What this report is about

NSW local councils provide a wide range of essential services and infrastructure to their communities and are increasingly reliant on digital technologies.

Councils need to manage cyber security risks to ensure their information, data and systems are appropriately safeguarded. Councils also need to be prepared to detect, respond and recover when a cyber security incident occurs.

The audit assessed how effectively three selected councils identified and managed cyber security risks.

The audit also included the Department of Planning, Housing and Infrastructure (Office of Local Government) and Department of Customer Service (Cyber Security NSW), due to their roles in providing guidance and support to local councils.

Audit findings

The audit found that the selected councils are not effectively identifying and managing cyber security risks. Each of the councils undertook activities to improve their cyber security during the audit period, but this audit found significant gaps in their cyber security risk management and cyber security processes.

Such gaps result in unmitigated risks to the security of information and assets which, if compromised, could impact their local communities, service delivery and public infrastructure.

Cyber Security NSW and the Office of Local Government recommend that councils adopt requirements in the Cyber Security Guidelines for Local Government, but could do more to monitor whether the Guidelines are enabling better cyber security risk management in the sector.

Audit recommendations

In summary, the councils should:

• integrate assessment and monitoring of cyber security risks into corporate governance processes
• self-assess their performance against Cyber Security NSW's guidelines for local government
• develop and implement a risk-based cyber security improvement plan and program of activities
• develop, implement and test a cyber incident response plan.

Cyber Security NSW and the Office of Local Government should regularly consult on cyber security risks facing local government, and review the effectiveness of guidelines and related resources for the sector.

While this report focuses on the performance of the selected councils, the findings and recommendations should be considered by all councils to better understand their risks and challenges relevant to managing cyber security risks.

Read the PDF report

Parliamentary reference - Report number #392- released 26 March 2024

What this report is about

Extreme rainfall across eastern Australia in 2021 and 2022 led to a series of major flood events in New South Wales.

This audit assessed how effectively the NSW Government provided emergency accommodation and temporary housing in response to the early 2022 Northern Rivers and late 2022 Central West flood events.

Responsible agencies included in this audit were the Department of Communities and Justice, NSW Reconstruction Authority, the former Department of Planning and Environment, the Department of Regional NSW and the Premier’s Department.

Findings

The Department of Communities and Justice rapidly provided emergency accommodation to displaced persons immediately following these flood events.

There was no plan in place to guide a temporary housing response and agencies did not have agency-level plans for implementing their responsibilities.

The NSW Government rapidly procured and constructed temporary housing villages. However, the amount of temporary housing provided did not meet the demand.

There is an extensive waitlist for temporary housing and the remaining demand in the Northern Rivers is unlikely to be met. The NSW Reconstruction Authority has not reviewed this list to confirm its accuracy.

Demobilisation plans for the temporary housing villages have been developed, but there are no long-term plans in place for the transition of tenants out of the temporary housing.

Agencies are in the process of evaluating the provision of emergency accommodation and temporary housing.

The findings from the 2022 State-wide lessons process largely relate to response activities.

Audit recommendations

The NSW Reconstruction Authority should:

• Develop a plan for the provision of temporary housing.
• Review the temporary housing waitlist.
• Determine a timeline for demobilising the temporary housing villages.
• Develop a strategy to manage the transition of people into long-term accommodation.
• Develop a process for state-wide recovery lessons learned.

All audited agencies should:

• Finalise evaluations of their role in the provision of emergency accommodation and temporary housing.
• Develop internal plans for implementing their roles under state-wide plans.

Read the PDF report

Parliamentary reference - Report number #389 - released 22 February 2024

What this report is about

The report assesses whether the Department of Customer Service (the department) complied with legislation and NSW government policy when it directly negotiated with Duncan Solutions to procure backend services relating to the Park'nPay app.

The Park'nPay app, developed by the department, enables users to locate and pay for parking remotely using their smart mobile device.

The audit found

The department failed to establish the grounds for entering a direct negotiation procurement strategy, without any competitive tendering, for services for the Park'nPay app. It rushed a decision to trial the app in The Rocks, without considering how this might affect its procurement obligations.

There is no evidence that the procurement achieved value for money. Despite being required by legislation, as well as mandatory NSW government policy, the department did not consider how it would ensure value for money, nor did it demonstrate an adequate understanding of what is meant by value for money on this occasion.

The department failed to implement key probity requirements. There was no effective management of conflicts of interest. Key decisions were not documented. There was a lack of clarity, transparency, and oversight of the relationship between the Minister's office and staff in the department.

The audit made recommendations about

1. making and retaining complete and accurate records, particularly on decisions to commit or expend public money
2. ensuring department staff understand how to exercise their financial delegations and procurement processes
3. ensuring that only staff with appropriate delegations are committing or approving the spending of public money
4. consistency with the contract extension provisions of the NSW Government Procurement Policy Framework, particularly regarding ensuring value for money
5. protocols to guide the interactions between department staff and Minister and Minister's staff
6. the need for proper management and oversight of contingent workers, such as contractors.

On 27 February 2019 the then Minister for Finance, Services and Property announced the commencement of a Park’nPay app trial in The Rocks precinct of Sydney.

The app was intended to enable users to locate and pay for parking remotely, using their smart mobile device such as a phone or tablet, rather than needing to physically be at a parking meter.

In July 2019, following a direct negotiation procurement conducted by the then Department of Finance, Services and Innovation, a contract was executed with Duncan Solutions for an estimated value of $1,260,600 over three-years, with three single-year options to extend. The contract required Duncan Solutions to provide development services to link the Park'nPay app to its Parking Enterprise Management System platform and to provide ongoing software support services.

This audit assessed whether the department complied with the procurement obligations that applied at the time it procured these services from Duncan Solutions.

This audit focussed on the department's processes and decision-making relating to:

• the direct negotiation with Duncan Solutions at the exclusion of any other potential supplier
• the negotiation, execution and management of the contract with Duncan Solutions.

As this audit focusses on the department's procurement and contract management processes, it does not comment on the activities of Duncan Solutions. The detailed audit objective, criteria and audit approach are in Appendix three.

The auditee is the Department of Customer Service. As a result of machinery of government changes, the Department of Finance, Services, and Innovation became the Department of Customer Service from 1 July 2019. To avoid confusion, this report simply uses ‘the department’ to refer to either. Where the report refers to the Minister, it relates to the former Minister in office at the time.

Appendix one – Response from auditee

Appendix two – Key requirements of the department's procurement manual 

Appendix three – About the audit 

Appendix four– Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #387 - released 14 December 2023

What the report is about

This audit assessed how effectively the Department of Planning and Environment (Heritage NSW) is overseeing and administering heritage assets of state significance.

