Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Management of the Critical Communications Enhancement Program

Finance
Health
Justice
Whole of Government
Cyber security
Information technology
Infrastructure
Internal controls and governance
Project management
Risk
Service delivery
Shared services and collaboration

What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

  • The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
  • The need to finalise a Traffic Mitigation Plan for when the network is congested.
  • The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
  • The need to clarify how encryption and interoperability will work on the enhanced network.
  • The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
  • Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

  • NSW Ambulance
  • Fire and Rescue NSW
  • NSW Police Force
  • NSW Rural Fire Service
  • NSW State Emergency Service.1

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.2

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

  1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
  2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

  • to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
  • to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

Conclusion

In areas of New South Wales where the enhanced Public Safety Network has been implemented under the Critical Communications Enhancement Program, the NSW Telco Authority has delivered a radio network that meets most of the agreed requirements of Emergency Services Organisations for routine and emergency operations.
In April 2023, the enhanced Public Safety Network (PSN) was approximately 50% completed. In areas where it is used by Emergency Services Organisations (ESOs), the PSN generally meets agreed user requirements. This is demonstrated through extensive performance monitoring and reporting, which shows that agreed performance standards are generally achieved. Reviews by the NSW Government and the NSW Telco Authority found that the PSN performed effectively during major flood events in 2021 and 2022.

Where it is completed, PSN coverage is generally equal to or better than each ESO's individual pre-existing coverage. The NSW Telco Authority has a dedicated work program to address localised coverage gaps (or 'blackspots') in those areas where coverage has otherwise been substantively delivered. Available call capacity on the network far exceeds demand in everyday use. Any operational issues that may occur with the PSN are transparent to ESOs in real time.

The NSW Telco Authority consulted extensively with ESOs on requirements for the enhanced PSN, with relatively few ESO requirements not being included in the specifications for the enhanced PSN. Lessons from previous events, including the 2019–20 summer bushfires, have informed the design and implementation of the enhanced PSN (such as the need to ensure adequate backup power supply to inaccessible sites). The network is based on the Project 25 technical standards for mission-critical radio communications, which is widely-accepted in the public safety radio community throughout Australia and internationally.

There is no mechanism to ensure adequate radio coverage within new building infrastructure after the CCEP concludes, but the NSW Telco Authority and ESOs have agreed an approach to prioritise existing in-building sites for coverage for the duration of the CCEP.
The extent to which the PSN works within buildings and other built structures (such as railway tunnels) is of crucial importance to ESOs, especially the NSW Police Force, NSW Ambulance, and Fire and Rescue NSW. This is because a large proportion of their operational communications occurs within buildings.

There is no mechanism to ensure the adequacy of future in-building coverage for the PSN in new or refurbished buildings after the CCEP concludes. Planning, building, and fire regulations are silent on this issue. We note there are examples in the United States of how in-building coverage for public safety radio networks can be incorporated into building or fire safety codes.

In regard to existing buildings, it is not possible to know whether a building requires its own in-building PSN infrastructure until nearby outside radio sites, including towers and antennae, have been commissioned into the network. Only then can it be determined whether their radio transmissions are capable of penetrating inside nearby buildings. Accordingly, much of this work for in-building coverage cannot be done until outside radio sites are finished and operating.

In March 2023, the NSW Telco Authority and ESOs agreed on a list of 906 mandatory and 7,086

non-mandatory sites for in-building PSN coverage. Most of these sites will likely be able to receive radio coverage via external antennae and towers, however this cannot be confirmed until those nearby external PSN sites are completed. The parties also agreed on an approach to prioritising those sites where coverage is needed but not provided by antennae and towers. Available funding will likely only extend to ensuring coverage in sites deemed mandatory, which is nonetheless expected to meet the overall benchmark of achieving 'same or better' coverage than what ESOs had previously.

There is a risk that radio interoperability between ESOs will not be maximised because the NSW Telco Authority has not settled with ESOs how encryption will be used across the enhanced PSN.
End-to-end encryption of radio transmissions is a security feature that prevents radio transmissions being intercepted or listened to by people who are not meant to. The ability of the PSN to provide end-to-end encryption of operational communications is of critical importance to the two largest prospective users of the PSN: the NSW Police Force and NSW Ambulance. Given that encryption excludes other parties that do not have the requisite encryption keys, its use creates an obstacle to achieving a key intended benefit of the CCEP, that is a more interoperable PSN, where first responders are better able to communicate with other ESOs.

