What the report is about

The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.

The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.

Larger machinery of government changes typically occur after an election or a change of Premier.

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.

What we found

The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.

DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.

The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.

Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.

What we recommended

DPC and NSW Treasury should:

• consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
• provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
• progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.

The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.

The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.

The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.

The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.

Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.

In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.

This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:

• DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
• DPIE and DRNSW can demonstrate the costs of the machinery of government changes
• The machinery of government changes have achieved or are achieving intended outcomes and benefits.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #359 - released (17 December 2021).

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

• enhance the coordination of climate risk management across agencies
• implement climate risk management across their clusters.

DPIE should:

• update information and strengthen education to agencies, and monitor progress
• review relevant land-use planning, development and building guidance
• deliver a climate change adaptation action plan for the state.

NSW Treasury should:

• strengthen climate risk-related guidance to agencies
• coordinate guidance on resilience in infrastructure planning
• review how climate risks have been assured in agencies’ asset management plans.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

• use robust climate projection information to understand the potential climate impacts
• undertake sound climate risk assessments, within an enterprise risk management framework
• implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Appendix one – Response from agencies

Appendix two – Timeline of key activities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #355 - released (7 September 2021).

What the report is about

This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020. 

The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications. 

DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:

• deliver jobs
• progress to the next stage of development within six months of determination
• deliver public benefit.

The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.

What we found

Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.

Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.

DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19. 

Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments. 

What we recommended

DPIE should:

• strengthen controls over conflicts of interest 
• evaluate the Fast-tracked Assessment Program.

In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.

In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:

• deliver jobs – particularly in the construction industry
• be capable of progressing to the next stage of development within six months of determination
• deliver public benefit.

At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.

This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.

Appendix one – Response from agency

Appendix two – Planning determination pathways

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #354 - released (27 July 2021).

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

The Auditor-General for New South Wales, Margaret Crawford, released a report today that examined the effectiveness of the waste levy and grants for waste infrastructure in minimising the amount of waste sent to landfill and increasing recycling rates.  

The audit found that the waste levy has a positive impact on diverting waste from landfill. However, while the levy rates increase each year in line with the consumer price index, the EPA has not conducted a review since 2009 to confirm whether they are set at the optimal level. The audit also found that there were no objective and transparent criteria for which local government areas should pay the levy, and the list of levied local government areas has not been reviewed since 2014. 

Grant funding programs for waste infrastructure administered by the EPA and the Environmental Trust have supported increases in recycling capacity. However, these grant programs are not guided by a clear strategy for investment in waste infrastructure. 

The Auditor-General made six recommendations aimed at ensuring the waste levy is as effective as possible at meeting its objectives and ensuring funding for waste infrastructure is contributing effectively to recycling and waste diversion targets.

Overall, waste generation in New South Wales (NSW) is increasing. This leads to an increasing need to manage waste in ways that reduce the environmental impact of waste and promote the efficient use of resources. In 2014, the NSW Government set targets relating to recycling rates and diversion of waste from landfill, to be achieved by 2021–22. The NSW Waste and Resource Recovery (WARR) Strategy 2014–21 identifies the waste levy, a strong compliance regime, and investment in recycling infrastructure as key tools for achieving these waste targets.

This audit assessed the effectiveness of the NSW Government in minimising waste sent to landfill and increasing recycling rates. The audit focused on the waste levy, which is paid by waste facility operators when waste is sent to landfill, and grant programs that fund infrastructure for waste reuse and recycling.

The waste levy is regulated by the Environment Protection Authority (EPA) and is generally paid when waste is disposed in landfill. The waste levy rates are set by the NSW Government and prescribed in the Protection of Environment Operations (Waste) Regulation 2014. As part of its broader role in reviewing the regulatory framework for managing waste and recycling, the EPA can provide advice to the government on the operation of the waste levy.

The purpose of the waste levy is to act as an incentive for waste generators to reduce, re-use or recycle waste by increasing the cost of sending waste to landfill. In 2019–20, around $750 million was collected through the waste levy in NSW. The government spends approximately one third of the revenue raised through the waste levy on waste and environmental programs.

One of the waste programs funded through the one third allocation of the waste levy is Waste Less, Recycle More (WLRM). This initiative funds smaller grant programs that focus on specific aspects of waste management. This audit focused on five grant programs that fund projects that provide new or enhanced waste infrastructure such as recycling facilities. Four of these programs were administered by the Environmental Trust and one by the EPA.

Achievement of the 2014–21 state targets for waste and resource recovery (WARR targets) is reliant in part on the availability of infrastructure that supports waste diversion and recycling. The state WARR targets dependent on waste infrastructure are:

• Increase recycling rates to 70 per cent for municipal solid waste and commercial and industrial waste, and 80 per cent for construction and demolition waste.
• Increase waste diverted from landfill to 75 per cent.

A further target — manage problem waste better by establishing or upgrading 86 drop-off facilities or services for managing household problem wastes state-wide — is dependent on accessible community waste drop-off facilities across NSW.

Exhibit 7 identifies the five grant programs that provide funding for new or enhanced waste infrastructure to increase capacity for reuse or recycling of waste. All five of these programs were examined in the audit.
In addition to the grant programs shown in Exhibit 7, other programs provide funding for infrastructure, but at a smaller scale. Examples of these include:

• Bin Trim which provides rebates to small businesses for small scale recycling equipment such as cardboard and soft plastic balers.
• Litter grants which provide funding for litter bins.
• Weighbridges grants for installation of a weighbridge at waste facilities.
• Landfill consolidation and environmental improvement grants for rural councils to replace old landfills with transfer stations or to improve the infrastructure at landfill sites.

