and 4), one non‑mandatory health check review, and one non‑mandatory deep dive review under IIAF.

Rozelle Interchange also underwent three mandatory gateway reviews at Gate 3 (part 1), Gate 3 (part 2), and Gate 4, two non‑mandatory health check reviews, and one non‑mandatory deep dive review under IIAF.

Since mid‑2017, the Sydney Gateway project has undergone required independent assurance reviews, as well as a number of optional assurance reviews

In November 2016, INSW conducted a mandatory Gate 1 gateway review on a strategic business case for the Sydney Gateway Project. TfNSW did not proceed with this business case. Following the separation of Sydney Gateway from WestConnex in mid‑2017, TfNSW developed a new business case for Sydney Gateway. It has undergone the required Gate 1, Gate 2, and Gate 3 gateway reviews, as well as two non‑mandatory health check reviews, and three non‑mandatory deep dive reviews under IIAF.

Network integration works have undergone all IIAF required assurance reviews

TfNSW completed a strategic business case for the Network Integration Program in August 2020, and INSW completed a gateway review in November 2020. This is despite network integration projects starting as early as 2015, with $645 million having been spent by June 2020. The strategic business case included a prioritisation process for completing remaining works in the program. Prior to November 2020, TfNSW registered individual network integration projects with INSW, and these projects have undergone gateway reviews where required.

The Network Integration Program strategic business case does not include Rozelle interchange network integration works ($353 million) and additional network integration works to settle a contractor claim adjacent to St Peters Interchange ($190 million). These were excluded from the business case on the basis they had already been approved by government, and as such were not subject to the prioritisation elements of the business case. TfNSW has not developed separate business cases for these works, although the scope of the St Peters Interchange works was developed through a negotiated process.

TfNSW did not prepare business cases for some network integration works which have commenced, including the $323 million Campbell Road/Euston Road works

Prior to its development of the August 2020 strategic business case, TfNSW did not prepare business cases for many network integration works that have commenced, and in some instances were completed, before 2019. Significantly, TfNSW did not prepare a business case for the Campbell Road/Euston Road works, which cost $323 million and have been completed.

In 2016, TfNSW’s Business Case Policy requires the creation of business cases for capital projects costing over $1.0 million. At the time of writing this report, TfNSW’s draft policy requires full business cases for capital projects costing $10.0 million or more.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

INSW conducted its first gateway review of WestConnex (as a program, which consisted of composite projects) in August 2015. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or complex project. The IIAF allows this to occur.

Separate registration enabled INSW to report and review each stage with more scrutiny compared to whole‑of‑program level review.

Such an approach has merit, considering the individual stages (and components of these stages) are multi‑million dollar works in their own right. Each project has its own timing for gateway reviews at stages such as 'Readiness for Market' and 'Tender Evaluation'.

Once a program such as WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to conduct independent assurance on the program of works as a whole until the whole program is completed as part of the Benefits Realisation (Gate 6) gateway review. The absence of strategic, holistic reviews of projects of the scale and complexity such as WestConnex during their delivery allows for total costs and benefits to become opaque and avoid scrutiny. Projects of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

INSW has advised us that it has prepared a proposal to expand its assurance function to include whole‑of‑program review of inter‑related infrastructure projects.

Appendix one – Responses from agencies

Appendix two – Network integration works

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #351 - released (17 June 2021).

Published

Actions for Acquisition of 4–6 Grand Avenue, Camellia

Acquisition of 4–6 Grand Avenue, Camellia

Transport
Asset valuation
Compliance
Fraud
Infrastructure
Internal controls and governance
Management and administration
Procurement
Risk

The Auditor-General for New South Wales, Margaret Crawford, has today released a report on Transport for NSW’s (TfNSW) acquisition of 4–6 Grand Avenue in Camellia.

This audit, which was requested on 17 November 2020 by the Hon. Andrew Constance MP, the Minister for Transport and Roads, examined:

  • whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
  • whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

The audit found that TfNSW conducted an ineffective process when it purchased 4–6 Grand Avenue, Camellia. The audit also found that TfNSW’s internal policies and procedures to guide the transaction were, and continue to be, insufficient.