Further planning and collaboration between PSN participants are necessary to consider how these dual benefits can be achieved, including in what operational circumstances encrypted interoperability is necessary or appropriate.

The capital cost to the NSW Telco Authority of the CCEP, originally estimated at $400 million in 2016, was not made public until the 2021–22 NSW Budget disclosed an estimate of $1.325 billon.
The estimated capital cost to complete all stages of the CCEP increased over time. This increasing cost was progressively disclosed to the NSW Government through Cabinet processes between 2015–16 and 2021–22.

In 2016, the full capital cost to the NSW Telco Authority of completing the CCEP was estimated to be $400 million. This estimated cost was not publicly disclosed, nor were subsequent increases, until the cost of $1.325 billion was publicly disclosed in the 2021–22 NSW Budget (revised down in the 2022–23 NSW Budget to $1.293 billion).

There has been no transparency about the whole-of-government cost of implementing the enhanced PSN through the CCEP.
In addition to the capital costs incurred directly by the NSW Telco Authority for the CCEP, ESOs have incurred costs to maintain their own networks due to the delay in implementing the CCEP. The ESOs will continue to incur these costs until they are able to fully migrate to the enhanced PSN, which is expected to be in 2027. These costs have not been tracked or reported as part of transparently accounting for the whole-of-government cost of the enhanced PSN. This is despite Infrastructure NSW in 2019 recommending to the NSW Telco Authority that it conduct a stocktake of such costs so that a whole-of-government cost impact is available to the NSW Government.
1 The definition of 'emergency services organisation' is set out in the State Emergency and Rescue Management Act 1989 (NSW). In addition to the five ESOs discussed in this report, the definition also includes: Surf Life Saving New South Wales; New South Wales Volunteer Rescue Association Inc; Volunteer Marine Rescue NSW; an agency that manages or controls an accredited rescue unit; and a non-government agency that is prescribed by the regulations for the purposes of this definition.
2 Section 15(1) of the Government Telecommunications Act 2018 (NSW).

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

Exhibit 6: Estimated costs to fully implement the CCEP
Source Capital cost ($ million) Operating cost
($ million)		 Completion date
March 2016 business case 400 37.3 2020
November 2017 internal review 476.7 41.7 2022
March 2020 business case 950–1,050 -- 2025
October 2020 business case 1,263.1 56.1 2026
Source: CCEP business cases as identified.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

Exhibit 7: CCEP funding in NSW Budget papers from 2015–16 to 2022–23
Financial year Type of major work Description of expenditure Forecast estimate to complete ($ million) Estimated duration
2015–16 New work Infrastructure Rationalisation Program: Planning and Pilot 18.3 2015–16
2016–17 Work in progress CCEP Planning and Pilot 18.3 2015–17
New work CCEP 45 2016–17
2017–18 New work CCEP 190.75 2017–21
2018–19 Work in progress CCEP North Coast and State-wide Detailed Design 190.75 2017–21
New work CCEP Greater Metropolitan Area 236 2018–22
2019–20 Work in progress CCEP 426.9 2018–22
2020–21 Work in progress CCEP 664.8 2018–22
2021–22 Work in progress CCEP 1,325 2018–26
2022–23 Work in progress CCEP 1,292.8 2018–26
Source: NSW Treasury, Annual State Budget Papers.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

…coordinate a stocktake of the costs of operational bridging solutions implemented by PSAs [ESOs] as a result of the 18-month delay, so that a whole-of-government cost impact is available to the NSW Government.  