Appendix one – Responses from audited agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #343 - released 26 November 2020

A report released today by the Auditor-General for New South Wales, Margaret Crawford found that select advertising campaigns conducted by Service NSW and the NSW Rural Fire Service met most requirements of the Government Advertising Act, regulations, Guidelines and other laws. However, the audit found that Service NSW inappropriately used its post campaign evaluation to measure sentiment towards and confidence in the NSW Government.  

While agency analysis shows that the ‘Cost of Living’ (phases 2 and 3)  and ‘How Fireproof is Your Plan?’ campaigns achieved most of their objectives, the campaign objectives and targets set by both agencies were not sufficient to measure all aspects of campaign effectiveness. 

The report makes two recommendations to the Department of Customer Service. The first is to review its guidance to ensure agencies are not using post campaign evaluations to measure sentiment towards the government. The second, to review its guidance and the new process of peer review to ensure they support agencies to comply with the Act, the regulations and the Guidelines. 

The Government Advertising Act 2011 requires the Auditor General to conduct an annual performance audit of one or more government agencies to see whether their advertising activities were carried out in an effective, economical and efficient manner and in compliance with the Government Advertising Act 2011.
 

Read full report (PDF)

The Government Advertising Act 2011 (the Act) requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit assesses whether a government agency or agencies have carried out activities in relation to government advertising in an effective, economical and efficient manner and in compliance with the Act, the regulations, other laws and the Government Advertising Guidelines (the Guidelines). This audit examined two campaigns run during the 2018–19 and 2019–20 financial years respectively:

• the 'Cost of Living' campaign run by Service NSW (phases 2 and 3 delivered in 2018–19)
• the 'How Fireproof Is Your Plan?' (Fireproof) campaign run by NSW Rural Fire Service (year two of a three-year campaign delivered in 2019–20).

Section 6 of the Act prohibits political advertising. Under this section, material that is part of a government advertising campaign must not contain the name, voice or image of a minister, member of parliament or a candidate nominated for election to parliament or the name, logo or any slogan of a political party. Further, a campaign must not be designed to influence (directly or indirectly) support for a political party.

In 2018–19, Service NSW delivered phases 2 and 3 of the 'Cost of Living' campaign. The Cost of Living advertising campaign aimed to build awareness of the help available to ease the cost of living for people under financial pressure including awareness of specific rebates that can be claimed. As part of the Cost of Living program, Service NSW developed a webpage designed as a single portal to access more than 40 NSW Government savings, rebates and initiatives (which originated from over 12 different agencies). It also launched the Cost of Living service which includes face to face meetings and phone interviews to help people claim rebates from the NSW Government. Phase 2 of the campaign ran from September 2018 to August 2019. Phase 3 of the campaign ran from January 2019 to July 2019. The budgets for phases 2 and 3 were $4.127 million and $934,800 respectively. See Appendix two for more details on this campaign.

Campaign materials we reviewed did not breach section 6 of the Act

The audit team reviewed campaign materials developed as part of the paid advertising campaign including radio transcripts, digital videos and display. The audit team did not review the use of social media outside paid social media content as section four of the Act defines government advertising as the dissemination of information which is funded by or on behalf of a government agency. See Appendix two for examples of campaign materials for this campaign.

Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:

• be designed to influence (directly or indirectly) support for a political party
• contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
• contain the name, logo, slogan or any other reference to a political party.

The audit found no breaches of section 6 of the Act in the campaign material we reviewed. 

Post-campaign evaluations measured sentiment towards and confidence in the NSW Government

The post-campaign evaluation for phases 2 and 3 measured levels of confidence with the statement ‘the NSW Government has your best interests at heart’, despite the fact this was not a stated objective of the campaign. This is not an appropriate use of the post-campaign evaluation, which should measure the success of the campaign against its stated objectives. The post-campaign evaluation for phase 3 found that exposure to the campaign improved sentiment towards the government amongst those who did not have confidence in the NSW Government.

Service NSW advised that it was important to measure the sentiment of the advertising including the wording 'best interests' as it did not want the whole of government brand to be detrimental to customer engagement with applying for the rebates.

Following phase 2, Service NSW conducted analysis of media sentiment using the key words 'cost of living' and the names of the Premier, Treasurer and Minister for Customer Service. The analysis presented the level of positive, negative and neutral media sentiment. The Government Advertising Guidelines 2012 list the purposes that government advertising may serve which do not include improving the perception of the government. The inclusion of this analysis in Service NSW's post-campaign evaluation creates a risk that the results may be used for party political purposes.

Section 10 of the Act restricts agencies from carrying out a campaign after 26 January in the calendar year before the Legislative Assembly is due to expire and before the election for the Legislative Assembly in that year. Service NSW authorised a media agency to book media in line with the media plans for the campaign. The media plans for the campaign show that Service NSW did not authorise or plan to run any advertisements between 27 January 2019 and 23 March 2019.

Service NSW did not set targets for all rebates advertised in phase 2

Service NSW did not set targets for four of the seven rebates that were advertised as part of phase 2 of the campaign. These rebates were the Family Energy Rebate, Appliance Replacement Offer, National Parks Concession Offer and the Pensioner Travel Voucher. As a result, it was unable to evaluate whether the advertisements for these rebates were effective. Service NSW advised that at the time the campaign went to peer review, when campaign objectives are set, it did not know which rebates would be included in the advertisements.