The Auditor-General has made seven recommendations to address the issues identified in the report.

On 17 November 2020, the Hon. Andrew Constance MP, the Minister for Transport and Roads, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983.

On 15 June 2016, Transport for New South Wales (TfNSW) acquired 6.3 hectares of land at 4–6 Grand Avenue, Camellia, by agreement from Grand 4 Investments Pty Ltd. Grand 4 Investments was a business entity established by the owners of Billbergia Pty Ltd, a property development and investment company.

TfNSW paid Grand 4 Investments $53.5 million and assumed liability for addressing environmental issues and contamination associated with the site. This took place seven months after the vendor acquired the land as part of a competitive Expression of Interest process, in which TfNSW also participated, for $38.15 million.

TfNSW is the NSW Government agency responsible for most major transport infrastructure projects in New South Wales. TfNSW acquired the Camellia site for use as a stabling and maintenance depot to support the Parramatta Light Rail (PLR) project.

Consistent with the minister’s request, this audit assessed:

  • whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
  • whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

In considering the effectiveness of the processes for this purchase, the audit considered:

  • the requirements of the Land Acquisition (Just Terms Compensation) Act 1991 (the Act)
  • the application of sound processes to manage risk to the NSW Government and to achieve value for money
  • the application of disciplines associated with complex procurement, such as probity, in a NSW Government context.
The acquisition of the 4–6 Grand Avenue site in Camellia was consistent with a 2014 feasibility study for the PLR, but occurred before the completion of detailed project planning or an acquisition strategy.

TfNSW made two attempts to acquire the 4–6 Grand Avenue site in Camellia, and was successful on the second attempt. TfNSW recognised the risks associated with early acquisition and had high-level strategies in place should the site not be required.

The specific site had been identified in a feasibility study for the PLR commissioned by TfNSW in 2014 as one of several options in Camellia for a stabling and maintenance depot. However, TfNSW had not done any substantive analysis of the various options to identify a preferred location before the two opportunities to acquire 4–6 Grand Avenue were brought to TfNSW’s attention by the landowners (or their agents). On both occasions, TfNSW chose to actively pursue acquisition in advance of any such analysis.

The acquisition was also not informed by a Property Acquisition Strategy, which TfNSW policy recommends in order to guide the process and manage acquisition specific risks.

In 2015, TfNSW identified that it would require a stabling and maintenance depot in the Camellia area for the Parramatta Light Rail

In 2014, TfNSW commissioned an external engineering consultancy to undertake a feasibility design study for the Parramatta Light Rail - the Parramatta Transport Corridor Strategy Feasibility Design study (herein referred to as ‘the feasibility study’). In early 2015, TfNSW received the feasibility study, which was one of several key sources that informed the development of business cases for the PLR.

The feasibility study recommended that TfNSW should consolidate the maintenance and cleaning operations with overnight stabling facilities on one site. The study noted that the optimal location for any such site would be in close proximity to the proposed network, and noted that the site must have access to road connections to accommodate access for cars and trucks.

The study found that a centrally located stabling and maintenance facility would be required for all routes serving the Parramatta CBD, and that the Camellia industrial area was a preferred location for such a facility. The study noted that the Camellia area was contaminated.

The feasibility study notes that its conclusions were based on assumptions about the light rail system adopted and decisions made by the future operator of the system, who had not yet been selected or appointed.

TfNSW's decision to progress a potential acquisition in 2015 considered the risk that the site may not be required

TfNSW's FIC was responsible for making decisions on funding allocations at a whole of program level within TfNSW. FIC was also responsible for approving ‘high-risk/high-value’ variations to program budgets. Members of the FIC included:

  • Secretary of Transport for NSW
  • Deputy Secretary, Infrastructure and Services
  • Deputy Secretary, Freight, Strategy and Planning
  • Deputy Secretary, Customer Services
  • Deputy Secretary Finance and Investment
  • Deputy Secretary People and Corporate Services.