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

Exhibit 8: Stay Safe and Keep Operational forecast costs, 2017 to 2020
Year 2017 2018 2019 2020 Total
SSKO forecast ($ million) 12.5 15 10 2.5 40
Source: March 2016 CCEP business case.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

  • it was expressly included in the original approved March 2016 business case
  • the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

  • funding would be coordinated by the NSW Telco Authority
  • scheduling and reporting through an inter-agency working group and
  • where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

  • decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
  • effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
  • costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

  • $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
  • $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

  • budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
  • the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
  • the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Exhibit 9: Estimated whole-of-government costs of the enhanced PSN
  Estimated whole-of-government cost, over time
Cost type 20161 20172 20203 2023–Estimate A4 2023–Estimate B5
$ million $ million $ million $ million $ million
CCEP capital expenditure 400a 476.7b 1,263.1c 1,292.8d 1,292.8d
CCEP operating expenditure 37.3a 41.7b 41.5e 139d 139d
CCEP total 437.3 518.4 1,304.6 1,431.8 1,431.8
ESO capital expenditure 75.2a,f 183b,e 75.4e 258.4g 292.5
ESO one-off operating expenditure 93a n.a.l 86.5e 86.5h 273
ESO total 168.2 183 161.9 344.9 565.5
Paging n.a.i n.a.i n.a.j 60.3k 60.3k
Decommissioning 93 n.a.l 201.0 201h 201
Paging and decommissioning total 93 n.a. 201 261.3 261.3
Whole-of-government total 698.5 701.4 1,667.5 2,038 2,258.6
Notes:
  1. Financial year 2016 to Financial year 2020.
  2. Financial year 2016 to Financial year 2021.
  3. Financial year 2016 to Financial year 2025.
  4. Financial year 2016 to Financial year 2026.
  5. Financial year 2022 to Financial year 2025.
  6. Stay Safe and Keep Operational (SSKO) costs plus terminals costs.
  7. November 2017 internal review and October 2020 Business case.
  8. October 2020 Business case.
  9. Included in CCEP capital expenditure at that time.
  10. By 2020, a refresh of the paging network had been removed from the CCEP scope.
  11. A separate business case for a refresh of the paging network was approved by government in 2022.
  12. Figure not included in the source document.
Sources:
  1. March 2016 CCEP business case.
  2. November 2017 Internal Review conducted by the NSW Telco Authority.
  3. October 2020 CCEP business case.
  4. Derived from business cases, with ESO costs drawn from NSW Telco Authority data.
  5. Derived from business cases, with ESO costs based on data provided to the Audit Office of New South Wales by each of the five ESOs.

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

 

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #383 - released 23 June 2023

 

Published

Integrity of data in the Births, Deaths and Marriages Register

Justice
Premier and Cabinet
Whole of Government
Cyber security
Fraud
Information technology
Internal controls and governance
Management and administration

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

  • Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
  • Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Conclusion

BD&M has processes and controls in place to ensure that the information entered in the Register is accurate and that amendments to the Register are validated. BD&M also has controls in place to prevent and detect unauthorised access to, and activity in the Register. However, there are significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of the information in the Register.

BD&M has detailed procedures for all registrations and amendments to the Register, which include processes for entering, assessing and checking the validity and adequacy of source documents. Where BD&M staff have directly input all the data and for amendments to the Register, a second person is required to check all information that has been input before an event can be registered or an amendment can be made. BD&M carries out regular internal audits of all registration processes to check whether procedures are being followed and to address non-compliance where required.

BD&M authorises access to the Register and carries out regular access reviews to ensure that users are current and have the appropriate level of access. There are audit trails of all user activity, but BD&M does not routinely monitor these. At the time of the audit, BD&M also did not monitor activity by privileged users who could make unauthorised changes to the Register. Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected.

BD&M has no direct oversight of the database environment which houses the Register and relies on DCJ's management of a third-party vendor to provide the assurance it needs over database security. The vendor operates an Information Security Management System that complies with international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's IT controls.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #330 - released 7 April 2020.

Published

Contracting non-government organisations

Community Services
Compliance
Fraud
Management and administration
Procurement
Regulation
Service delivery

This report found the Department of Family and Community Services (FACS) needs to do more to demonstrate it is effectively and efficiently contracting NGOs to deliver community services in the Permanency Support Program (a component of out-of-home-care services) and Specialist Homelessness Services. It notes that FACS is moving to an outcomes-based commissioning model and recommends this be escalated consistent with government policy.

Government agencies, such as the Department of Family and Community Services (FACS), are increasingly contracting non-government organisations (NGOs) to deliver human services in New South Wales. In doing so, agencies are responsible for ensuring these services are achieving expected outcomes. Since the introduction of the Commissioning and Contestability Policy in 2016, all NSW Government agencies are expected to include plans for customer and community outcomes and look for ways to use contestability to raise standards.