Heritage that is rare, exceptional or outstanding to New South Wales may be listed on the State Heritage Register under the Heritage Act 1977. This provides assets with legal recognition and protection. Places, buildings, works, relics, objects and precincts can be listed, whether in public or private ownership.

Heritage NSW has administrative functions and regulatory powers, including under delegation from the Heritage Council of NSW, relevant to the listing, conservation and adaptive re-use of heritage assets of state significance.

In summary, the audit assessed whether Heritage NSW:

• is effectively administering relevant advice and decisions
• is effectively supporting and overseeing assets
• has established clear strategic priorities and can demonstrate preparedness to implement these.

What we found

Heritage NSW does not have adequate oversight of state significant heritage assets, presenting risks to its ability to promote the objects of the Heritage Act.

Information gaps and weaknesses in quality assurance processes limit its capacity to effectively regulate activities affecting assets listed on the State Heritage Register.

Heritage NSW has adopted a focus on customer service and recently improved its timeliness in providing advice and making decisions about activities affecting listed assets. But Heritage NSW has not demonstrated how its customer-focused priorities will address known risks to its core regulatory responsibilities.

Listed assets owned by government entities are often of high heritage value. Heritage NSW could do more to promote effective heritage management among these entities.

What we recommended

The report made eight recommendations to Heritage NSW, focusing on:

• improving quality assurance over advice and decisions
• improving staff guidance and training
• defining and maintaining data in the State Heritage Register
• clarifying its regulatory intent and approach
• sector engagement and interagency capability to support heritage outcomes.

The Heritage Act 1977 (the Heritage Act) and accompanying regulation provide the legal framework for the identification, conservation and adaptive re-use of heritage assets in New South Wales.

The Department of Planning and Environment (Heritage NSW) has responsibility for policy, legislative and program functions for state heritage matters, including supporting the Minister for Heritage to administer the Heritage Act.

Heritage assets that are rare, exceptional or outstanding beyond a local area or region may be listed on the State Heritage Register under the Heritage Act. These assets include places, buildings, works, relics, moveable objects and precincts, and assets that have significance to Aboriginal communities in New South Wales. Assets nominated for and listed on the State Heritage Register ('listed assets') may be owned privately or publicly, including by local councils and state government entities.

The Heritage Act establishes the Heritage Council of NSW (the Heritage Council) to undertake a range of functions in line with its objectives. Heritage NSW provides administrative support to the Heritage Council, for example providing advice on assets that have been nominated for listing on the State Heritage Register. Many of Heritage NSW’s core activities also relate to exercising functions and powers under delegation from the Heritage Council. These include making administrative decisions about works affecting listed assets, and exercising powers to regulate asset owners’ compliance with requirements under the Heritage Act.

Heritage NSW states that heritage:

According to Heritage NSW, an effective heritage system will facilitate the community in harnessing the cultural and economic value of heritage.

The objective of this audit was to assess how effectively the Department of Planning and Environment (Heritage NSW) is overseeing and administering heritage assets of state significance.

For this audit, ‘heritage assets of state significance’ refers to items (including a place, building, work, relic, moveable object or precinct) listed on the State Heritage Register ('listed assets'), and those which have been nominated for listing.

This chapter assesses the effectiveness of Heritage NSW's oversight of state heritage assets, including its visibility of listed assets, and its oversight of regulatory decision-making. It also assesses Heritage NSW's activities to engage with owners to meet their obligations under the Heritage Act and to support heritage outcomes.

This chapter assesses the timeliness of Heritage NSW’s provision of advice, recommendations, and decisions on heritage issues to support heritage management outcomes with respect to listed assets.

This chapter assesses whether the Department of Planning and Environment (Heritage NSW) has established clear strategic priorities to effectively oversee and administer activities related to listed assets, and its preparedness to implement reforms. It also assesses the adequacy of planning activities and governance arrangements to support the achievement of strategic directions.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #384 - released 27 June 2023

Introduction

The Auditor-General's financial and performance audits of local councils aim to improve financial management, governance and public accountability across the local government sector.

Annual Local Government reports to Parliament have consistently highlighted risks and weaknesses across the sector in relation to financial management and governance. We will continue to focus on these matters as a priority area in our forward work program.

While this report focuses on MidCoast Council, the findings should be considered by all councils to better understand the challenges and opportunities when addressing financial sustainability and financial management needs.

Findings and recommendations around the effectiveness of long-term financial planning, comprehensive and timely financial reporting and financial management governance arrangements are relevant for all councils.

What this report is about

The Local Government Act 1993 requires councils to apply sound financial management principles, including sustainable expenditure, effective financial management and regard to intergenerational equity.

This audit assessed whether MidCoast Council has effective financial management arrangements that support councillors and management to fulfill their responsibilities as financial stewards.

What we found

MidCoast Council has not met all legislative and policy requirements for long-term financial planning.

From FY2019–20 to FY2020–21, the Council had financial management and governance gaps. Some gaps were addressed throughout FY2021–22.

MidCoast Council experienced significant challenges in its implementation of a consolidated financial management system following amalgamation in 2016 and the merging of MidCoast Water in 2017. This led to gaps in finance processes and data quality.

What we recommended

The report recommends that MidCoast Council should:

• ensure its long-term financial plan meets legislative and policy requirements
• undertake service reviews to better understand net costs to inform budget and financial planning decisions
• improve the quality of asset management information to inform budget and financial planning decisions
• use the financial management components of the MC1 system to its full potential
• address control and process gaps identified in audits and reviews
• ensure competency of those responsible for finance and budget
• ensure financial sustainability initiatives account for the cost of services and asset management information.

Effective financial management is important in ensuring that councils achieve their long-term objectives, remain financially viable and deliver intended benefits to the community.

Sustainable financial management has been a priority for the local government sector since 2013 and continues to be one of the highest rated risks and priorities among councils in 2023.

According to data provided by the Department of Planning and Environment, during FY2020–21, NSW local councils:

• collected $7.8 billion in rates and annual charges
• received $5.8 billion in grants and contributions
• incurred $4.8 billion of employee benefits and on costs
• held $16.8 billion of cash and investments
• managed $175.2 billion in infrastructure, property plant and equipment
• entered into $3.7 billion of borrowings.

The Local Government Act 1993 (LG Act) requires local councils to apply sound financial management principles including responsible and sustainable expenditure, investment, and effective financial and asset management. Under the LG Act and the Local Government Regulation 2021 (LG Regulation) councils are required to:

• establish and monitor their budget position
• clearly establish approaches to raise revenue, including from rates and other sources
• develop and implement integrated planning to ensure financial sustainability in line with community priorities and needs
• regularly report on their financial performance through financial statements.