Service NSW stated in its submission to the Department of Premier and Cabinet that it may change the creative content for phase 2 as it announced new initiatives and rebates. The peer review process should have ensured that Service NSW set targets for any additional rebates or savings it intended to advertise before that advertising commenced to ensure a strategic approach to the campaigns that clearly demonstrated anticipated benefits were in place.

The post-campaign evaluation for phase 2 shows that the advertising campaign met most of its objectives

Service NSW set overall campaign objectives and specific targets for some rebates advertised as part of phase 2 of the campaign. The objectives, targets and results for phase 2 are shown in Exhibit 5. In phase 2, Service NSW established baseline data on levels of awareness of government rebates during the peer review process. The baseline level of awareness for government rebates was 44 per cent. The level of awareness for specific rebates was 46 per cent for the Compulsory Third Party (CTP) green slip refund, and 21 per cent for both Active Kids and Toll Relief.

Post-campaign evaluation reports for phase 2 show that the campaign met its objective to raise awareness of NSW Government rebates, achieving a 16 per cent increase in awareness from 44 per cent to 51 per cent. The campaign did not meet its target to increase awareness of the CTP green slip refund by ten per cent.

Service NSW did not report the results of the uptake of the CTP green slip refund, Active Kids and Toll Relief in its post campaign effectiveness report submitted to the Department of Premier and Cabinet. However, other post-campaign evaluation documentation, which Service NSW advise was submitted to the Department of Premier and Cabinet, show that these targets were met.

Service NSW did not report to the Department of Premier and Cabinet on whether it achieved the target of a ten per cent increase of average monthly visits to the Cost of Living webpage. Service NSW reported that it had achieved an average of 11,753 visitors to the webpage per day during the campaign. These average daily results indicate that the target was met.

Exhibit 5: Phase 2 - campaign objectives, targets and results

Campaign objectives and targets	Does the post-campaign evaluation show that the target was met?
1. a) Increase awareness of rebates from the NSW Government by ten per cent.	Image
b) Increase average monthly visits to the Cost of Living webpage by ten per cent.	Image
2. Increase awareness of rebates and savings by ten per cent for:
CTP green slip refund	Image
Active Kids	Image
Toll Relief.	Image
3. Increase awareness that NSW Government initiatives relating to the cost of living are available via Service NSW by ten per cent.	Image
4. Increase the uptake of rebates and savings for the CTP green slip refund, Active Kids and Toll Relief by ten per cent.	Image

Key

Image

Yes

Image

Not Fully

The post-campaign evaluation for phase 3 shows that the advertising campaign met most of its objectives

Service NSW set overall campaign objectives and specific targets for the two rebates advertised as part of phase 3 of the campaign. The objectives, targets and results for phase 3 are shown in Exhibit 6.

In phase 3, Service NSW established baseline data on levels of awareness during the peer review process. The baseline level of awareness for government rebates was 44 per cent. This is the same baseline that was used to measure performance for phase 2 of the campaign. Service NSW did not set baselines for awareness and uptake of Energy Switch and Creative Kids as these were new services.

Post-campaign evaluation reports for phase 3 show that the campaign met its objective to raise awareness of NSW Government rebates by ten per cent, achieving a 30 per cent increase in awareness from 44 per cent to 57 per cent. The overall increase in message take-out was met with 43 per cent agreeing with the message that the NSW Government is taking steps to ease the cost of living. The campaign achieved awareness and uptake targets for the specific rebates included in phase 3, except for awareness of Creative Kids which achieved 28 per cent awareness, falling short of the 30 per cent awareness target.

Exhibit 6: Phase 3 - campaign objectives, targets and results

Campaign objectives and targets	Does the post-campaign evaluation show that the target was met?
1. Increase message takeout that ‘The NSW Government is taking steps to help ease the cost of living in NSW’ by ten per cent for those who can recall the campaign.
2. Increase awareness that the NSW Government has a range of rebates and savings by ten per cent.
3. Generate awareness with NSW residents aged 18+ of:
Energy Switch (15 per cent awareness)
Creative Kids (30 per cent awareness).
4. Create uptake of Energy Switch and Creative Kids (8,356 clicks on the Energy Switch website and 107,938 Creative Kids vouchers downloaded with 70 per cent conversion).

Key

Yes

Not Fully

The timing of campaign phases meant that it was difficult for Service NSW to evaluate each distinct campaign phase and reduced opportunities to incorporate learnings from previous phases

Service NSW commenced planning for phase 2 of the campaign while phase 1 was still underway. This limited the opportunity for Service NSW to incorporate learnings from phase 1 into phase 2. There was some overlap in the timing of phase 2 and the start of phase 3 of the campaign, making it difficult to evaluate the effectiveness of each distinct campaign phase. Both phases 2 and 3 had the same high-level outcome objective to raise awareness of rebates by ten per cent. The baseline measures that were used to evaluate performance for phase 3 were the same as those used to evaluate phase 2. As a result, Service NSW was not able to separately evaluate these two phases of the campaign. This is important given the budgets for phases 2 and 3 were $4.127million and $934,800 respectively.

Service NSW allocated 7.5 per cent of its media budget to communications with culturally and linguistically diverse (CALD) and Aboriginal audiences

The NSW Government CALD and Aboriginal Advertising Policy requires that agencies spend at least 7.5 per cent of an advertising campaign media budget on direct communications with CALD and Aboriginal audiences. Service NSW authorised a media company to book media in line with the media plans for the campaign. The media plans for phases 2 and 3 of the campaign indicate that Service NSW met this requirement, with 7.5 per cent of the budget allocated to these audiences in phase 2 and 10.4 per cent in phase 3.

The post campaign evaluation for phases 1 and 2 of the Cost of Living campaign contained a recommendation to look at other opportunities to reach CALD audiences. Effective communication with CALD audiences was particularly important in phase 3 of the campaign, where they made up 30 per cent of the target audience for the Creative Kids advertisement. The post-campaign analysis for phase 3 showed that the campaign performed well with some, but not all CALD audiences. The post-campaign analysis also showed low awareness and uptake with Aboriginal audiences. Pre-campaign focus groups in phase 3 found Aboriginal audiences had a negative reaction to the campaign tag line ‘NSW Government is helping with the cost of living’ however this tagline was still used in some advertisements in phase 3.

The cost-benefit analysis (CBA) for phase 2 did not accurately assess the benefits of the campaign and did not assess the costs and benefits of alternatives to advertising

Under the Government Advertising Act 2011, agencies are required to prepare a CBA when the cost of the campaign is likely to exceed $1 million. The CBA conducted by Service NSW for phase 2 includes $8 million in benefits attributed to the advertisements for the Energy Switch tool and $6.9 million in benefits attributed to the advertisements for Creative Kids vouchers. These benefits should not have been included in the CBA for phase 2 as they were not included in this phase of the campaign. The CBA did not estimate the benefits of some other rebates and savings advertised in phase 2 of the campaign. This means that the CBA did not accurately assess the benefits of the campaign. Service NSW advised that at the time the CBA was developed it had not selected the rebates to be included in the campaign.

The Government Advertising Guidelines require agencies to consider options other than advertising to achieve the desired objective including a comparison of costs and benefits. The CBA developed as part of phase 2 identified using existing NSW Government communication channels as an alternative to advertising but did not assess the costs and benefits of this alternative.

This is a repeat finding from two previous government advertising audits. The report ‘Government Advertising: 2015–16 and 2016–17’ found that both agencies subject to the audit did not meet the requirements in the guidelines to consider alternatives to advertising. The report made a recommendation to the Department of Premier and Cabinet to work with Treasury to ensure the requirements of the guidelines are fully reflected in the 'Cost-Benefit Analysis Framework for Government Advertising and Information Campaigns'. The report ‘Government advertising 2017–18’ found that one agency subject to the audit did not identify to what extent the benefits could be achieved without advertising, nor did it consider alternatives to advertising which could achieve the same impact as the advertising campaign.

Service NSW negotiated with a single creative agency in phase 2, making it difficult to demonstrate value for money

Agencies are required to obtain three quotes when procuring a creative agency on the prequalification scheme if the estimated cost of the creative content is greater than $150,000. In phase 2 of the campaign, Service NSW extended the contract with the creative agency used for phase 1 of the campaign and did not obtain three quotes despite the cost of the creative content for phase 2 being $731,480. The requirement to obtain three quotes was met in phase 1 when initially selecting this creative agency.

Service NSWs procurement policy details that direct negotiation may be appropriate where there is a compelling reason to renew or rollover a contract beyond temporal or convenience reasons or in the cases of a genuine emergency. In its briefing to the Chief Executive, Service NSW stated that this contract extension was sought due to the time-sensitive nature of the project and that if work was delayed by a tender process, Service NSW may not be able to meet marketing milestones and this could result in limited customer uptake. This reason is not a genuine emergency and is not compelling as it does not explain what consequences would occur if it did not meet the marketing milestones or if there was limited customer uptake.

Service NSW's procurement policy also states that under no circumstances must Service NSW employees enter into discussions with a supplier until the delegate has formally made their decision to enter into direct negotiation. Service NSW briefed the Chief Executive of Service NSW in relation to extending the contract on 5 September 2018. The briefing states that the creative agency had already begun developing creative content for phase 2 and Service NSW had already received quotes from the creative provider for the proposed work prior to 5 September 2018. Procurement sign-offs were not completed until 7 September 2018. The engagement of the creative provider prior to appropriate approvals was contrary to Service NSWs procurement policy.

The economy of the campaign may have been limited by not meeting the procurement requirements in phase 2. It is possible that the creative provider may have offered a more competitive rate if it was aware that Service NSW was seeking quotes from other creative providers. Additionally, it is possible that another creative provider could have provided better value for money.

In phase 3 of the campaign, the estimated cost of the creative exceeded $150,000 however Service NSW chose to contract two different creative agencies, and the cost for each agency fell below the threshold to obtain three quotes. Agencies are permitted to obtain one quote when using a creative provider on the prequalification scheme if the cost is between $50,000 to $150,000. Service NSW advised that it contracted two creative providers as two different project teams were responsible for the rebates, each with separate marketing budgets.

Service NSW allowed sufficient time for cost-efficient media placement

During the peer review process, the Department of Premier and Cabinet advised agencies about the time they should allow to ensure cost-efficient media placement. For example, the Department of Premier and Cabinet advised that agencies book television advertising six to 12 weeks in advance and that agencies book radio advertising two to eight weeks in advance.

Service NSW allowed sufficient time between the completion of the peer review process and the commencement of the first advertising. Service NSW signed the agreement with the approved Media Agency Services provider with sufficient time to achieve cost-efficient media placement for all types of media used in this campaign.