Two of the areas receiving the greatest funding from FACS are the Permanency Support Program and Specialist Homelessness Services. In the financial year 2017–18, nearly 500 organisations received $784 million for out-of-home care programs, including the Permanency Support Program. Across New South Wales, specialist homelessness providers assist more than 54,000 people each year and in the financial year 2017–18, 145 organisations received $243 million for providing short term accommodation and homelessness support, including Specialist Homelessness Services.

In the financial year 2017–18, FACS entered into 230 contracts for out-of-home care, of which 49 were for the Permanency Support Program, representing $322 million. FACS also entered into 157 contracts for the provision of Specialist Homelessness Services which totalled $170 million. We reviewed the Permanency Support Program and Specialist Homelessness Services for this audit.

This audit assessed how effectively and efficiently FACS contracts NGOs to deliver community services. The audit could not assess how NGOs used the funds they received from FACS as the Audit Office does not have a mandate that could provide direct assurance that NGOs are using government funds effectively.

Conclusion
FACS cannot demonstrate it is effectively and efficiently contracting NGOs to deliver community services because it does not always use open tenders to test the market when contracting NGOs, and does not collect adequate performance data to ensure safe and quality services are being provided. While there are some valid reasons for using restricted tenders, it means that new service providers are excluded from consideration - limiting contestability. In the service delivery areas we assessed, FACS does not measure client outcomes as it has not yet moved to outcomes-based contracts. 
FACS' procurement approach sometimes restricts the selection of NGOs for the Permanency Support Program and Specialist Homelessness Services
FACS has a procurement policy and plan which it follows when contracting NGOs for the provision of human services. This includes the option to use restricted tenders, which FACS sometimes uses rather than opening the process to the market. The use of restricted tenders is consistent with its procurement plan where there is a limited number of possible providers and the services are highly specialised. However, this approach perpetuates existing arrangements and makes it very difficult for new service providers to enter the market. The recontracting of existing providers means FACS may miss the opportunity to benchmark existing providers against the whole market. 
FACS does not effectively use client data to monitor the performance of NGOs funded under the Permanency Support Program and Specialist Homelessness Services
FACS' contract management staff monitor individual NGO performance including safety, quality of services and compliance with contract requirements. Although FACS does provide training materials on its intranet, FACS does not provide these staff with sufficient training, support or guidance to monitor NGO performance efficiently or effectively. FACS also requires NGOs to self-report their financial performance and contract compliance annually. FACS verifies the accuracy of the financial data but conducts limited validation of client data reported by NGOs to verify its accuracy. Instead, FACS relies on contract management staff to identify errors or inaccurate reporting by NGOs.
FACS' ongoing monitoring of the performance of providers under the Permanency Support Program is particularly limited due to problems with timely data collection at the program level. This reduces FACS' ability to monitor and analyse NGO performance at the program level as it does not have access to ongoing performance data for monitoring service quality.
In the Specialist Homelessness Services program, FACS and NGOs both provide the data required for the National Minimum Data Set on homelessness and provide it to the Australian Institute of Health and Welfare, as they are required to do. However, this data is not used for NGO performance monitoring or management.
FACS does not yet track outcomes for clients of NGOs
FACS began to develop an approach to outcomes-based contracting in 2015. Despite this, none of the contracts we reviewed are using outcomes as a measure of success. Currently, NGOs are required to demonstrate their performance is consistent with the measures stipulated in their contracts as part of an annual check of their contract compliance and financial accounts. NGOs report against activity-based measures (Key Performance Indicators) and not outcomes.
FACS advises that the transition to outcomes-based contracting will be made with the new rounds of funding which will take place in 2020–2021 for Specialist Homelessness Services and 2023 for the Permanency Support Program. Once these contracts are in place, FACS can transition NGOs to outcomes based reporting.
Incomplete data limits FACS' effectiveness in continuous improvement for the Permanency Support Program and Specialist Homelessness Services
FACS has policies and procedures in place to learn from past experiences and use this to inform future contracting decisions. However, FACS has limited client data related to the Permanency Support Program which restricts the amount of continuous improvement it can undertake. In the Specialist Homelessness Support Program data is collected to inform routine contract management discussions with service providers but FACS is not using this data for continuous improvement. 