An April 2015 submission, from the then Deputy Director-General to the agency’s FIC, sought authorisation and funding approval to participate in an Expression of Interest sale process. It noted the risk that the project may not go ahead. The submission advised that:

By acquiring a strategic site now, it reduces the risk of having to pay an improved value or a value that may be subject to rapidly improving land values due to changes in land use and rezoning.

The property can be acquired for the project, held strategically and income generated by leasing the site as hardstand 1 space until the project requires the land for the Parramatta Light Rail project.

If the project does not proceed in the medium to longer term, the property can be sold at a premium to what has been paid today as property fundamentals improve.

This submission acknowledged the risks associated with environmental contamination and proposed that these risks would be managed by negotiating a contract where the remediation and associated expenses would be at the landowner’s cost. 

TfNSW assessed the 4–6 Grand Avenue site as one of several sites in Camellia that was a feasible location for a stabling and maintenance facility

The Departmental feasibility study assessed six potential sites for a stabling and maintenance facility, including 4–6 Grand Avenue, noting strengths and weaknesses of each site. A different site on Grand Avenue was assessed as the ‘base case’ option (1 Grand Avenue). The study’s comments on the 4–6 Grand Avenue site included the following:

With an area of approximately 63,000m2, this site has sufficient space for a depot with the required stabling yard and maintenance facilities. The location allows for good road access and LRT [light rail transit] access would be from Grand Avenue, which may require a road crossing or signalised intersection. The site has been used for general industrial uses; however the land has been cleared and is currently undergoing remediation 2. The site is not affected by flooding based on one in 100-year flood data.

In early 2015, once the opportunity to acquire 4–6 Grand Avenue emerged, TfNSW commissioned a specific feasibility study of the 4–6 Grand Avenue site. The feasibility studies clearly documented the existence of environmental contamination. In April 2015, the report concluded:

Given the limitations of this report and within the parameters that have been set it is concluded that from a spatial and geographic perspective the site at 6 Grand Avenue would be suitable as a stabling and maintenance depot for the Parramatta light rail project. There are few engineering and environmental constraints that would affect the feasibility level analysis of this site and all issues identified, within this desk study, are considered to be resolvable. However this being said there is a significant amount of work necessary to reach the final layout and definition of the stabling and maintenance depot. There are numerous items which require further consideration and conformation; planning approvals could impose restrictions on building heights, noise mitigation measures, light and visual impact requirements all of which can have significant impacts on the spatial requirements of any stabling and maintenance depot. 

The acquisition of 4–6 Grand Avenue was not informed by a Property Acquisition Strategy

For major projects, TfNSW typically requires the project team to complete a Property Acquisition Strategy, which is intended to guide both process as well as specific acquisition issues expected to be faced during the project. The Property Acquisition Strategy is not a mandated document but is a recommended tool to support property acquisition as part of major projects.

TfNSW did not have a Property Acquisition Strategy in place to guide the 2015 Expression of Interest process. On 6 November 2015, the then Project Director for the PLR project emailed the property team, noting a need to develop a Property Acquisition Strategy to close off the scoping design and preliminary business case.

In January 2016, TfNSW developed a draft Property Acquisition Strategy for the Parramatta Light Rail Project, although it was silent on the potential sites for the stabling and maintenance facility.

TfNSW focussed on 4–6 Grand Avenue because it was available and aligned to TfNSW's strategic interests

In early 2015, officials commenced monitoring the market for industrial real estate in the Camellia area and surrounds for possible sites for a stabling and maintenance facility.

In March 2015, then owner of the site, Akzo Nobel Pty Limited released the 4–6 Grand Avenue site through an Expression of Interest process managed by CBRE.

TfNSW’s then Deputy Director-General, Planning, sought approval from FIC to lodge an Expression of Interest up to $30.0 million. Approval was sought on the basis that it would ‘provide certainty for the Parramatta Light Rail project by allowing for a depot site in a suitable location and potentially avoid higher costs or longer timeframes associated with compulsory acquisition following completion of the project’s business case’. FIC approved the request at its meeting on 9 April 2015.

