What this report is about

In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.

This analysis includes performance audits, compliance audits and the outcomes of financial audits.

Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.

The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.

Audit findings

The analysis of findings and recommendations is structured around four key themes related to effective regulation:

• governance and accountability
• processes and procedures
• data and information management
• support and guidance.

The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.

In this report, we also draw out insights for agencies that provide a public sector stewardship role.

The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.

The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.

Read the PDF report

What this report is about

Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.

DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.

DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.

This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.

Audit findings

TfNSW has not effectively planned the replacement of DRIVES.

It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.

In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.

TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.

TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.

TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.

Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.

Audit recommendations

TfNSW should:

• implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
• ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
• ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
• ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
• develop a clear statement of the future role in whole of government service delivery for the system
• resolve key issues currently faced by the DRIVES replacement program including by:
  • clearly setting out a strategy and design for the replacement
  • preparing a specific business case for replacement.

Read the PDF report

Parliamentary reference - Report number #388 - released 20 February 2024

What this report is about

Results of the Enterprise, Investment and Trade portfolio of financial statement audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued for all completed Enterprise, Investment and Trade portfolio agencies.

An 'other matter' paragraph was included in the Jobs for NSW Fund's 30 June 2022 independent auditor's report to reflect the non-compliance with the Jobs for NSW Act 2015 (the Act). The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Premier's Department, and five ministerial appointments. The board has consisted of two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.

Financial statements were not prepared for the Responsible Gambling Fund, a special deposit account. Financial statements should be prepared unless NSW Treasury releases a Treasurer's Direction under section 7.8 of the GSF Act that will exempt the SDA from financial reporting requirements.

What the key issues were

The number of issues reported to management decreased from 65 in 2021–22 to 44 in 2022–23. Forty-six per cent of issues were repeated from the prior year.

Two high-risk issues were identified across the portfolio. One was a repeat issue where the Jobs for NSW Fund did not comply with legislation. The other high-risk issue was first identified in 2022–23 when the Department for Enterprise, Investment and Trade incorrectly recorded grants that did not meet the requirements of Australian Accounting Standards.

What we recommended

The Department should develop a robust model to ensure it only provides for grants that meet the eligibility criteria.

This report provides Parliament and other users of the Enterprise, Investment and Trade portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Enterprise, Investment and Trade portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Enterprise, Investment and Trade portfolio.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What this report is about

Results of the Regional NSW financial statements audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued on all completed audits in the Regional NSW portfolio agencies.

The number of monetary misstatements identified in our audits increased from 28 in 2021–22 to 30 in 2022–23.

What the key issues were

Effective 1 July 2023, staff employed in the Northern Rivers Reconstruction Corporation Division of the Department of Regional NSW transferred to the NSW Reconstruction Authority Staff Agency.

The Regional NSW portfolio agencies were migrated into a new government wide enterprise resourcing planning system.

The total number of audit management letter findings across the portfolio of agencies decreased from 36 to 23.

A high risk matter was raised for the NSW Food Authority to improve the internal controls in the information technology environment including monitoring and managing privilege user access.

What we recommended

Local Land Services should prioritise completing all mandatory early close procedures.

Portfolio agencies should:

• ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards
• prioritise and address internal control deficiencies identified in audit management letters.

This report provides Parliament and other users of the Regional NSW portfolio of agencies financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW portfolio.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What this report is about

Result of the Customer Service portfolio agencies' financial statement audits for the year ended 30 June 2023.

What we found

Unmodified audit opinions were issued for all completed 30 June 2023 financial statements audits of Customer Service portfolio agencies. Two audits are ongoing.

What the key issues were

The total number of misstatements in the financial statements and findings reported to management decreased compared to the prior year.

For the first time since its establishment in 2015, GovConnect NSW received unqualified audit opinions for business process internal controls and information technology general controls managed by service providers.

The department controls Finance Co Trust (Fin Co), a special purpose trust created as part of its project to replace flammable cladding for eligible residential apartment buildings. Fin Co did not prepare financial statements which is a breach of the Government Sector Finance Act 2018 (GSF Act).

The department's land titling database was overstated by $42.5 million due to errors in the valuation model.

The New South Wales Government Telecommunications Authority corrected a prior period error of $10.2 million overstatement of property, plant and equipment.