The objective of the audit is to assess whether MidCoast Council (the Council) has effective financial management arrangements that support councillors and management to fulfil their financial stewardship responsibilities. It considers whether:

• the Council has an effective governance framework for financial management, through the existence of governance, risk management, internal controls and provision of adequate financial management training, including whether:
  • governance, risk management and internal controls are in place for financial management
  • adequate financial management and governance training and support has been provided to councillors, management and operational managers.
• the Council has quality and comprehensive internal financial management reporting, including whether:
  • councillors and management have identified and implemented essential internal financial management reporting elements
  • council’s financial systems and data have integrity, and support identified financial management report production requirements
  • council reports are relevant, consistent, reliable, understandable, and tailored towards the requirements of key users (appendix two provides more information about the characteristics of effective financial management reporting).
• the financial management governance and reporting arrangements support councillors and management to fulfil their financial stewardship responsibilities, including whether councillors and management use internal financial management reporting to:
  • support budget decisions, resource allocation and cost setting (for example fees and charges)
  • monitor financial sustainability
  • assess operational efficiency, financial services and investments
  • make improvements where necessary.

This audit completed fieldwork during November 2022 to February 2023. The audit period of review was from 1 July 2019 to 30 June 2022.

Appendix one – Response from agency

Appendix two – Characteristics of effective financial management reporting

Appendix three – About the audit 

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #381 - released 16 June 2023

What the report is about

The Office of Local Government (OLG) in the Department of Planning and Environment is responsible for strengthening the local government sector, including through its regulatory functions.

This audit assessed whether the OLG is effectively monitoring and regulating the sector under the Local Government Act 1993. The audit covered:

• the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions
• whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

What we found

The OLG does not conduct effective, proactive monitoring to enable timely risk-based responses to council performance and compliance issues.

The OLG has not clearly defined and communicated its regulatory role to ensure that its priorities are well understood.

The OLG does not routinely review the results of its regulatory activities to improve its approaches.

The department lacks an adequate framework to define, measure and report on the OLG's performance, limiting transparency and its accountability.

The OLG's new strategic plan presents an opportunity for the OLG to better define, communicate, and deliver on its regulatory objectives.

What we recommended

The OLG should:

• publish a tool to support councils to self-assess risks and report on their performance and compliance
• ensure its council engagement strategy is consistent with its regulatory approach
• report each year on its regulatory activities and performance
• publish a calendar of its key sector support and monitoring activities
• enhance processes for internally tracking operational activities
• develop and maintain a data management framework
• review and update frameworks and procedures for regulatory responses.

The Local Government Act 1993 (the LG Act) provides the legal framework for the system of local government in New South Wales. The LG Act describes the functions of councils, county councils and joint organisations which should be exercised consistent with the guiding principles and requirements of the LG Act. Councils also have functions and responsibilities under other Acts.

There are 128 local councils, nine county councils and 13 joint organisations of councils in the New South Wales local government sector. Each council is unique in size and location, owns and manages assets, and delivers services for their communities. According to 2021–22 data provided by the Department of Planning and Environment (the department), local councils managed $175.2 billion in infrastructure, property plant and equipment, held $16.8 billion of cash and investments, collected $7.8 billion in rates and charges and entered into $3.7 billion of borrowings. Councils' decision-making responsibilities directly impact the communities they serve, including responsibilities relevant to financial management, economic development, environmental sustainability and community wellbeing.

Under the LG Act, each elected council is accountable to the community they serve. In addition to Auditor-General reports, issues relating to council performance and compliance have been identified in public inquiries commissioned by the Minister for Local Government and investigations by the Independent Commission Against Corruption, NSW Ombudsman and Office of Local Government (OLG). Challenges and opportunities related to the operations and sustainability of the local government sector have also been reported by the sector and identified in reports by NSW government agencies such as the Independent Pricing and Regulatory Tribunal.

The department is the primary state government agency with responsibility for policy, legislative, regulatory and program functions for local government matters. The Office of Local Government (OLG) is a business unit within the department that advises the Minister for Local Government and exercises delegated functions of the Secretary of the Department of Planning and Environment under the LG Act.

Key departmental planning documents state that the OLG is responsible for strengthening the sustainability, performance, integrity, transparency and accountability of the local government sector. As the state regulator of the local government sector, the OLG aims to promote voluntary compliance, build councils' capacity for high performance, and intervene only when 'warranted and appropriate'. Relevant regulatory activities include issuing guidelines, investigating councils and councillors, and supporting the Minister for Local Government's discretionary intervention powers. The OLG's other functions include developing policy, administering grants and programs, supporting local government election processes, and issuing certain approvals.

The objective of this audit was to assess whether the OLG is effectively monitoring and regulating the local government sector under the LG Act. The assessment included:

• the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions
• whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

This report focuses on the OLG’s activities relevant to powers under Chapter 13 of the LG Act, and related regulatory activities, such as monitoring risks, issuing guidance and engaging with councils. It also examines strategic and operational planning for these activities in the context of the OLG's other activities, and departmental arrangements to oversee and enable the OLG's regulatory effectiveness.

Other OLG activities were not in scope of the audit but are commented on in this report where contextually relevant. This includes the OLG's responsibilities under the LG Act with respect to councillor misconduct, and the 2022 review of the councillor misconduct framework commissioned by the former Minister for Local Government.

This chapter considers the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions.

This chapter assesses whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

The OLG’s 2017 Improvement and Intervention Framework is intended to guide appropriate responses to council compliance or performance risks and issues. The publicly available framework states that generally, the OLG will encourage councils to meet their obligations before a more formal intervention will be considered. It also states that any intervention or improvement response will be proportionate to the circumstances.

Appendix one – Response from agency

Appendix two – Statutory powers relevant to council accountability under the Local Government Act

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #380 - released 23 May 2023

What the report is about

This audit assessed how effectively NSW government agencies procure and manage consultants. It examined the role of the NSW Procurement Board and NSW Procurement (a unit within NSW Treasury) in supporting and monitoring agency procurement and management of consultants.

The audit used four sources of data that contain information about spending on consultants by NSW government agencies, including annual report disclosures and the State's financial consolidation system (Prime). It also reviewed a sample of consulting engagements from ten NSW government agencies.

What we found

Our review of a selection of consulting engagements indicates that agencies do not procure and manage consultants effectively.

We found most agencies do not use consultants strategically and do not have systems for managing or evaluating consultant performance. We also found examples of non-compliance with procurement rules, including contract variations that exceeded procurement thresholds.

NSW Procurement has made improvements to the information available about spending on consultants, including additional analysis and reporting. However, there is no single data source that accurately captures spending on consultants.

Our analysis of data on whole-of-government spending on consultants, drawn from agency annual reports, indicates that four large professional services firms accounted for about a quarter of consultancy expenditure from 2017–18 to 2021–22. This concentration increases strategic risks, including over-reliance on a limited number of providers and potential reduction in the independence of advice.

It is also highly unlikely that NSW government agencies will meet the government's 2019 policy commitment to reduce consultancy expenses by 20% each year, over four years, from 2019–20. NSW Treasury advised that to implement this commitment, agency budgets were reduced in Prime in line with the savings targets. However, actual spending on consulting in NSW Treasury's Reports on State Finances 2020–21 and 2021–22 was almost $100 million higher than the savings targets over the first three years since 2019–20.

What we recommended

The report made seven recommendations which aim to improve:

• the quality and transparency of data on spending on consultants
• monitoring of strategic risks and agency compliance with procurement and recordkeeping rules
• agencies' strategic use of consultants, including evaluation and knowledge retention.

Between 2017–18 and 2021–22, NSW government agency annual reports disclosed total spending of around $1 billion on consultants across more than 10,000 engagements. More than 1,000 consulting firms provided services to NSW government agencies during this period. Consulting is a classification of professional services that is characterised by giving advice or recommendations on a specific issue. The NSW Procurement Board Direction PBD-2021-03 defines a consultant as a person or organisation that provides 'recommendations or professional advice to assist decision-making by management'. PBD-2021-03 notes that the advisory nature of the work of consultants is the main factor that distinguishes them from other providers of professional services.

The NSW Procurement Board is responsible for setting procurement policy, issuing directions to support policies, and monitoring and reporting on agency compliance with policies and directions. NSW Procurement, a division within NSW Treasury, supports agencies to comply with the NSW Procurement Board’s policies and directions. A 'devolved governance model' is used for procurement in New South Wales. This means the heads of government entities that are covered by the NSW Procurement Board’s directions are responsible for managing the entity's procurement, including managing risks, reporting and ensuring compliance, in line with procurement laws and policies.

This audit assessed how effectively NSW government agencies procure and manage consultants. It assessed the role of the NSW Procurement Board and NSW Procurement in supporting and monitoring agency procurement and management of consultants. It also reviewed a sample of consulting engagements from ten NSW government agencies to examine how agencies procured, managed and reported on their use of consultants. The ten NSW government agencies were:

• NSW Treasury
• Department of Communities and Justice
• Department of Customer Service
• Department of Education
• Department of Planning and Environment
• Department of Premier and Cabinet
• Department of Regional NSW
• Infrastructure NSW
• Sydney Metro
• Transport for NSW

There are four different sources of data that contain information about spending on consultants by NSW government agencies: the State's financial consolidation system (Prime), disclosures of spending on consultants in agency annual reports, and two systems operated by NSW Procurement (the Business Advisory Services (BAS) dashboard and Spend Cube). Each of these data sources serves a different purpose, and collects and categorises information differently. None of these provide a complete source of data on spending on consultants, either in their own right or collectively.

NSW Treasury considers Prime to be the 'source of truth' on consulting expenditure across the NSW public sector. An account within Prime records recurrent spending on consultants, but this account does not include capital expenditure (that is, spending on consultants that has from a financial reporting perspective been 'capitalised' to a project on the balance sheet). As the State's financial consolidation system, Prime captures all financial information. However, capitalised consulting expenditure is recorded within various capital accounts, and is not identifiable within these accounts. While this is appropriate for accounting purposes, it means that the Prime account that records recurrent consulting expenditure does not reflect total spending on consultants by NSW government agencies. We used the data in Prime to assess whether NSW government agencies met the NSW Government's policy commitment—stated before the 2019 election and costed by the Parliamentary Budget Office—to reduce recurrent expenditure on consulting by 20% each year, over four years, from 2019–20. We did this because, while the Prime account for recurrent consulting expenditure does not reflect all spending on consultants, it does capture the recurrent spending that was subject to the policy commitment.

Most NSW government agencies are required by legislation to disclose spending on consultants (as defined in PBD-2021-03) in their annual reports. These disclosures include both recurrent and capital expenditure. For consulting engagements that cost more than $50,000, the disclosures also provide itemised information, including the names of the individual projects and the consultants used. While this data is more complete than Prime because it includes capital expenditure, it also has some gaps. Some entities are excluded from public reporting requirements on consultant use. For example, NSW Local Health Districts (LHD) are not required to produce annual reports, and the Ministry of Health does not include LHD consulting expenditure in its annual report.¹ We used annual report disclosure data to report on total expenditure on consultants, and the concentration of suppliers of consulting services to NSW government agencies.

The BAS dashboard and Spend Cube are systems created by NSW Procurement to collect information about spending on suppliers of professional services. This includes consultants, but also includes other professional services providers. The systems were not designed for reporting on spending on consulting as defined in PBD-2021-03. However, we have used this data to assess specific aspects of NSW Procurement's monitoring of the use of consultants by NSW government agencies.

In 2018, we conducted an audit titled 'Procurement and reporting of consultancy services'. This assessed how 12 NSW government agencies complied with procurement requirements and how NSW Procurement supported the functions of the NSW Procurement Board. The 2018 audit found that none of the 12 agencies fully complied with NSW Procurement Board Directions on the use of consultants and that the NSW Procurement Board was not fully effective in overseeing and supporting agencies’ procurement of consultants. Specific findings from the 2018 audit included: 

• Agencies applied the definition of consultant inconsistently, which affected the accuracy of reporting on consultancy expenditure.
• There was inadequate guidance from NSW Procurement for agencies implementing the procurement framework, with a need for additional tools, automated processes, and other internal controls to improve compliance.
• NSW Procurement had insufficient data for effective oversight of procurement and did not publish any data on the procurement of consultancy services by NSW government agencies.

This chapter outlines our findings on the role of NSW Procurement in overseeing the use of consultants by NSW government agencies.

This chapter outlines our findings on the use of consultants by the ten NSW government agencies that were included in this audit.

Appendix one – Responses from auditees

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #378 - released 2 March 2023

What the report is about

The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit on government advertising activities each financial year.

This audit examined whether TAFE NSW's annual advertising campaign in 2021–22:

1. was carried out effectively, economically, and efficiently
2. complied with regulatory requirements and the Government Advertising Guidelines.

What we found

TAFE NSW complied with Section 6 of the Act, prohibiting political content.

It also complied with most other advertising requirements.
 
An important exception was that the Managing Director certified that the campaign complied with regulatory requirements and was an efficient and cost-effective means of achieving its public purpose, before a cost-benefit analysis (CBA) was completed.

We have found issues with agencies complying with CBA requirements in previous government advertising audits. This includes the failure to complete them before signing compliance certificates.