At this time, TfNSW had not conducted any analysis of financial or operational benefits and costs of the potential sites identified in earlier feasibility studies. TfNSW staff advised us that the decision to participate in the Expression of Interest process for 4–6 Grand Avenue was because it was available. There is no documentation substantiating this statement, which TfNSW staff provided verbally as part of this audit.

In November 2015, TfNSW was advised that it was unsuccessful in the Expression of Interest process and that Grand 4 Investments (a related entity of Billbergia) had purchased 4–6 Grand Avenue. TfNSW did not conduct any further analysis of alternative potential sites in Camellia between this date and commencing discussions with Grand 4 Investments in April 2016. In that time there had been some movement on other properties that were included in the feasibility study, including 37–39a Grand Avenue being under offer in September 2015.

In March 2016, TfNSW approached CBRE to organise a meeting with Grand 4 Investments. On 1 April 2016, TfNSW met with Grand 4 Investments.

TfNSW advises that a perceived benefit of the 4–6 Grand Avenue site was that it was not subject to other uses or leaseholds that would increase the cost of compulsory acquisition. Officers involved in the acquisition advised that other nominated sites in the feasibility study were subject to other uses or leaseholds. 


1  A hardstand space is a large, paved area to store cars, heavy vehicles and machinery.
2  Officers familiar with the acquisition could not confirm the nature of remediation being undertaken, but noted that the previous landowner had cleared buildings from the site, which may have been considered part of remediation.
TfNSW's independent valuation, which it commissioned and received after the acquisition, specifically excluded consideration of environmental contamination risk. As a result, TfNSW is exposed to the risk that the acquisition was not fully compliant with the Land Acquisition (Just Terms Compensation) Act 1991 (the Act) because it did not use an accurate estimate of market value during negotiations. That said, the acquisition of 4–6 Grand Avenue by agreement was consistent with preferred processes described in the Act.

TfNSW acquired the site from the landowner by agreement, and this is consistent with provisions in the Act. Obtaining approval for compulsory acquisition should negotiations for agreement break down is also consistent with the Act. That said, TfNSW did not at any time assess whether a compulsory acquisition could have resulted in acquisition at a lower cost than what was negotiated by agreement.

Despite the high risks associated with the acquisition, TfNSW did not commission a formal valuation in time to inform the negotiation and purchase. Instead, TfNSW relied on internal advice to estimate market value, but did not obtain a formal valuation from those advisors. For high-risk transactions, the greater expertise and arm's-length independence of an external specialist valuer should be preferred over an agency's own staff.

On 15 June 2016, the settlement date for the acquisition, TfNSW commissioned a formal independent valuation of the site. On 23 November 2016, TfNSW received the final formal valuation report. By not obtaining a formal independent valuation of the property in advance of acquisition to inform the acquisition value, TfNSW exposed itself to non-compliance with the Act by not establishing the market value as the basis for the acquisition price. TfNSW also breached its own internal policies.

TfNSW instructed the valuer to conduct its valuation within the following parameters:

  • Market valuation on an ‘as is’ basis – market value based on the methodology described in the Act. This approach valued the site at $25.0 million.
  • Market valuation on a speculative development basis – market value based on the financial value of the vendor's intended use of the site which, in this case, involved leasing the site for industrial use. This approach valued the site at $52.0 million, and TfNSW advised us this valuation supported the purchase price.
  • Disregard the impact of environmental contamination – TfNSW specifically instructed the independent valuer to disregard any known (or unknown) site contamination. As TfNSW knew of the significant environmental contamination affecting the site, this parameter resulted in a valuation that overstated the value of the site as it did not consider the cost of environmental remediation. The valuer applied this assumption for both market valuation approaches.

Additionally, as the independent valuer completed the valuation after the purchase was finalised, there is a risk that the valuation may have been influenced by the known purchase price.