A high-risk finding was reported to Service NSW regarding gaps in policies, systems and processes for administering and financial reporting on grant programs.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Customer Service portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service portfolio.

Appendix one – Misstatements in financial statements submitted for audit 

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

• The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
• The need to finalise a Traffic Mitigation Plan for when the network is congested.
• The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
• The need to clarify how encryption and interoperability will work on the enhanced network.
• The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
• Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

• NSW Ambulance
• Fire and Rescue NSW
• NSW Police Force
• NSW Rural Fire Service
• NSW State Emergency Service.¹

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.²

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

• to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
• to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

• it was expressly included in the original approved March 2016 business case
• the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

• funding would be coordinated by the NSW Telco Authority
• scheduling and reporting through an inter-agency working group and
• where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

• decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
• effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
• costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

• $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
• $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

• budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
• the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
• the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #383 - released 23 June 2023

What this report is about

This report draws together the financial impact of natural disasters on agencies integral to the response and impact of natural disasters during 2021–22.

What we found

Over the 2021–22 financial year $1.4 billion from a budget of $1.9 billion was spent by the NSW Government in response to natural disasters.

Total expenses were less than the budget due to underspend in the following areas:

• clean-up assistance, including council grants
• anticipated temporary accommodation support
• payments relating to the Northern Rivers Business Support scheme for small businesses.

Natural disaster events damaged council assets such as roads, bridges, waste collection centres and other facilities used to provide essential services. Additional staff, contractors and experts were engaged to restore and repair damaged assets and minimise disruption to service delivery.

At 30 June 2022, the estimated damage to council infrastructure assets totalled $349 million.

Over the first half of the 2022–23 financial year, councils experienced further damage to infrastructure assets due to natural disasters. NSW Government spending on natural disasters continued with a further $1.1 billion spent over this period.

Thirty-six councils did not identify climate change or natural disaster as a strategic risk despite 22 of these having at least one natural disaster during 2021–22.

Click here for the Easy English version of the report highlights

The Easy English version of the report highlights is intended to meet the needs of some people with lower literacy skills, some people with an intellectual disability, and some people from different cultural backgrounds.

The Easy English document is not the final audit report that has been prepared and tabled in NSW Parliament under s.38EB and s.38EC of the Government Sector Audit Act 1983. It should not be relied on or quoted from as the final audit report.

What this report is about

This audit assessed whether NSW Trustee and Guardian is effectively delivering public guardianship and financial management services in line with legislative requirements and standards.

What we found

NSW Trustee and Guardian is delivering guardianship and financial management services in line with its broad legal authority.

However, NSW Trustee and Guardian does not have sufficient oversight to ensure that its services are consistent with legislative principles which aim to promote positive client outcomes.

The agency's governance and practices could be better supported by relevant training and guidance to account for the diversity of its clients.

It does not track the actual costs of service delivery, the quality of services or client experiences and key findings from previous reviews remain unresolved.

Government funding for public guardianship services and direct financial management services for low-wealth clients has not kept pace with the growth in clients.

There is a risk that some fee-paying clients are unknowingly subsidising others.

NSW Trustee and Guardian has applied additional funding to increase frontline staff, but gaps in monitoring and IT system constraints create a risk that it will not address service quality issues, nor be able to demonstrate the impact of this new funding.

What we recommended

We recommended that NSW Trustee and Guardian:

• Broaden governance arrangements to enable input to key decisions from people with lived experience, relevant peak bodies and representatives of diverse communities.
• Implement mechanisms to seek feedback on the effectiveness and quality of services from clients under orders.
• Assess staff competency and implement regular training in effectively serving clients with disability, dementia, mental illness, cognitive impairments and other factors relevant to decision-making incapacity.
• Implement a risk-based quality framework to assess whether public guardian and financial management decisions are in line with policy and the legislative principles.
• Improve data collection and monitoring to track performance, the costs to serve, and client outcomes and report on these publicly.

NSW Trustee and Guardian is a NSW Government agency in the Stronger Communities cluster. It supports the NSW Trustee and the Public Guardian in the exercise of their statutory functions. It is accountable to the relevant Minister, the Attorney General.

The legislative responsibilities for the Public Guardian and the NSW Trustee are provided in separate statutes (NSW Trustee and Guardian Act 2009 and Guardianship Act 1987). Together, these establish a number of functions and services that NSW Trustee and Guardian as an agency is expected to deliver, including:

• acting as executor and administrator of deceased estates
• acting as a trustee responsible for managing trust property on behalf of another person or organisation in line with the trust terms
• drafting Will, Power of Attorney and Enduring Guardianship instruments, and educating the community about the importance of having these documents in place
• making decisions on behalf of people under guardianship or financial management orders as a guardian or a financial manager 'of last resort', or overseeing and assisting private financial managers.

This audit focuses on the last of these - NSW Trustee and Guardian's financial management and guardianship services.

The NSW Trustee and the Public Guardian are appointed to provide direct financial management and/or guardianship services (respectively) to over 13,300 people (as at 30 June 2022) who are deemed by a court or tribunal unable to manage their own affairs. This involves making decisions for people under a relevant court or tribunal order, within the terms of the order. The court or tribunal order enables the appointed guardian or financial manager to make decisions on behalf of the person for whom the order is made. The legislation allows the financial manager or guardian to exercise all the functions of the person under management has or would have were they not incapable of managing for themselves. From a legal perspective, these 'substitute decisions' have the same effect as if the person had made the decision themselves. While the legal presumption is that a person has capacity to care for themselves and manage their own affairs, a financial manager or guardian can be appointed without the person's consent if the court or tribunal finds the person does not have relevant decision-making capacity.

There can be a range of factors that impact on a person's decision-making capacity, including cognitive impairment, intellectual disability, dementia, mental illness and addiction. Guardianship (of both the person and their estate) developed as a response, through European and English law over hundreds of years. In Australia, it was a function of the Supreme Court of NSW before the establishment of government agencies. What is now known as substitute decision-making can sometimes be referred to as a 'protective' function because:

• it relates to decisions or actions that need to be taken, which the person under an order cannot take because they are incapable of managing their own affairs
• due to this lack of competence, the person may be disadvantaged in the conduct of their affairs (for example, their money or property may be dissipated or lost, they may enter agreements unwisely or they may be at risk of abuse or exploitation)
• substitute decisions must be made in the best interests of the person on whose behalf they are made.

An alternative model is 'supported decision-making'. This refers to processes and approaches that assist people with impaired decision-making capacity to exercise their autonomy and legal capacity by supporting them to make decisions. This approach seeks to give effect to the will and preferences of the person requiring decision-making support wherever possible, including decisions involving risk. There has been a longstanding legal and community push for Australian guardianship and administration systems to move from substituted to supported decision-making. However, the legislation in New South Wales provides for 'best interests' substitute decision-making and this is the framework against which we have audited NSW Trustee and Guardian.

The Public Guardian and the NSW Trustee may be appointed as substitute decision makers by the NSW Civil and Administrative Tribunal (NCAT) and the Supreme Court. The NSW Trustee may also be appointed by the Mental Health Review Tribunal for financial management orders only.¹ They are intended to be appointed as a 'last resort' when there is no one willing or suitable to fill the role, or there is significant family conflict regarding decision-making for the person. The Public Guardian and the NSW Trustee cannot refuse to accept a court or tribunal appointment to administer an order for guardianship or financial management.

Public Guardian decisions cover healthcare, lifestyle, accommodation and/or medical decisions such as where a person should live (for example: at home, in an aged care facility or disability group home), what disability or other support services they receive, who can have access to them (for example: through establishing visiting schedules between conflicting family members) and consent to the use of restrictive practices on the advice of independent experts (for example: seclusion, chemical restraint such as anti-psychotic medication, environmental restraints such as limiting access to knives).

Under a financial management order where the NSW Trustee is appointed as financial manager, the NSW Trustee carries out such functions as securing and collecting assets, income and entitlements, paying expenses, debts and designing budgets, investing financial assets, lodging tax returns and paying maintenance for dependents, taking or defending legal proceedings and managing other financial and legal affairs for the person. This is referred to as direct financial management.

A court or tribunal may appoint a private financial manager, such as a family member, friend, private trustee company or other commercial provider. Where a private manager is appointed, the NSW Trustee provides authorisation and directions to the private manager and oversees their performance. As at 30 June 2022, over 6,200 people had private managers.

As an agency, the majority of NSW Trustee and Guardian's overall revenue is from fees (including for services outside the scope of the audit, such as will preparation) and investments. The remainder is from the NSW Government as funding for non-commercial services including guardianship services and subsidised financial management services for low-wealth clients. Public guardian clients do not pay fees. Financial management clients pay fees, but these are subsidised where the client does not have capacity to pay full fees. NSW Trustee and Guardian is considered a self-funded agency by NSW Treasury definitions.

Demand for financial management and guardianship services, and the complexity of clients' circumstances for these services, has grown over the last decade. In November 2020, NSW Trustee and Guardian advised the Attorney General that it had run an operating deficit in 2019–20 driven by an increase in non/low fee paying customers and an increase in the complexity of matters. NSW Trustee and Guardian advised the Attorney General that government funding was no longer meeting the full cost of guardianship services, and of direct financial management services for people with low balances. NSW Trustee and Guardian's analysis had identified a shortfall in government funding of $8.4 million in 2019–20 that was expected to increase over the forward estimates. A working group was established with officers from NSW Trustee and Guardian, NSW Treasury and the Department of Communities and Justice to advise the government on options for improving the financial sustainability of NSW Trustee and Guardian overall.

NSW Trustee and Guardian subsequently received a funding boost of $41.5 million across four years in the 2021–22 State Budget. NSW Trustee and Guardian applied the majority of the budget enhancement to recruit approximately 120 new roles mostly in financial management and guardianship services.

The objective of this audit was to assess whether NSW Trustee and Guardian is effectively delivering guardianship and financial management services in line with legislative requirements and relevant non-legislative standards. These include a legislative duty to observe certain principles when exercising the relevant legislative functions, including to: give primary consideration to clients’ welfare and interests, restrict their freedom of decision and action as little as possible, take account of their views, and encourage their self-reliance.

The audit was guided by three questions:

• Does NSW Trustee and Guardian align its service delivery with its legislative functions and principles, and relevant standards?
• Does NSW Trustee and Guardian drive and monitor performance to give effect to its legislative functions and principles, and relevant standards?
• Has NSW Trustee and Guardian effectively planned the use of additional funding to improve service delivery and adherence to its legislative functions and principles, and relevant standards?

The audit review period was the five years between 1 July 2017 - 30 June 2022.

Throughout this report:

• 'client' refers to a person who is under a guardianship order and/or whose estate is under financial management, for whom the Public Guardian and/or the NSW Trustee is appointed to act or responsible to oversee their private financial manager
• 'financial management' refers to clients under financial management orders (direct and private financial management) and/or the services provided by NSW Trustee and Guardian to these clients or their private managers
• 'guardianship' refers to clients under guardianship orders where the Public Guardian is appointed, and/or the services provided by the Public Guardian to these clients
• 'frontline staff' refers to the staff responsible for engagement with, and decision-making for, clients and private managers (titled client service officers, senior client service officers and principal client service officers in NSW Trustee and Guardian)
• Aboriginal refers to the First Nations peoples of the land and waters now called Australia and includes Aboriginal and Torres Strait Islander peoples.

NSW Trustee and Guardian has only recently identified measures to track the performance of its financial management and guardianship services

Between 2021 and 2022, NSW Trustee and Guardian developed new divisional key performance indicators which aim to track the quality of services delivered to people under financial management and guardianship orders. These measures are reported quarterly to the organisation's executive leadership team. The divisions have started measuring some of these new performance indicators, but many will require changes to consumer engagement processes and IT legacy systems to collect additional data. At this stage it is unclear when these necessary changes will occur, and when relevant data will begin to be collected and analysed.

Before 2021, NSW Trustee and Guardian measured the performance of some of its financial management and guardianship operational processes. While these operational measures identify whether it is fulfilling some of its legislative functions, they are predominantly activity measures and do not inform on the quality of decision-making for direct financial management or guardianship clients, or on client experiences and outcomes.

Operational performance targets and measures have only recently been developed and used to centrally track the time elapsed between requests for certain decisions and the decisions made or relevant actions taken by relevant frontline staff. Baseline data for these measures show that target timeframes are not close to being met for minor medical decisions for people under guardianship orders, or for first customer payment, and redirection of income for people who are directly financially managed.

NSW Trustee and Guardian has proactively developed a benefits realisation framework to monitor the expected benefits from the additional funding received in 2021–22

NSW Trustee and Guardian has developed a benefits realisation framework to monitor the expected benefits from the additional funding (and other elements of the budget bid including increased fees and business improvements for efficiencies). This is not a requirement imposed by NSW Treasury, but a proactive step taken by NSW Trustee and Guardian to account for the use of the additional funding and to attempt to identify its impacts.

The benefits realisation framework includes interim and preferred measures, which reflect the things that can be tracked with existing data, and those that require new data collection, respectively. The measures are underpinned by separate program logics for direct and private financial management, and guardianship, and an overall investment logic. 'Logics' articulate the inputs, outputs and short/medium/long term outcomes expected from a project, program or investment, as well as the underpinning assumptions about how desired changes will occur (the 'mechanism' or 'theory' of change).

The targets and measures for NSW Trustee and Guardian's benefits realisation framework are the responsibility of the organisational divisions delivering guardianship and financial management services. The baseline data against which change will be measured is 30 June 2021, as the budget enhancement funds were allocated from 1 July 2021. The audit has been provided with baseline data, but not first year results (covering 2021–22) and as such, cannot assess whether any progress has been made towards the targets.

The benefits realisation framework may not provide the information needed to demonstrate the effectiveness of the budget enhancement

A lack of available data and limited measures in the benefits realisation framework may mean NSW Trustee and Guardian will not be able to meaningfully assess the impact of the additional funding.

The 22 measures in the benefits realisation framework across guardianship and financial management functions are predominantly monitoring activity and outputs which seek to track staff caseloads, the number of decisions made, the timeliness of key actions/tasks, and annual consumer engagements.

There is one service quality outcome measure: that customers, family and carers report an improved experience. The metrics for this measure will initially be monitored using the whole-of-government customer satisfaction measurement survey administered by the Department of Customer Service, until such time as other additional sources are developed. The whole-of-government survey is built around six core customer commitments relating to respondents' experiences with government services and staff - that they are: 'easy to access, act with empathy, respect my time, explain what to expect, resolve the situation and engage the community'. It is not clear whether or how the whole-of-government survey targets and engages people with impaired decision-making capacity or accessible communication needs.

Some measures in the NSW Trustee and Guardian benefits realisation framework do not yet have targets set, such as the ratio of the number of clients to the number of guardians or financial managers. Many relate to compliance with internal operational policies.

One interim measure for a direct financial management service indicator is 'increased personalised face-to-face consultations by phone or virtually'. It is intended to be replaced with the preferred measure 'ensure the client’s story is understood by staff and systems by consulting stakeholders and adding to the client’s story in the IT system'. However, the interim measure would better align with the national standards regarding regular and accessible engagement (discussed above).

A lack of availability of key data to track the preferred measures was identified by NSW Trustee and Guardian as an enterprise risk, and issues with existing data collected were identified early on, including that:

• data can be entered into systems inconsistently by staff
• current systems mask some issues – for example, a task can be completed within internal timeframes but not reflect the actual waiting time of consumers
• current systems cater to measuring outputs rather than service quality.

IT system improvements are slated in order to allow data to be collected to inform on preferred measures, but these depend on capital funding that has not yet been secured. At the time of writing, data sources were yet to be identified for three of the 22 measures, and NSW Trustee and Guardian did not have staff trained and available to run and analyse data for the benefits realisation framework.

The mechanisms of change and the underlying assumptions in the program and investment logics are also not clearly articulated in the benefits realisation framework, and nor is the underpinning evidence (such as from earlier reviews, research or pilots, or experiences elsewhere). Identifying and evidencing these would give some confidence that the assumptions are sound and that the mechanisms of change will operate as expected (for example, that a decline in frontline staff caseloads will translate into more time spent on individual matters, and improved service quality).

Given these limitations in measures, data collection and logics, there is a risk that the benefits realisation framework may not provide the performance and impact evidence necessary to assess the effectiveness of the budget enhancement, or to justify further additional funding in the future.

NSW Trustee and Guardian cannot track its financial management and guardianship service performance over time

NSW Trustee and Guardian's operational performance activity measures have changed over the audit review period, which limits NSW Trustee and Guardian’s ability to identify whether it has sustained or improved performance in its guardianship and financial management services over time.

NSW Trustee and Guardian has consistently tracked the number and themes of complaints about financial management and guardianship services, which do provide some insight into service quality and experiences. However, this is an incomplete measure as people under financial management and guardianship orders are a more vulnerable cohort than other NSW Trustee and Guardian customers and may require support to make a complaint. There is also a structural power imbalance between clients and their guardian or financial manager which may dissuade clients and their stakeholders from raising concerns. Therefore, it is not clear whether the numbers and themes in complaints received are representative of broader experiences.

Appendix one – Response

Appendix two – Client characteristics

Appendix three – Easy English, Easy Read and Plain English formats

Appendix four – Financial management fees

Appendix five – NSW Trustee and Guardian Common Funds

Appendix six – About the audit

Appendix seven – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #379 - released 18 May 2023

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

• Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
• Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

• lead
• prepare
• prevent
• detect 
• respond 
• recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

• increase NSW Government cyber resiliency
• help NSW cyber security businesses grow
• enhance cyber security skills and workforce 
• support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

• annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
• that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

• may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
• will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

• there was a sound, evidence-based rationale for why Cyber Security NSW was established
• the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
•  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #374 - released 8 February 2023

What the report is about

The Bushfire Local Economic Recovery (BLER) program was created after the 2019–20 bushfires, and commits $541.8 million to bushfire affected areas in New South Wales. It is co-funded by the Commonwealth and NSW governments.

This audit assessed how effectively the Department of Regional NSW (the department) and Resilience NSW administered rounds one and two of the BLER program. These rounds were:

• Round one: early co-funding, split between two streams:
  • ­Fast-Tracked projects 
  • ­Sector Development Grants (SDG)
• Round two: open round.

What we found

The Department of Regional NSW did not effectively administer the Fast-Tracked stream of the BLER. 

The administration process lacked integrity, given it did not have sufficiently detailed guidelines and the assessment process for projects lacked transparency and consistency. 

At the request of the Deputy Premier's office, a $1 million threshold was applied, below which projects were not approved for funding. The department advises that some of the projects excluded were subsequently funded from other programs. 

This threshold resulted in a number of shortlisted projects in areas highly impacted by the bushfires being excluded, including all shortlisted projects located in Labor Party-held electorates.

The department's administration of the SDG stream had a detailed and transparent assessment process. However, conflicts of interest were not effectively managed. 

The department's administration of the open round included a clearly documented, detailed and transparent assessment framework. Some weaknesses in the approach to conflicts of interest remained.

What we recommended

The Department of Regional NSW should ensure that for all future grant programs it:

1. establishes and follows guidelines that align with relevant good practice guidance 
2. ensures a communications plan is in place, including the communication of guidelines to potential applicants
3. ensures staff declare conflicts of interest prior to the commencement of a grants stream, and that these conflicts of interest are recorded and managed
4. ensures regular monitoring is in place as part of funding deeds 
5. documents all key decisions and approvals in line with record keeping obligations.

This audit assessed how effectively the Department of Regional NSW and Resilience NSW administered rounds one and two of the Bushfire Local Economic Recovery (BLER) program.

As noted in this report, Resilience NSW was involved in the set-up and ongoing administration and monitoring of the BLER program. During the audited period, Resilience NSW was tasked with working with the Department of Regional NSW to create program objectives, guidelines and criteria. Their role also involved liaising with the Commonwealth Government, which provided co-funding for the program. Resilience NSW also had an ongoing role in quality assurance and compliance to ensure agencies administering disaster assistance did so in accordance with relevant guidelines. On 16 December 2022, the NSW Government abolished Resilience NSW.

Our work for this performance audit was completed on 3 November 2022, when we issued the final report to the two audited agencies. The audit report does not make specific recommendations to Resilience NSW. On 24 November 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

During the 2019–20 bushfire season, New South Wales experienced 11,774 fire incidents, burning 5.5 million hectares of the state. There were 26 fatalities and 2,476 homes destroyed. The agriculture sector was heavily impacted with 601,858 hectares of pasture damaged.

Due to the widespread impacts of these fires on the state, the NSW and Commonwealth governments committed $4.4 billion toward bushfire response, recovery, and preparedness. This included the establishment of the Bushfire Local Economic Recovery (BLER) program, with $541.8 million committed to support job retention and creation in areas impacted by bushfires. The program also aims to strengthen community resilience and reduce the impact of future natural disasters. The BLER program is co-funded, with the Commonwealth and NSW governments funding 50% each.

The BLER program is comprised of three funding rounds:

• round one early co-funding, split between
  • Fast-Tracked projects
  • Sector Development Grants (SDG)
• round two: open round
• round three: final projects and initiatives.

Resilience NSW was involved in setting up the BLER program and the Department of Regional NSW (the department) is responsible for administering it. The Commonwealth National Recovery and Resilience Agency must also endorse any projects proposed by the NSW Government for funding as part of the funding agreement between the State and Commonwealth governments.

Successful projects under the SDG stream were announced in September 2020 and projects funded through the Fast-Tracked stream were announced in October 2020. Round two (the open round) was administered after these two streams and successful projects were announced in June 2021.

The Department of Premier and Cabinet established the 'Good Practice Guide to Grants Administration' (the Good Practice Guide) in 2010 to assist the NSW Government in ensuring grants administration was performed consistently across all NSW Government grants programs. Compliance with the Good Practice Guide was not compulsory, but provided an outline of best practice covering the entire lifecycle of a grants program. This guide was in place at the time these grants were designed and administered.

The design and delivery of round one of the program occurred quickly, as part of the response to the 2019–20 bushfires, and was responding to a request from the Commonwealth Government for rapid project identification.

The objective of this audit was to assess how effectively the Department of Regional NSW and Resilience NSW administered rounds one and two of the BLER program. Round three was excluded from this audit because it had not been announced at the time of the audit.

We addressed this objective by examining whether the audited agencies:

• effectively planned administration of the BLER program and established appropriate guidelines
• implemented an effective assessment process for the BLER program
• are effectively monitoring implementation of projects and program outcomes.

1. Recommendations

To promote integrity and transparency, the Department of Regional NSW should ensure that for all future grant programs it:

1. establishes and follows guidelines that align with relevant good practice guidance including accountabilities, key assessment steps and clear assessment criteria
2. ensures a communications plan is in place, including the communication of guidelines to potential applicants
3. ensures staff declare conflicts of interest prior to the commencement of a grants stream, and that these conflicts of interest are recorded and managed
4. ensures regular monitoring is in place as part of funding deeds
5. documents all key decisions and approvals in line with record keeping obligations.

Stage one of the BLER program consisted of early co-funded projects valued at a total of $180 million. This included 22 Fast-Tracked priority projects valued at a total of $107.8 million. The purpose of these projects was to deliver immediate and significant economic impacts to high and moderate bushfire-impacted areas.

A timeline of key dates may be found at Exhibit 5.

Fifty-two projects worth a total of $73.2 million were funded through the SDG stream. One grantee withdrew their project from the stream in early 2021, leaving a total of 51 projects (of which 49 are co-funded with the Commonwealth Government).

A timeline of key dates may be found at Exhibit 9.

The department distributed $283 million to 195 successful projects as part of the open round of the BLER program.

A timeline of key dates may be found at Exhibit 11.

The department entered into funding deeds with successful applicants

The Good Practice Guide advises that the agency administering a grant should enter into a formal agreement with each grant recipient which sets out the arrangements under which a grant is provided, received, managed and acquitted. Across all three streams, the department sent out a letter of offer to successful project managers to let them know that they had been successful in receiving funding, and then entered into funding deeds with grantees. The one exception was the project that RNSW managed, discussed below.

The reviewed funding deeds were signed by department staff with the appropriate level of delegation. They contained an appropriate level of information and key clauses that would allow the department to monitor the progress of the grant to ensure its completion as agreed with the grantee. The reviewed funding deeds contained key information, including:

• total value of the grant
• key deliverables at each milestone
• expected completion date of both the overall project and each milestone
• reporting requirements, including provisions to allow the department to request relevant information
• variation procedures.

The department only makes payments after confirming that milestones have been reached

The department has provided payments to grantees only after they could demonstrate that they had completed the agreed milestone. To ensure each milestone has been completed, the department requires grantees to provide evidence that they have fulfilled the milestone. Types of evidence provided includes photographs and invoices. Where the grantee provides insufficient evidence to the department, the department follows-up with the grantee to ensure that enough information is provided to justify the milestone payment.

The department also plans to undertake site visits of projects at select milestones and at the completion of most projects. The department has undertaken a risk assessment of each SDG and open round project, and uses this risk assessment to determine the number of milestones for the project, as well as the number of site visits that the department will undertake. Fast-Tracked projects all had PWA providing either project management or assurance and as such oversight is being provided through that mechanism. The milestones and site visits at each level of risk can be seen in Exhibit 15 for SDG and Exhibit 16 for open round.

The department does not monitor quarterly progress for SDG grants

As part of the LER framework, the department reports to the Commonwealth every quarter on the status and financials of each project, including whether there are any risks to project delivery and the mitigations in place for those risks. For projects funded through the Fast-Tracked stream and the open round, the department collects quarterly progress reports from the grantees. These progress reports allow the department to determine if there are project risks, which can then be reported to the Commonwealth. The progress reports also allow the department to determine if a milestone is likely to be met within the next quarter or whether a project variation may be needed.

While the department monitors projects funded through the Fast-Tracked stream and the open round on a quarterly basis, there is no quarterly monitoring of progress for projects funded through the SDG stream. The SDG funding deeds do not include a provision to require quarterly reporting to the department. The department only collects progress reports from grantees when the grantee reports that it has completed a milestone. Quarterly monitoring of the SDG stream would allow the department to determine if projects require corrective action.

Resilience NSW is not collecting quarterly reports for the Fast-Tracked grant it is responsible for administering

One of the projects funded through the Fast-Tracked stream was the rebuilding of three local halls across two LGAs, for a total value of $3 million. RNSW is responsible for managing this grant and entered into funding deeds with the relevant councils. It is not documented why RNSW is responsible for these funding deeds rather than the department, which is the signatory for all of the other Fast-Tracked stream funding deeds. RNSW advised it was due to the responsible RNSW Director having a strong working relationship with the relevant councils.

The funding deeds which RNSW signed with the relevant councils set out a requirement that the councils would report on this project to RNSW every quarter. The second milestone of each of these projects involved the submission of a quarterly report. However, RNSW was unable to provide evidence that it carried out this monitoring of the project. At the time of the audit, no second milestone payment had been made. Undertaking quarterly monitoring would provide RNSW with assurance that the money is being expended for the proper purpose and whether the projects will be completed by the target date.

RNSW and the relevant councils developed project control groups for each project, which allows it to monitor the implementation of the projects. PWA is also represented on these project control groups and provides an advisory role in the implementation of the projects.

RNSW and the department advised that responsibility for this project will be transitioned to the department and it will be monitored on a quarterly basis, in line with the other Fast-Tracked projects.

The department has a consistent approach to validating variations

The department's funding deeds with grantees allow for the variation of contracts at the department's discretion after the grantee has written to the department. It is important for the department to consider the impact of any project variation request on the overall program objectives, because a project which costs more than was originally planned or which takes additional time may put at risk the objectives of the BLER program. To ensure that requests for variation are handled consistently and appropriately, the department's Grants Management Office (GMO) has developed a process document which applies to variation requests across the BLER program.

For the grants reviewed as part of this audit, the GMO applied this variation process consistently and has documented the outcomes. Larger variations are reviewed at a higher level of delegation and sign-off. To determine whether a variation is accepted, the GMO considers the following factors:

• consistency with BLER program objectives
• delivery within the timeframes of the BLER program
• eligibility under the BLER program guidelines
• financial viability to deliver within the requested budget.

The department is preparing multiple evaluations, but it has delayed its process evaluation

When developing round one of the BLER program, the department developed an evaluation plan. A total of $1.1 million has been reserved for conducting process, outcome, and economic evaluations of the BLER program and two other bushfire recovery grant programs.

To assist with evaluating program outcomes and economic impact, the department is planning a post-completion survey in 2023–24. This timeline will allow most projects to be completed and enough time for project outcomes to be realised. The department advised that the data collected through this survey would allow the department to determine whether the BLER program has achieved its objectives, as it includes information such as the number of jobs created through each project.

The process evaluation was initially planned for March to June 2021. This would have aligned with the announcement of the open round funding and would have allowed for the learnings from rounds one and two of the BLER program to be applied to the development of round three. However, the department did not conduct this evaluation in a timely way. The department advised that this was because funding deed negotiations were still ongoing, and the department was waiting for 50% of funding deeds to be signed. Given this, the department was not in a position to commence its process evaluation. In December 2021, the department revised its evaluation plan and advised that it commenced its process evaluation in April 2022. It is unlikely that this will allow time for the department to apply learnings to round three, which is currently underway.

Appendix one – Responses from agencies

Appendix two – BLER program distribution

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #373 - released 2 February 2023