The campaign may have been misleading for some people who were not eligible for rebates

Advertisements we reviewed focused on the amount of savings that could be obtained from rebates, for example ‘Save up to $285’, and ended with a statement ‘To save, visit service.nsw.gov.au. This directed viewers to the Cost of Living website which contains eligibility information. However, the advertisements in phases 2 and 3 we reviewed did not contain any details on the eligibility for these rebates and not all advertisements stated that eligibility criteria apply. Service NSW advised that the eligibility criteria for each rebate is extensive and that it was not possible to include this in the creative material.

Post-campaign evaluations in phase 3 recommended that advertisements for Creative Kids should indicate eligibility (e.g. age criteria) as statements on savings have the potential to be misleading when not all viewers will be eligible for rebates. Social media analysis conducted following phase 2 showed ineligibility or inability to claim rebates or refunds caused anger for some respondents.

Some advertisements in phase 2 stated ‘we've got something for everyone’. However, as rebates were subject to eligibility criteria, it is possible that some residents in NSW would not be eligible for any rebates as part of the Cost of Living initiative. As such, this statement has the potential to be misleading.

The campaign included statements that underestimated the savings that some customers could obtain

The Guidelines require accuracy in the presentation of all facts, statistics, comparisons and other arguments. The Guidelines also require that all claims of fact included in government advertising campaigns must be able to be substantiated.

In phase 2, the possible savings customers could obtain for two rebates or savings exceeded the amounts stated in the advertising campaign. Exhibit 7 shows some advertisements in phase 2 which stated, ‘My Green Slip Saving Save up to $60’. However, the State Insurance Regulatory Authority website shows that savings for some types of motor vehicles under the 2017 CTP scheme exceed $60. The State Insurance Regulatory Authority website states that the average saving under this scheme has been $129. Service NSW advised that these advertisements were designed for regional markets and that it used different advertisements for metropolitan areas which contained different amounts of savings.

Some advertisements in phase 2 stated, ‘My Toll Relief save up to $700’. The Service NSW website states that drivers can obtain free vehicle registration if they have spent $1,352 or more in tolls in the previous financial year. The cost of registration for some vehicles exceeds $700. This means the savings detailed in the advertisement were lower than what some customers could actually save.

NSW Rural Fire Service conducted the 'How FireProof Is Your Plan?' (Fireproof) campaign. The Fireproof campaign is a three-year campaign which ran in 2018–19 (year one), 2019–20 (year two) and is planned for 2020–21 (year three). This audit examined year two of the campaign (2019–20).

The Fireproof campaign is a public safety campaign encouraging people to plan and prepare for bush fires across the summer period. The campaign aims to improve the quality of bush fire planning and preparation in the community and decrease the impact of fires on the community when they occur.

Campaign materials we reviewed did not breach section 6 of the Act

The audit team reviewed campaign materials developed as part of the paid advertising campaign for example radio advertisements, television commercials and digital displays. The audit team did not review the use of social media outside paid social media content as section four of the Act defines government advertising as the dissemination of information which is funded by or on behalf of a government agency. Examples of campaign materials are shown in Appendix two.

Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:

• be designed to influence (directly or indirectly) support for a political party
• contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
• contain the name, logo, slogan or any other reference to a political party.

The audit found no breaches of section 6 of the Act in the campaign material we reviewed. 

NSW Rural Fire Service did not set targets for the second year of the campaign

The second year of the Fireproof campaign (2019–20) had the same objectives as the first year of the campaign (2018–19), however no specific targets were set for the second year. The advertising submission for the first year of the campaign (2018–19) details the targets for each objective as an increase of ten per cent against the baseline data to be achieved by March 2021, at the end of the three-year campaign.

The second year of the Fireproof campaign (2019–20) was one of the first campaigns approved under the new budget and peer review processes introduced by the Department of Customer Service in 2019–20. The new process for peer review introduced a new template for campaign submissions. The former template for campaign submissions contained more prompts for agencies to ensure the submission contained sufficient detail of campaign objectives, baseline measures, targets, dates for measurement and detail on how they would measure objectives. Despite this, the peer review process should have identified that NSW Rural Fire Service did not set targets for the second year of the campaign.

The 2016 Guidelines for Implementing NSW Government Evaluation Framework for Advertising and Communications requires campaign objectives to be SMART (specific, measurable, achievable, realistic and timed). NSW Rural Fire Service did not meet this requirement for year two of the Fireproof campaign.

Post-campaign evaluations showed increases against four out of five objectives, however there were no specific targets

NSW Rural Fire Service set three campaign objectives at the time it submitted the second year of the campaign (2019–20) to the Department of Customer Service for peer review. However, the post-campaign effectiveness report submitted to the Department of Customer Service measured campaign effectiveness against five campaign objectives. The objectives in the post-campaign effectiveness report were the same objectives set for the first year of the campaign, which is appropriate as this was a repeat campaign.

NSW Rural Fire Service achieved increases against four of their five objectives. However, as noted above there were no specific targets (such as percentage increases) against which performance of the 2019–20 campaign could be measured. Despite this, at the end of the second year, the Fireproof campaign had already achieved some of the targets that NSW Rural Fire Service had set for the end of the third year of the campaign. The post-campaign research showed that both audience recall and exposure to the campaign increased significantly from the prior year. The campaign objectives and results are shown in Exhibit 8.

For those people who already have a bush fire plan, the campaign aimed to increase the number of those plans which have included two or more elements from the Guide to Making a Bush Fire Survival Plan. Elements from the Guide to Making A Bush Fire Survival Plan include actions such as deciding what to take with you if you leave, ensuring you have the right equipment for defending your home and allocating responsibilities to members of a household. The post-campaign evaluation showed that the campaign did not achieve an increase against this objective for people who planned to stay and defend their property rather than leave.

Exhibit 8: Campaign objectives and results

Campaign objectives	Does the post-campaign evaluation show increases against the objective?
1. Continue to increase the number of people that have discussed and/or written a plan with regards to what they will do in the event of a fire.
2. Of those who indicate they have a plan, increase the number of people who have included two or more elements from the Guide to Making a Bush Fire Survival Plan:
for those who plan to leave
for those who plan to stay and defend.
3. Increase the frequency in completing preparation activities around a person’s property.
4. Increase the number of people who correctly assess it is their responsibility to complete preparation activities and enact their plan without direct intervention from emergency services.
5. Visits to MyFirePlan website.

Key

Yes

No

NSW Rural Fire Service achieved cost efficiencies by reusing creative content developed in the first year of the campaign

Total creative and production costs incurred in year one of the campaign were $1.08 million. Rather than commissioning new creative materials, NSW Rural Fire Service re-used the same creative content in year two of the campaign. NSW Rural Fire Service incurred $100,000 in creative and production costs in year two of the campaign and achieved cost-efficiencies by reusing the same creative developed in the prior year.

NSW Rural Fire Service allowed sufficient time for cost-efficient media placement and received free media placements

The Department of Customer Service advises agencies to work with media contacts to book media in advance to ensure a cost-efficient placement. Prior to 2019–20, the Department of Premier and Cabinet provided suggested timeframes for agencies to book media as part of the peer review process. For example, it advised agencies to book television six to 12 weeks in advance and book radio advertising two to eight weeks in advance. NSW Rural Fire Service allowed sufficient time for a cost-efficient media placement.

NSW Rural Fire Service received $4 million of free advertising time and space donated by media companies due to the extent and impact of the 2019–20 fire season.

The cost benefit analysis (CBA) did not assess the costs and benefits of alternatives to advertising

Under the Government Advertising Act 2011, agencies are required to prepare a CBA when the cost of the campaign is likely to exceed $1 million. As part of the CBA, the Government Advertising Guidelines require agencies to consider options other than advertising to achieve the desired objective including a comparison of costs and benefits.

The CBA for the Fireproof campaign (year two) notes that the proposed campaign is one component of a broader community engagement strategy which has been developed over time and is based on research and evaluation. The CBA considers two options to achieve the objectives of the campaign. The first option is community engagement activities without an advertising campaign and the second option is community engagement activities alongside an advertising campaign. The CBA does not identify and assess the costs and benefits of both of the options in order to assess the most cost-efficient option.

This is a repeat finding from two previous government advertising audits. The report ‘Government Advertising: 2015–16 and 2016–17’ found that both agencies subject to the audit did not meet the requirements in the guidelines to consider alternatives to advertising. The report made a recommendation to the Department of Premier and Cabinet to work with Treasury to ensure the requirements of the guidelines are fully reflected in the 'Cost-Benefit Analysis Framework for Government Advertising and Information Campaigns'. The report ‘Government advertising 2017–18’ found that one agency subject to the audit did not identify to what extent the benefits could be achieved without advertising, nor did it consider alternatives to advertising which could achieve the same impact as the advertising campaign.

Appendix one – Responses from agencies

Appendix two – About the campaigns

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #342 - released 19 November 2020

The Auditor-General for New South Wales, Margaret Crawford, released a report today on how well four councils managed their local infrastructure contributions during the 2017-18 and 2018-19 financial years. 

Local infrastructure contributions, also known as developer contributions, are collected from developers to pay for local infrastructure such as drainage, local roads, open space and community facilities. Controls over local infrastructure contributions help to ensure that all contributions owed are collected, funds are spent as intended, and any contributions paid in the form of works-in-kind or dedicated land are correctly valued.

The audit found that Blacktown City Council and City of Sydney Council provided effective governance over their local infrastructure contributions whereas Central Coast and Liverpool City Councils’ governance arrangements require improvement.

The audit found that three councils had spent local infrastructure contributions in accordance with approved contributions plans. Central Coast Council and the former Gosford City Council had spent $13.2 million on administration costs in breach of the Environmental Planning and Assessment Act 1979. These funds were repaid into the council’s local infrastructure fund during the course of the audit.

The Auditor-General made a number of recommendations for each council relating to improving controls over contributions and increasing transparency. 

Read full report (PDF)
 

This audit examined the effectiveness of governance and internal controls over local infrastructure contributions, also known as developer contributions, held by four councils during the 2017–18 and 2018–19 financial years.

This performance audit was conducted with reference to the legislative and regulatory planning framework that was in place during that period.

Our work for this performance audit was completed at the end of March 2020 when we issued the final report to the four audited councils and the Department of Planning, Industry and Environment. We received their respective formal responses to the report’s recommendations during April and May 2020.

Concurrently to this audit, we sought Crown Solicitor’s advice (the ‘Advice’) regarding the use of local infrastructure contributions collected by local councils under the Environmental Planning and Assessment Act 1979 (‘the EPA Act’) for our financial audit work. The Advice clarified the applicable legislative requirements with reference to the application, investment and pooling of local infrastructure contributions. The Advice is included in Appendix 2 of this report. The Advice has not impacted on the findings and recommendations of this report.

Councils collect Local Infrastructure Contributions (LICs) from developers under the Environmental Planning and Assessment Act (1979), the Local Government Act (1993) and the City of Sydney Act (2000) (EP&A Act, LG Act and City of Sydney Act) to fund infrastructure required to service and support new development. At 30 June 2018, councils across NSW collectively held more than $3.0 billion in LICs collected from developers. Just over $1.37 billion in total was held by ten councils. Councils collecting LICs must prepare a contributions plan, which outlines how LICs will be calculated and apportioned across different types of infrastructure. Councils that deliver water and sewer services prepare a development servicing plan (DSP) which allows them to collect contributions for water and sewer infrastructure.

Development timeframes are such that there is often several years between when LICs are collected and the infrastructure is required. Good governance and internal controls are needed over these funds to ensure they are available when needed and spent appropriately.

This audit assessed the effectiveness of governance and internal controls over LICs collected by four councils during the 2017–18 and 2018–19 financial years: Blacktown City Council, Central Coast Council, City of Sydney Council and Liverpool City Council. As at June 2018 these councils held the four highest LIC balances, each in excess of $140 million.

A strong governance framework is important at each council to ensure that the funds are managed well, available when needed and spent as intended. The audit examined the following features of each council's governance framework as they apply to LICs:

• decision-making by councillors and council officers relating to LICs
• monitoring delivery of contributions plans and DSPs including:
  • reviewing assumptions underlying the plans
  • monitoring projected status of plans.

Internal controls over LICs are important to promote accountability, prevent fraud and deliver infrastructure to the required standard at the best possible price. If financial controls are weak or are not implemented well, there is a risk that LICs are misspent or that councils pay too much for infrastructure.

Not all councils' internal controls adequately addressed risks associated with the administration of LICs

The audit examined a number of internal controls that manage risks related to LICs. These included:

• financial controls over receipt and expenditure of LIC funds
• management of conflicts-of-interest when dealing with developers
• independent valuations of works-in-kind and dedicated land
• ensuring delivery and quality of works-in-kind, and obtaining security from developers in the event of non-delivery or poor quality work
• management of variations to VPAs and works-in-kind agreements.

We reviewed controls included in policies and procedures and then checked samples of work to ensure that controls were implemented. We found variation in the controls that councils implemented, and some weaknesses in controls. It is a matter for each council to assess their financial risk and develop internal controls that support the collection, management, and expenditure of LICs. However, councils must be able to assure their communities and developers that they are doing everything possible to collect all LICs owing and that work conducted by developers in lieu of cash payments is properly valued and carried out to the required standard.

Further information about audit findings in relation to internal controls for each council are included in chapters five to eight. The exhibit below demonstrates variation in several controls implemented in the audited councils.

In a 2018 report, the Independent Commission Against Corruption noted that 'the appetite for transparency is expanding in both the public and private sectors'.

The Practice Note and S64 Guidance refer to transparency, including the importance of transparency over:

• calculation and apportionment of LICs
• funding of infrastructure, including where and when infrastructure is delivered
• arrangements made with developers through VPAs.

The LIC system is largely transparent for community members who know where to look

Contributions plans and DSPs are public documents, exhibited to the public before being adopted by council. Councils included in the audit publish their contributions plans and DSPs on their websites and meet statutory requirements with regard to reporting and accessibility of information.

However, other public information relating to the LIC system is fragmented across different websites and reports and varies in detail across councils.

The Practice Note states that councils are accountable for providing the infrastructure for which contributions are collected. Demonstrating that infrastructure has been provided is difficult with fragmented information. As an example of transparent reporting, Blacktown City Council's 2018–19 annual report includes information about infrastructure that has been delivered for every contributions plan, providing transparency over how LICs have been spent.

Use of LICs collected under VPAs is not always transparent

Contributions collected under VPAs are not required to demonstrate the same relationship to a development as LICs collected under section 7.11 of the EP&A Act. VPAs are often negotiated because a developer requests a change to a planning instrument, and it is important that these arrangements, and their outcomes, are transparent to the community.

The EP&A Regulation includes mechanisms to ensure that VPAs are partially transparent. VPAs are exhibited to the public and approved by the elected council. Councils must maintain a VPA Register and make the VPA Deeds of Agreement available on request. However, there is no obligation on council to report on the outcomes or delivery of developers' obligations under VPAs. The four audited councils vary in transparency and accessibility of information available about VPAs.

The Practice Note suggests that councils incorporate the intended use of LICs collected under VPAs in the Deed of Agreement, but there is no guidance relating to transparency over where and when funds have actually been spent. There is merit in councils providing greater transparency over public benefits delivered through VPAs to give communities confidence in VPAs as a planning tool.

Credit arrangements with developers are not always well documented or monitored

When levying LICs, section 7.11(6) of the EP&A Act requires councils to take into account land, money, or works-in-kind that the developer has contributed on other development sites over and above their LIC obligations. This section of the EP&A Act allows a developer to offset a LIC owed on one site against land or works contributed on another. This leads to some developers carrying 'credits' for work delivered to councils, to be paid back by reduced LICs on a future development. Blacktown City Council and Central Coast Council allow developers to carry credits. Liverpool City Council and City of Sydney Council do not permit credits and instead pay the developers for any additional work undertaken.

Councils should formally document credit arrangements and have a robust process to validate and keep track of credit balances and report on them. Central Coast Council does not keep good track of credit arrangements and neither Blacktown City Council or Central Coast Council aggregate or report on outstanding credit balances.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Advice from the Crown Solicitor

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #339 - released 17 August 2020

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining whether the Department of Communities and Justice had effective governance and partnership arrangements in place to deliver ‘Their Futures Matter’.

Their Futures Matter was intended to place vulnerable children and families at the heart of services, and direct investment to where funding and programs deliver the greatest social and economic benefits. It was a four-year whole-of-government reform in response to the 2015 Tune Review of out-of-home care.

The Auditor-General found that while important foundations were put in place, and new programs trialled, the key objective to establish an evidence-based whole-of-government early intervention approach for vulnerable children and families in NSW was not achieved.

Governance and cross-agency partnership arrangements to deliver Their Futures Matter were found to be ineffective. 'Their Futures Matter lacked mechanisms to secure cross portfolio buy‑in and did not have authority to drive reprioritisation of government investment', the Auditor-General said.

At the reform’s close, the majority of around $380 million in investment funding remains tied to existing agency programs, with limited evidence of their comparative effectiveness or alignment with Their Futures Matter policy objectives. The reform concluded on 30 June 2020 without a strategy or plan in place to achieve its intent.

The Auditor-General made four recommendations to the Department of Communities and Justice, aimed at improving implementation of outstanding objectives, revising governance arrangements, and utilising the new human services data set to address the intent of the reform. However, these recommendations respond only in part to the findings of the audit.

According to the Auditor-General, ‘Cross-portfolio leadership and action is required to ensure a whole-of-government response to delivering the objectives of Their Futures Matter to improve outcomes for vulnerable children, young people and their families in New South Wales.’

Read full report (PDF)

In 2016, the NSW Government launched 'Their Futures Matter' (TFM) - a whole-of-government reform aimed at delivering improved outcomes for vulnerable children, young people and their families. TFM was the government's key response to the 2015 Independent Review of Out of Home Care in New South Wales (known as 'the Tune Review').

The Tune Review found that, despite previous child protection reforms, the out of home care system was ineffective and unsustainable. It highlighted that the system was not client-centred and was failing to improve the long-term outcomes for vulnerable children and families. The review found that the greatest proportion of relevant expenditure was made in out of home care service delivery rather than in evidence-based early intervention strategies to support children and families when vulnerabilities first become evident to government services (such as missed school days or presentations to health services).

The then Department of Family and Community Services (FACS) designed the TFM reform initiatives, in consultation with central and human services agencies. A cross-agency board, senior officers group, and a new unit in the FACS cluster were established to drive the implementation of TFM. In the 2016–17 Budget, the government allocated $190 million over four years (2016–17 to 2019–20) to the reform. This resourced the design and commissioning of evidence-based pilots, data analytics work, staffing for the implementation unit and secretariat support for the board and cross-agency collaboration.

As part of the TFM reform, the Department of Premier and Cabinet, NSW Treasury and partnering agencies (NSW Health, Department of Education and Department of Justice) identified various existing programs that targeted vulnerable children and families (such as the preceding whole-of-government ‘Keep Them Safe’ reform coming to an end in June 2020). Funding for these programs, totalling $381 million in 2019–20, was combined to form a nominal ‘investment pool’. The government intended that the TFM Implementation Board would use this pool to direct and prioritise resource allocation to evidence-based interventions for vulnerable children and families in NSW.

This audit assessed whether TFM had effective governance and partnership arrangements in place to enable an evidence-based early intervention investment approach for vulnerable children and families in NSW. We addressed the audit objective with the following audit questions:

• Was the TFM reform driven by effective governance arrangements?
• Was the TFM reform supported by effective cross-agency collaboration?
• Has the TFM reform generated an evidence base to inform a cross-agency investment approach in the future?

The audit did not seek to assess the outcomes for children, young people and families achieved by TFM programs and projects.

Their Futures Matter (TFM) is a whole-of-government reform to deliver improved outcomes for vulnerable children, young people and their families.

Supported by a cross-agency TFM Board, and the TFM Unit in the then Department of Family and Community Services (FACS), the reform aimed to develop whole-of-government evidence-based early intervention investment approaches for vulnerable children and families in NSW.

Governance refers to the structures, systems and practices that an organisation has in place to:

• assign decision-making authorities and establish the organisation's strategic direction
• oversee the delivery of its services, the implementation of its policies, and the monitoring and mitigation of its key risks
• report on its performance in achieving intended results, and drive ongoing improvements.

We examined whether the TFM reform was driven by effective governance arrangements and cross-agency collaboration.

The reform agenda and timeframe set down for Their Futures Matter (TFM) were ambitious. This chapter assesses whether the TFM Board and TFM Unit had the capability, capacity and clout within government to deliver the reform agenda.

Creating a robust evidence base was important for Their Futures Matter, in order to:

• identify effective intervention strategies to improve supports and outcomes for vulnerable children and families
• make efficient use of taxpayer money to assist the maximum number of vulnerable children and families
• inform the investment-based approach for future funding allocation.

This chapter assesses whether the TFM reform has developed an evidence base to inform cross-agency investment decisions.

Appendix one – Response from agency

Appendix two – TFM governance entities

Appendix three – TFM Human Services Data Set

Appendix four – TFM pilot programs

Appendix five – About the audit

Appendix six – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #337 - released 24 July 2020

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

• Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
• Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #330 - released 7 April 2020.

NSW public sector sick leave is higher than other States. The NSW public sector has the highest reported public sector sick leave in Australia. Public sector efforts to reduce sick leave over the last five years has seen a fall of a quarter of a day since 2004-05, less than its target of one day. On average, public sector workers take just over eight days sick leave annually. Recent surveys of public and private sector organisations show that sick leave in the public sector is higher than the private sector.

Parliamentary reference - Report number #209 - released 8 December 2010