TfNSW's failure to acquire a formal valuation and an assessment of the financial impact of environmental remediation before it purchased 4–6 Grand Avenue represents ineffective administration and governance.
TfNSW acquired the site at a time when there was demand and increasing prices for industrial property in the area. However, TfNSW did not effectively assess and manage the risks associated with the acquisition, and gaps in process led to increased risk. Briefings to decision-makers did not contain important information, and we found no evidence that gaps in advice were queried or explored by decision-makers.

TfNSW did not have plans or advice in place to assist in managing risk, such as:

  • a property acquisition plan
  • a comprehensive and up-to-date risk management plan
  • a negotiation strategy, or any authorisation limit or minimal acceptable position
  • an independent professional evaluation
  • external expert advice (with the exception of legal advice relating to the contract of sale).

TfNSW was aware of contamination issues affecting the land and had access to considerable information about the environmental conditions, such as site environmental audit reports and information on the NSW Environment Protection Authority's contaminated land register. However, TfNSW had not analysed specific technical information about the contamination and therefore was not aware of the risk implications and cost for remediation. Despite this, TfNSW changed its position from not accepting the risks and costs of contamination, to acquiring the site unconditionally. The basis for this decision is unclear and undocumented.

Briefing to senior leaders on the acquisition was silent on a number of important matters that would have been important for approvers to consider, including:

  • an explanation of the 40 per cent increase in purchase price between November 2015 and May 2016, and a 165 per cent increase from TfNSW’s offer in April 2015
  • the contamination risks associated with the site and an evidence-based estimate of potential costs to remediate the site
  • advice that an independent valuation had not been obtained, inconsistent with TfNSW policy.

Consideration of the acquisition by FIC was based on a summary business paper and was managed out-of-session, thereby removing the ability for comprehensive consideration of the acquisition proposal and its risks.

The probity management controls and assurances in place for the acquisition of the 4–6 Grand Avenue site were insufficient. These insufficiencies were exacerbated by the probity risk profile of the transaction.

The 4–6 Grand Avenue acquisition was a high-risk/high-value transaction, undertaken in a volatile property market in a short timeframe under pressure from Grand 4 Investments. TfNSW was engaging in a direct negotiation in advance of detailed planning for the acquisition, or the PLR as a whole. These circumstances contribute to heightened probity risk.

TfNSW did not establish a probity plan and sought no probity support throughout the acquisition. Also, with one exception, the staff involved in the acquisition did not complete conflict of interest declarations.

TfNSW was aware of the potential for probity or integrity issues with the transaction when it commissioned an internal audit in connection with the transaction in 2019. Internal discussions considered whether a misconduct investigation may be more appropriate, however no such investigation was undertaken.

TfNSW's insufficient probity practices, in addition to its failure to keep complete or comprehensive records of negotiations or decisions, reduce transparency of the process and its outcome and expose TfNSW to a greater risk of misconduct, corruption and maladministration.

At the time of the transaction, the TfNSW policy framework was not sufficiently risk-focussed and did not provide clarity on when officers ought to apply specific guidance or procedures. TfNSW's policies and procedures are more focussed on acquiring land to meet project needs and timeframes, and less on assuring value for money and managing risks.

At the time of its acquisition of 4–6 Grand Avenue, TfNSW had property acquisitions policies and procedures in place. Each of these were broadly sound in their content and intent. However, they lacked specificity on how or when to apply guidance, and when risk levels should elevate the importance of recommended guidance.

TfNSW's key guidance was principles based and relied on agency staff using their experience and expertise to apply guidance according to the circumstances of an individual transaction. This guidance was not duly applied in the acquisition of 4–6 Grand Avenue, Camellia. In addition, TfNSW does not have quality or control assurance to identify when TfNSW officers did not apply important policies or processes.

The primary focus of the TfNSW’s property acquisition guidance is to achieve vacant possession of land in a timeframe that meets the need of the relevant transport project. There is less specific focus on the need to meet the requirements of the NSW Government financial management framework.