The policy owner, the Department of Customer Service (DCS), does not consider oversight of CBAs to be within the scope of their peer review process.  

TAFE NSW evaluated this advertising campaign by surveying a population significantly broader than the target audience. As such, survey results may not accurately reflect the views of the intended audience.

What we recommended

By 30 June 2023, TAFE NSW should:

1. implement processes that ensure:
   1. CBAs are completed before the launch of campaigns over $1 million
   2. compliance certificates are completed only after all regulatory requirements are met
2. consider adding to its current evaluation methods by surveying a population which closely reflects the age profile of its intended target audience.

By June 2023, DCS should:

3. improve whole‑of‑government reporting and monitoring processes to provide the NSW Government with a central view of compliance, including the completion of CBAs by agencies.

The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements include an explicit prohibition on political advertising, as well as a need to complete a peer review and cost-benefit analysis before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and Government Advertising Guidelines (the Guidelines) address further matters of detail.

The Act also requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner. It also assesses compliance with the Act, the Regulation, other laws and the Guidelines.

This audit examined TAFE NSW's advertising campaign for the 2021–22 financial year. TAFE NSW is the NSW Government's public provider of vocational education and training. TAFE NSW carries out an advertising campaign every year. In 2021–22, it spent $15.16 million on developing and implementing advertising. TAFE NSW used channels such as television, radio, internet and social media, press, and out of home advertising in public settings such as bus stops. The advertising aimed to increase the percentage of people considering TAFE NSW for training or education, grow the percentage of people who consider TAFE NSW to be the preferred education provider in NSW, and maintain the proportion of people who are aware of TAFE NSW more generally.

There are a range of private service providers helping to deliver vocational education and training in NSW.

This part of the report sets out key aspects of TAFE NSW's compliance with the government advertising regulatory framework. It considers whether TAFE NSW complied with the:

• Government Advertising Act 2011
• Government Advertising Regulation 2018
• NSW Government Advertising Guidelines 2012 and other relevant policy.

This part of the report considers whether TAFE NSW's advertising program for 2021–22 was carried out in an effective, efficient, and economical manner.

Appendix one – Responses from agencies

Appendix two – About the campaign

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #377 - released 28 February 2023

What the report is about

This audit assessed the effectiveness of the NSW Rural Fire Service (RFS) and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression.

What we found

The RFS has focused its fleet development activity on modernising and improving the safety of its firefighting fleet, and on the purchase of new firefighting aircraft.

There is limited evidence that the RFS has undertaken strategic fleet planning or assessment of the capability of the firefighting fleet to respond to current bushfire events or emerging fire risks.

The RFS does not have an overarching strategy to guide its planning, procurement, or distribution of the firefighting fleet.

The RFS does not have effective oversight of fleet maintenance activity across the State, and is not ensuring the accuracy of District Service Agreements with local councils, where maintenance responsibilities are described.

What we recommended

1. Develop a fleet enhancement framework and strategy that is informed by an assessment of current fleet capability, and research into appropriate technologies to respond to emerging fire risks.
2. Develop performance measures to assess the performance and capabilities of the fleet in each RFS District by recording and publicly reporting on fire response times, fire response outcomes, and completions of fire hazard reduction works.
3. Report annually on fleet allocations to RFS Districts, and identify the ways in which fleet resources align with district-level fire risks.
4. Develop a strategy to ensure that local brigade volunteers are adequate in numbers and appropriately trained to operate fleet appliances in RFS Districts where they are required.
5. Establish a fleet maintenance framework to ensure regular update of District Service Agreements with local councils.
6. Review and improve processes for timely recording of fleet asset movements, locations, and maintenance status.

This audit assessed how effectively the NSW Rural Fire Service (the RFS) plans and manages the firefighting equipment needed to prevent, mitigate, and suppress bushfires. This audit also examined the role of local councils in managing bushfire equipment fleet assets. Local councils have vested legal ownership of the majority of the land-based firefighting fleet, including a range of legislated responsibilities to carry out fleet maintenance and repairs. The RFS has responsibilities to plan and purchase firefighting fleet assets, and ensure they are ready for use in response to fires and other emergencies.

This report describes the challenges in planning and managing the firefighting fleet, including a confusion of roles and responsibilities between the RFS and local councils in relation to managing certain land-based rural firefighting fleet – a point that has been made in our Local Government financial audits over several years. This role confusion is further demonstrated in the responses of the RFS and local councils to this audit report – included at Appendix one.

The lack of cohesion in roles and responsibilities for managing rural firefighting vehicles increases the risk that these firefighting assets are not properly maintained and managed, and introduces a risk that this could affect their readiness to be mobilised when needed.

While the audit findings and recommendations address some of the operational and organisational inefficiencies in relation to rural firefighting equipment management, they do not question the legislative arrangements that govern them. This is a matter for the NSW Government to consider in ensuring the fleet arrangements are fit for purpose, and are clearly understood by the relevant agencies.

The NSW Rural Fire Service (hereafter the RFS) is the lead combat agency for bushfires in New South Wales, and has the power to take charge of bushfire prevention and response operations anywhere in the State. The RFS has responsibilities to prevent, mitigate and suppress bushfires across 95% of the State, predominantly in the non-metropolitan areas of New South Wales. Fire and Rescue NSW is responsible for fire response activity in the cities and large townships that make up the remaining five per cent of the State.

The RFS bushfire fleet is an integral part of the agency's overall bushfire risk management. The RFS also uses this fleet to respond to other emergencies such as floods and storms, motor vehicle accidents, and structural fires. Fleet planning and management is one of a number of activities that is necessary for fire mitigation and suppression.

The Rural Fires Act 1997 (Rural Fires Act) imposes obligations on all landowners and land managers to prevent the occurrence of bushfires and reduce the risk of bushfires from spreading. Local councils have fire prevention responsibilities within their local government areas, principally to reduce fire hazards near council owned or managed assets, and minor roads.

The RFS is led by a Commissioner and is comprised of both paid employees and volunteer rural firefighters. Its functions are prescribed in the Rural Fires Act and related legislation such as the State Emergency Rescue Management Act 1989. The RFS functions are also described in Bush Fire Risk Management Plans, the State Emergency Management Plan, District Service Agreements, and RFS procedural documents. Some of the core responsibilities of the RFS include:

• preventing, mitigating, and suppressing fires across New South Wales
• recruiting and managing volunteer firefighters in rural fire brigades
• purchasing and allocating firefighting fleet assets to local councils
• establishing District Service Agreements with local councils to give the RFS permissions to use the fleet assets that are vested with local councils
• carrying out fleet maintenance and repairs when authorised to do so by local councils
• inspecting the firefighting fleet
• supporting land managers and private property owners with fire prevention activity.

In order to carry out its legislated firefighting functions, the RFS relies on land-based vehicles, marine craft, and aircraft. These different firefighting appliance types are referred to in this report as the firefighting fleet or fleet assets.

RFS records show that in 2021 there were 6,345 firefighting fleet assets across NSW. Most of the land-based appliances commonly associated with firefighting, such as water pumpers and water tankers, are purchased by the RFS and vested with local councils under the Rural Fires Act. The vesting of firefighting assets with local councils means that the assets are legally owned by the council for which the asset has been purchased. The RFS is able to use the firefighting assets through District Service Agreements with local councils or groups of councils.

In addition to the land-based firefighting fleet, the RFS owns a fleet of aircraft with capabilities for fire mitigation, suppression, and reconnaissance during fire events. The RFS hires a fleet of different appliances to assist with fire prevention and hazard reduction works. These include aircraft for firefighting and fire reconnaissance, and heavy plant equipment such as graders and bulldozers for hazard reduction. Hazard reduction works include the clearance of bush and grasslands around major roads and protected assets, and the creation and maintenance of fire trails and fire corridors to assist with fire response activity.

The RFS is organised into 44 RFS Districts and seven Area Commands. The RFS relies on volunteer firefighters to assist in carrying out most of its firefighting functions. These functions may include the operation of the fleet during fire response activities and training exercises, and the routine inspection of the fleet to ensure it is maintained according to fleet service standards. Volunteer fleet inspections are supervised by the RFS Fire Control Officer.

In 2021 there were approximately 73,000 volunteers located in 1,993 rural fire brigades across the State, making the RFS the largest volunteer fire emergency service in Australia. In addition to brigade volunteers, the RFS has approximately 1,100 salaried staff who occupy leadership and administrative roles at RFS headquarters and in the 44 RFS Districts.

Local councils have legislative responsibilities relating to bushfire planning and management. Some of the core responsibilities of local councils include:

• establishing and equipping rural fire brigades
• contributing to the Rural Fire Fighting Fund
• vested ownership of land-based rural firefighting equipment
• carrying out firefighting fleet maintenance and repairs
• conducting bushfire prevention and hazard reduction activity.

The objective of this audit was to assess the effectiveness of the RFS and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression. From the period of 2017 to 2022 inclusive, we addressed the audit objective by examining whether the NSW RFS and local councils effectively:

• plan for current and future bushfire fleet requirements
• manage and maintain the fleet required to prevent, mitigate, and suppress bushfires in NSW.

This audit did not assess:

• the operational effectiveness of the RFS bushfire response
• the effectiveness of personal protective equipment and clothing
• the process of vesting of rural firefighting equipment with local councils
• activities of any other statutory authorities responsible for managing bushfires in NSW.

As the lead combat agency for the bushfire response in NSW, the RFS has primary responsibility for bushfire prevention, mitigation, and suppression.

Three local councils were selected as case studies for this audit, Hawkesbury City Council, Wagga Wagga City Council and Uralla Shire Council. These case studies highlight the ways in which the RFS and local councils collaborate and communicate in rural fire districts.

The RFS has not made significant changes to the size or composition of the firefighting fleet in the past five years and does not have an overarching strategy to drive fleet development

Since 2017, the RFS has made minimal changes to its firefighting fleet volumes or vehicle types. The RFS is taking a fleet renewal approach to fleet planning, with a focus on refurbishing and replacing ageing firefighting assets with newer appliances and vehicles of the same classification and type. While the RFS has adopted a fleet renewal approach, driven by its Appliance Replacement Program Guide, it does not have a strategy or framework to guide its future-focused fleet development. There is no document that identifies and analyses bushfire events and risks in NSW, and matches fleet resources and fleet technologies to meet those risks. The RFS does not have fleet performance measures or targets to assess whether the size and composition of the fleet is meeting current or emerging bushfire climate hazards, or fuel load risks across its 44 NSW Fire Districts.

The RFS fleet currently comprises approximately 4,000 frontline, operational firefighting assets such as tankers, pumpers, and air and marine craft, and approximately 2,300 logistical vehicles, such as personnel transport vehicles and specialist support vehicles. Of the land-based firefighting vehicles, the RFS has maintained a steady number of approximately 3,800 tankers and 65 pumpers, year on year, for the past five years. This appliance type is an essential component of the RFS land-based, firefighting fleet with capabilities to suppress and extinguish fires.

Since 2017, most RFS fleet enhancement activity has been directed to upgrades and the modernisation of older fleet assets with new safety features. There is limited evidence of research into new fleet technologies for modern firefighting. The RFS fleet volumes and fleet types have remained relatively static since 2017, with the exception of the aerial firefighting fleet. Since 2017, the RFS has planned for, and purchased, six additional aircraft to add to the existing three aircraft in its permanent fleet.

While the RFS has made minimal changes to its fleet since 2017, in 2016 it reduced the overall number of smaller transport vehicles, by purchasing larger vehicles with increased capacity for personnel transport. The consolidation of logistical and transport vehicles accounts for an attrition in fleet numbers from 7,058 in 2016, to 6,315 in 2017 as shown in Exhibit 2.

The firefighting fleet management system is not always updated in a timely manner due to insufficient RFS personnel with permissions to make changes in the system

The RFS uses a fleet management system known as SAP EAM to record the location and status of firefighting fleet assets. The system holds information about the condition of the firefighting fleet, the home location of each fleet asset, and the maintenance, servicing, and inspection records of all assets. The RFS uses the system for almost all functions related to the firefighting fleet, including the location of vehicles so that they can be dispatched during operational exercises or fire responses.

Staff at RFS Headquarters are responsible for creating and maintaining asset records in the fleet management system. RFS District staff have limited permissions in relation to SAP EAM. They are able to raise work orders for repairs and maintenance, upload evidence to show that work has been done, and close actions in the system.

RFS District staff are not able to enter or update some fleet information in the system, such as the location of vehicles. When an RFS District receives a fleet appliance, it cannot be allocated to a brigade until the location of the asset is accurately recorded in the system. The location of the asset must be updated in the SAP EAM system by staff at RFS Headquarters. District staff can request system support from staff at RFS Headquarters to enter this information. At the time of writing, the position responsible for updating the fleet management system at RFS Headquarters was vacant, and RFS District personnel reported significant wait times in response to their service requests.

The RFS conducts annual audits of SAP EAM system information to ensure data is accurate and complete. RFS staff are currently doing data cleansing work to ensure that fleet allocations are recorded correctly in the system.