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

 

Parliamentary Reference: Report number #323 - released 26 June 2019

Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Published

Energy rebates for low income households

Planning
Industry
Compliance
Fraud
Internal controls and governance
Management and administration

The Department of Planning and Environment provides more than $245 million in energy rebates to around 27 percent of NSW households. This report highlights that the department is not monitoring the rebate schemes to understand whether they are delivering the best outcomes.

Most rebates are ongoing payments applied directly to energy bills reducing the amount payable by the householder. The structure of these rebates is complex and can be inequitable. Some households are eligible for four different rebates, each with its own eligibility criteria.  Also, some households in very similar circumstances receive different levels of support depending on what type of energy is used in their home or which adult in the house is the energy account holder. For example, a household using both electricity and gas receives more assistance than a household with electricity alone even if total energy bills are the same. 

The Department of Planning and Environment (Department) administers five energy rebate schemes targeted to low-income households. The five rebates are of two key types:

1. Ongoing support to pay energy bills
2. Crisis Support  

More than one million rebates are paid each year to over 800,000, or around 27 per cent, of NSW households. Households learn about rebates from a variety of sources including: Service NSW, government and energy retailer websites, energy retailer welcome packs, Department marketing efforts, information on energy bills, and Centrelink.  

The budget for energy rebates is increasing every year and in 2017–18 is more than $245 million. The Department delivers most rebates through a network of partnership arrangements with:

  • energy retailers, who apply rebates directly onto energy bills
  • more than 340 charities and other NGOs who assess households' eligibility for crisis support and distribute support through the Energy Accounts Payment Assistance scheme (EAPA)
  • Service NSW, who informs NSW households about rebates through their call centre.

The energy rebates budget is substantial and the distribution arrangements are complex. The objective of the audit was to assess whether the current design and distribution of energy rebates schemes is effective.

Conclusion
The Department administers the rebate schemes using partners to ensure funds are directed towards energy bills as intended. Ongoing support schemes provide assistance to low-income households as intended, but have no measurable objectives or outcome measures and therefore can't be assessed for their effectiveness. Crisis support (EAPA) has a clear objective, to keep households experiencing financial crisis connected to energy services, but the Department does not monitor the performance of EAPA against this objective.  

The structure of rebates providing ongoing support is complex and can be inequitable for some households. Reducing the number of separate schemes and simplifying eligibility requirements offers the most scope for improving effectiveness of ongoing support schemes.  

The growth of embedded networks1 represents a future administrative risk to the Department.

Partnering with energy retailers, charities and NGOs delivers advantages, but stronger oversight is required over partner organisations.

The Department and partner organisations administer the rebate schemes as designed

The Department oversees a complex package of rebate schemes in partnership with 25 retailers and around 340 charities and NGOs. The partnership arrangements ensure that funds are distributed directly to energy bills as intended. The schemes provide support to recipients and are administered in line with government decisions about eligibility.  

Communication about rebates does not reach all eligible households

Households learn about rebate schemes through a mix of communication channels including retailer websites and call centres, Department websites, Centrelink, financial counsellors, EAPA Providers, the Energy and Water Ombudsman and Service NSW. Some low-income groups, such as those with poor English language skills, do not find out about energy rebates.

Scheme objectives are not measurable

Rebate schemes that provide ongoing support do not have measurable objectives or outcome measures. Without clear and measurable objectives, the Department cannot report to government on whether the schemes are achieving the intended policy outcomes, nor recommend improvements to ensure the schemes deliver the greatest benefit to the most financially vulnerable households.

The EAPA crisis support scheme has a clearer objective in that it aims to keep households experiencing financial crisis connected to energy services. However, the Department does not measure outcomes from providing this type of support, and does not know if the crisis support achieves this objective.  

The structure of rebate schemes for ongoing support is complex

The Low Income Household Rebate accounts for 80 per cent of the budget for ongoing support rebates. The remaining 20 per cent of the budget is administered through four separate schemes: Gas Rebate, Medical Energy Rebate, Family Energy Rebate and Life Support Rebate.