Appendix one – Response from agency 

Appendix two – About the audit 

Appendix three – Performance auditing

 

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #349 - released (18 May 2021).

Published

Actions for CBD South East Sydney Light Rail: follow-up performance audit

CBD South East Sydney Light Rail: follow-up performance audit

Transport
Infrastructure
Internal controls and governance
Management and administration
Procurement
Project management
Risk
Service delivery

This is a follow-up to the Auditor-General's November 2016 report on the CBD South East Sydney Light Rail project. This follow-up report assessed whether Transport for NSW has updated and consolidated information about project costs and benefits.

The audit found that Transport for NSW has not consistently and accurately updated project costs, limiting the transparency of reporting to the public.

The Auditor-General reports that the total cost of the project will exceed $3.1 billion, which is above the revised cost of $2.9 billion published in November 2019. $153.84 million of additional costs are due to omitted costs for early enabling works, the small business assistance package and financing costs attributable to project delays.

The report makes four recommendations to Transport for NSW to publicly report on the final project cost, the updated expected project benefits, the benefits achieved in the first year of operations and the average weekly journey times.

Read full report (PDF)

The CBD and South East Light Rail is a 12 km light rail network for Sydney. It extends from Circular Quay along George Street to Central Station, through Surry Hills to Moore Park, then to Kensington and Kingsford via Anzac Parade and Randwick via Alison Road and High Street.

Transport for NSW (TfNSW) is responsible for planning, procuring and delivering the Central Business District and South East Light Rail (CSELR) project. In December 2014, TfNSW entered into a public private partnership with ALTRAC Light Rail as the operating company (OpCo) responsible for delivering, operating and maintaining the CSELR. OpCo engaged Alstom and Acciona, who together form its Design and Construct Contractor (D&C).

On 14 December 2019, passenger services started on the line between Circular Quay and Randwick. Passenger services on the line between Circular Quay and Kingsford commenced on 3 April 2020.

In November 2016, the Auditor-General published a performance audit report on the CSELR project. The audit found that TfNSW would deliver the CSELR at a higher cost with lower benefits than in the approved business case, and recommended that TfNSW update and consolidate information about project costs and benefits and ensure the information is readily accessible to the public.

In November 2018, the Public Accounts Committee (PAC) examined TfNSW's actions taken in response to our 2016 performance audit report on the CSELR project. The PAC recommended that the Auditor-General consider undertaking a follow-up audit on the CSELR project. The purpose of this follow-up performance audit is to assess whether TfNSW has effectively updated and consolidated information about project costs and benefits for the CSELR project.

Conclusion

Transport for NSW has not consistently and accurately updated CSLER project costs, limiting the transparency of reporting to the public. In line with the NSW Government Benefits Realisation Management Framework, TfNSW intends to measure benefits after the project is completed and has not updated the expected project benefits since April 2015.

Between February 2015 and December 2019, Transport for NSW (TfNSW) regularly updated capital expenditure costs for the CSELR in internal monthly financial performance and risk reports. These reports did not include all the costs incurred by TfNSW to manage and commission the CSELR project.

Omitted costs of $153.84 million for early enabling works, the small business assistance package and financing costs attributable to project delays will bring the current estimated total cost of the CSELR project to $3.147 billion.

From February 2015, TfNSW did not regularly provide the financial performance and risk reports to key CSELR project governance bodies. TfNSW publishes information on project costs and benefits on the Sydney Light Rail website. However, the information on project costs has not always been accurate or current.

TfNSW is working with OpCo partners to deliver the expected journey time benefits. A key benefit defined in the business plan was that bus services would be reduced owing to transfer of demand to the light rail - entailing a saving. However, TfNSW reports that the full expected benefit of changes to bus services will not be realised due to bus patronage increasing above forecasted levels.

Appendix one – Response from agency

Appendix two – Governance and reporting arrangements for the CSELR

Appendix three – 2018 CSELR governance changes

Appendix four – About the audit

Appendix five – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #335 - released 11 June 2020