Communication between brigades, local councils and the RFS needs improvement to ensure that fleet information is promptly updated in the fleet management system

RFS brigade volunteers do not have access to the fleet management system. When fleet assets are used or moved, volunteers report information about the location and condition of the fleet to RFS District staff using a paper-based form, or by email or phone. Information such as vehicle mileage, engine hours, and defects are all captured by volunteers in a logbook which is scanned and sent to RFS District staff. RFS District staff then enter the relevant information into the fleet management system, or raise a service ticket with RFS Headquarters to enter the information.

Brigade volunteers move fleet assets for a range of reasons, including for fire practice exercises. If volunteers are unable to report the movement of assets to RFS District staff in a timely manner, this can lead to system inaccuracies. Lapses and backlogs in record keeping can occur when RFS staff at district offices or at Headquarters are not available to update records at the times that volunteers report information. A lack of accurate record keeping can potentially impact on RFS operational activities, including fire response activity.

Brigade volunteers notify RFS District staff when fleet appliances are defective, or if they have not been repaired properly. District staff then enter the information into the fleet management system. The inability of volunteers to enter information into the system means they have no visibility over their requests, including whether they have been approved, actioned, or rejected.

Local councils are responsible for servicing and maintaining the firefighting fleet according to the Rural Fires Act, but this responsibility can be transferred to the RFS through arrangements described in local service agreements. Council staff record all fleet servicing and maintenance information in their local systems. The types of fleet information that is captured in local council records can vary between councils. RFS staff described the level of council reporting, and the effectiveness of this process, as 'mixed'.

Councils use different databases and systems to record fleet assets, and some councils are better resourced for this activity than others

Firefighting fleet information is recorded in different asset management systems across NSW. Each council uses its own asset management system to record details about the vested fleet assets. All three councils that were interviewed for this audit had different systems to record information about the fleet. In addition, the type of information captured by the three councils was varied.

Local councils have varying levels of resources and capabilities to manage the administrative tasks associated with the firefighting fleet. Some of the factors that impact on the ability of councils to manage administrative tasks include: the size of the council; the capabilities of the information management systems, the size of the staff team, and the levels of staff training in asset management.

Uralla Shire Council is a small rural council in northern NSW. This council uses financial software to record information about the firefighting fleet. While staff record information about the condition of the asset, its replacement value, and its depreciation, staff do not record the age of the asset, or its location. Staff manually enter fleet maintenance information into their systems. Uralla Shire Council would like to purchase asset maintenance software that generates work orders for fleet repairs and maintenance. However, the council does not have trained staff in the use of asset management software, and the small size of the fleet may not make it financially worthwhile.

The Hawkesbury City Council uses a single system to capture financial and asset information associated with the firefighting fleet. Hawkesbury is a large metropolitan council located north-west of Sydney, with a relatively large staff team in comparison with Uralla Shire Council. The Hawkesbury City Council has given RFS District staff access to their fleet information system. RFS District staff can directly raise work orders for fleet repairs and maintenance through the council system, and receive automated notifications when the work is complete.

Two of the three audited councils report that they conduct annual reviews of fleet assets to assess whether the information they hold is accurate and up-to-date.

More than half of the fleet maintenance service agreements between the RFS and local councils have not been reviewed in ten years, and some do not reflect local practices

Local councils have a legislated responsibility to service, repair, and maintain the firefighting fleet to service standards set by the RFS. Councils may transfer this responsibility to the RFS through District Service Agreements. The RFS Districts are responsible for ensuring that the service agreements are current and effective.

The RFS does not have monitoring and quality control processes to ensure that service agreements with local councils are reviewed regularly. The RFS has 73 service agreements with local councils or groups of councils. Sixty-three per cent of service agreements had not been reviewed in the last ten years. Only four service agreements specify an end date and, of those, one agreement expired in 2010 and had not been reviewed at the time of this audit.

The RFS does not have a framework to ensure that service agreements with local councils reflect actual practices. Of the three councils selected for audit, one agreement does not describe the actual arrangements for fleet maintenance practices in RFS Districts. The service agreement with Hawkesbury City Council specifies that the RFS will maintain the firefighting fleet on behalf of council when, in fact, council maintains the firefighting fleet. The current agreement commenced in 2012, and at the time of writing had not been updated to reflect local maintenance practices.

When District Service Agreements are not reviewed periodically, there is a risk that neither local councils nor the RFS have clear oversight of the status of fleet servicing, maintenance, and repairs.

RFS District Service Agreements set out a requirement that RFS and local councils establish a liaison committee. Liaison committees typically include council staff, RFS District staff, and RFS brigade volunteers. While service agreements state that liaison committees must meet periodically to monitor and review the performance of the service agreement, committee members determine when and how often the committee meets.

RFS District staff and staff at the three audited councils are not meeting routinely to review or update their service agreements. At Wagga Wagga City Council, staff meet with RFS District staff each year to report on activity to fulfil service agreement requirements. Uralla Shire Council staff did not meet routinely with RFS District staff before 2021. When liaison committees do not meet regularly, there is a risk that the RFS and local councils have incorrect or outdated information about the location, status, or condition of the firefighting fleet. Given that councils lack systems to track and monitor fleet locations, regular communication between the RFS and local councils is essential.

The RFS has not established processes to ensure that local councils and RFS District personnel meet and exchange information about the fleet. Of the three councils selected for this audit, one council had not received information about the number, type, or status of the fleet for at least five years, and did not receive an updated list of appliances until there was a change in RFS District personnel. This has impacted on the accuracy of council record keeping. Councils do not always receive notification about new assets or information about the location of assets from the RFS, and therefore cannot reflect this information in their accounting and reporting.

RFS area commands audit system records to ensure fleet inspections occur as planned, but central systems are not always updated, creating operational risks

RFS District staff are required by the Rural Fires Act to ensure the firefighting fleet is inspected at least once a year. Regular inspections of the fleet are vital to ensure that vehicles are fit-for-purpose and safe for brigade volunteers. Inspections are also fundamental to the operational readiness and capability of RFS to respond to fire incidents.

RFS Area Command personnel conduct audits of fleet maintenance data to ensure that fleet inspections are occurring as planned. These inspections provide the RFS with assurance that the fleet is being maintained and serviced by local council workshops, or third-party maintenance contractors.

Some RFS Districts run their own fleet management systems outside of the central management system. They do this to manage their fleet inspection activity effectively. Annual fleet inspection dates are programmed by staff at RFS Headquarters. Most of the inspection dates generated by RFS Headquarters are clustered together and RFS Districts need to separate inspection times to manage workloads over the year. Spreading inspection dates is necessary to avoid exceeding the capacity of local council workshops or third party contractors, and to ensure that fleet are available during the bushfire season.

The fleet inspection records at RFS Headquarters are not always updated in a timely manner to reflect actual inspection and service dates of vehicles. District staff are not able to change fleet inspection and service dates in the central management system because they do not have the necessary permissions to access the system. The usual practice is for RFS District staff to notify staff at RFS Headquarters, and ask them to retrospectively update the system. As there is a lag in updating the central database, at a point in time, the actual inspection and service dates of vehicles can be different to the dates entered in the central fleet management system.

Fleet inspection and maintenance records must be accurately recorded in the central RFS management system for operational reasons. RFS Headquarters personnel need to know the location and maintenance status of fleet vehicles at all times in order to dispatch vehicles to incidents and fires. The RFS fleet management system is integrated with a new Computer Aided Dispatch System. The Computer Aided Dispatch System assigns the nearest and most appropriate vehicles to fire incidents. The system relies on accurate fleet locations and fleet condition information in order to dispatch these vehicles.

There is a risk that RFS Headquarters' systems do not contain accurate information about the location and status of vehicles. Some may be in workshops for servicing and repair, while the system may record them as available for dispatch. As there are many thousands of fleet vehicles, all requiring an annual service and inspection, a lack of accurate record keeping has wide implications for State fire operations.

RFS is currently exploring ways to improve the ways in which fleet inspections are programmed into the fleet management system.

RFS provides funds to councils to assist with maintaining the firefighting fleet, but does not receive fleet maintenance cost information from all local councils

Each year the RFS provides local councils with a lump sum to assist with the cost of repairing and maintaining the firefighting fleet. This lump sum funding is also used for meeting the costs of maintaining brigade stations, utilities, and other miscellaneous matters associated with RFS business.

In 2020–21, the RFS provided NSW local councils with approximately $23 million for maintenance and repairs of appliances, buildings, and utilities. Ninety councils were provided with lump sum funding in 2021, receiving on average $257,000. The amounts received by individual councils ranged from $56,200 to $1,029,884.

Some councils provide itemised repairs and maintenance reports to RFS District staff, showing the work completed and the cost of that work. However, not all councils collect this information or provide it to the RFS. Local councils collect fleet maintenance information in their local council systems. In some cases, the responsibility for fleet maintenance is shared across a group of councils, and not all councils have oversight of this process.

The RFS has not taken steps to require local councils to provide itemised maintenance costings for the firefighting fleet. Thus, the RFS does not have a clear understanding of how local councils are spending their annual fleet maintenance funding allocations. The RFS does not know if the funding allocations are keeping pace with the actual cost of repairing and maintaining the fleet.

RFS District staff report that funding shortfalls are impacting on the prioritisation of fleet servicing and maintenance works in some council areas. When fleet servicing and maintenance is not completed routinely or effectively, there is a risk that it can negatively impact the overall condition and lifespan of the vehicle. Poor processes in relation to fleet maintenance and repair risk impacting on the operational capabilities of the fleet during fire events.

The timeliness and effectiveness of fleet servicing and maintenance is affected by resource levels in RFS Districts and local councils

Local councils have a legislated responsibility to service and maintain the firefighting fleet to the service standards set by the RFS. Fleet maintenance is usually done by the entity with the appropriate workshops and resources, and the maintenance arrangements are described in District Service Agreements. RFS District staff conduct annual inspections to ensure that the firefighting fleet has been serviced and maintained appropriately, and is safe for use by brigade volunteers. If the fleet has not been maintained to RFS service standards or timelines, RFS District staff may work with local councils to support or remediate these works.

The effectiveness of this quality control activity is dependent on relationships and communication between the RFS Districts and local councils. While some RFS staff reported having positive relationships with local councils, others said they struggled to get fleet maintenance work done in a timely manner. Some councils reported that funding shortfalls for fleet maintenance activity was impacting on the prioritisation of RFS fleet maintenance works. When fleet maintenance work is not completed routinely or effectively, it can negatively impact on the overall condition and lifespan of the vehicle. It can also reduce the capacity of the RFS to respond to fire events.

Fleet quality control activities are carried out by RFS District staff. In some of the smaller RFS Districts, one person is responsible for liaising with local councils and brigade volunteers about fleet maintenance and repairs. In the regions where resources are limited, there is less ability to maintain ongoing communication. This is impacting on fleet service and maintenance timelines and the timeliness of fleet monitoring activity.

The RFS has mutual support arrangements with agencies in NSW and interstate, though shared fleet levels are yet to be quantified

The RFS has arrangements with state, federal, and international fire authorities to provide mutual support during fire incidents. In NSW, the RFS has agreements with the three statutory authorities – Fire and Rescue NSW, the Forestry Corporation of NSW, and the NSW National Parks and Wildlife Service. The agreement with Fire and Rescue NSW provides a framework for cooperation and joint operations between the agencies. The agreements with the Forestry Corporation of NSW and the NSW National Parks and Wildlife Service describe the control and coordination arrangements for bush and grass fires across NSW. These arrangements are set out in legislation and incorporated into local Bush Fire Risk Management Plans.

The RFS has agreements with fire authorities in three of the four Australian states and territories that share a border with NSW – the Australian Capital Territory, Queensland, and South Australia. Each agreement sets out the arrangements for mutual assistance and joint operations, including arrangements for sharing aircraft. The agreement between the RFS and Victoria had lapsed. The RFS told the NSW Bushfire Inquiry that the agreement with Victoria would be finalised by June 2020. In June 2022, the RFS reported that the agreement was in the process of being finalised.

The arrangements for mutual aid from Western Australia, Northern Territory and Tasmania, are managed by the National Resource Sharing Centre. These agreements set out the arrangements for interstate assistance between Australian fire services, emergency services, and land management agencies in those states and territories.

These mutual support arrangements may assist during state-based fire events. However, when there are competing demands for resources, such as during the bushfires of 2019–2020, there can be limits on fleet availability. During the 2019–2020 fires, resources were stretched in all jurisdictions as these fires affected NSW, Victoria, and Queensland.

There are opportunities for the RFS and other NSW agencies to quantify fleet resources across the State and identify assets that can be mobilised for different fire activities. This form of fleet planning may be used to enhance surge capabilities during times of high fire activity. There are also opportunities for the RFS and other agencies to match the levels of shared assets to projected bushfire risks.

Appendix one – Responses from agencies 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #376 - released 27 February 2023

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

• Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
• Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

• lead
• prepare
• prevent
• detect 
• respond 
• recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

• increase NSW Government cyber resiliency
• help NSW cyber security businesses grow
• enhance cyber security skills and workforce 
• support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

• annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
• that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

• may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
• will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

• there was a sound, evidence-based rationale for why Cyber Security NSW was established
• the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
•  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #374 - released 8 February 2023