Each of these rebates has its own eligibility criteria and some require separate application processes. The Family Energy Rebate is complex to access and apply for, and around one third of households do not reapply each year. Eligible households that receive energy through embedded networks apply directly to the Department for rebates, which are paid by the Department into bank accounts. Embedded networks are energy supply arrangements where the manager of a residential facility such as a caravan park, retirement village or apartment block, buys energy in bulk and then on-sells it to residents. The Department is yet to develop strategies to address a forecast increase in such households.

The design of the rebate schemes creates some inequities

Households in similar circumstances can receive different levels of assistance depending on which adult in the house is the energy account holder, the mix of energy types used in the home, or the EAPA Provider they turn to when in financial crisis.

Households with both gas and electricity connections receive more assistance than those with only electricity. Households in rural and regional areas receive the same value rebate as households closer to Sydney, despite higher distribution charges. Family Energy Rebate is a two-tier payment, with a higher amount available to families with greater means. Lower-income families receive a much smaller Family Energy Rebate on the assumption that they already receive Low Income Household Rebate. Charities and NGOs distributing EAPA crisis support apply inconsistent standards when assessing household need, which leads to inequitable levels of assistance.

Departmental oversight of energy retailers and EAPA Providers is not strong enough

While partnering with energy retailers and EAPA Providers delivers advantages, stronger management is needed to ensure that partners follow Departmental guidelines and to minimise the potential for fraud. The Department's accreditation process for potential EAPA Providers does not consider the applicant's financial governance standards and the most recent audit of EAPA Providers was 2013.

[1] Embedded networks are energy supply arrangements where the manager of a residential facility such as a caravan park, retirement village or apartment block, buys energy in bulk and then on-sells it to residents.

By September 2018, the Department of Planning and Environment should:

  1. Ensure effective strategies are in place to make information about rebates available to all eligible, low-income households
     
  2. Evaluate alternative models and develop advice for government to reduce complexity and improve equity of ongoing rebates
     
  3. Establish measurable objectives for schemes that provide ongoing support, and monitor and measure performance of all schemes against objectives and outcome measures
     
  4. Assess the impacts of the forecast increase in embedded networks and develop strategies to manage any increased administrative risk
     
  5. Strengthen assurance that EAPA is being provided in accordance with its objectives and guidelines by implementing accreditation and compliance programs
     
  6. Ensure those eligible for EAPA financial support are not disadvantaged by inflexible payments, inconsistent provider practices, or inability to access an EAPA provider in a timely manner. Options include:
    • moving from a fixed-value voucher to a flexible payment based on need irrespective of energy type
    • establishing a ‘Provider of Last Resort’ facility for households that cannot access an EAPA Provider.

Appendix one - Response from the Agency

Appendix two - About the audit

 

Parliamentary reference - Report number #292 - released 19 September 2017 

Published

Managing Gifts and Benefits

Planning
Finance
Transport
Environment
Compliance
Fraud
Internal controls and governance
Management and administration

Overall, the audited entities are managing some aspects of gifts and benefits effectively but other aspects require improvement. We found that all five entities had gifts and benefits policies that addressed some but not all of the attributes of a sound policy. All five have communicated their gifts and benefits policies to staff and external stakeholders, although in each case we identified opportunities to better communicate their policies.

 

Parliamentary reference - Report number #228 - released 27 March 2013

Published

Police response to fraud

Justice
Fraud
Information technology
Management and administration
Service delivery
Workforce and capability

This audit was initiated following concerns expressed by the Department of Agriculture about the Police’s handling of a suspected fraud that it had first reported in 1996. The Department’s main concern related to the long delays before a full Police investigation took place.

Nevertheless, the current review highlighted a number of areas that, in the opinion of The Audit Office, require closer examination and resolution by the Police Service in implementing their changes. This report highlights those areas and provides recommendations for the Police to consider in its implementation of its reforms. Key areas requiring attention include: service standards are not clearly defined for the police response to fraud, without which it is difficult to ensure that police objectives and public expectations are met; restrictive employment arrangements which limit management’s ability to obtain the appropriate mix of people with skills to investigate fraud and inadequate information systems to support operational, tactical and strategic decision-making.

 

Parliamentary reference - Report number #53 - released 14 October 1998

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE