What this report is about

In this report, we present findings and recommendations relevant to regulation from selected reports between 2018 and 2024.

This analysis includes performance audits, compliance audits and the outcomes of financial audits.

Effective regulation is necessary to ensure compliance with the law as well as to promote positive social and economic outcomes and minimise risks with certain activities.

The report is a resource for public sector leaders. It provides insights into the challenges and opportunities for more effective regulation.

Audit findings

The analysis of findings and recommendations is structured around four key themes related to effective regulation:

• governance and accountability
• processes and procedures
• data and information management
• support and guidance.

The report draws from this analysis to present insights for agencies to promote effective regulation. It also includes relevant examples from recent audit reports.

In this report, we also draw out insights for agencies that provide a public sector stewardship role.

The report highlights the need for agencies to communicate a clear regulatory approach. It also emphasises the need to have a consistent regulatory approach, supported by robust information about risks and accompanied with timely and proportionate responses.

The report highlights the need to provide relevant support to regulated parties to facilitate compliance and the importance of transparency through reporting of meaningful regulatory information.

Read the PDF report

What this report is about

Results of the Health portfolio of agencies' financial statement audits for the year ended 30 June 2023.

The audit found

Unmodified audit opinions were issued for all Health portfolio agencies' financial statements. 

The number of monetary misstatements increased in 2022–23, driven by key accounting issues, including the first-time recognition of paid parental leave and plant and equipment fair value adjustments. 

The key audit issues were 

NSW Health identified errors regarding the recognition and calculation of long service leave entitlements for employees with ten or more years of service that had periods of part time service in the first ten years, resulting in prior period restatements. 

Comprehensive revaluation of buildings at the Graythwaite Charitable Trust found errors in the previous year's valuation, resulting in prior period restatements. 

New parental leave legislation increased employee liabilities for portfolio agencies. The Ministry of Health corrected the consolidated financial statements to record parental leave liabilities for all agencies within the Health portfolio.   

A repeat high-risk issue relates to processing time records by administrators that have not been reviewed prior to running the pay cycle.   

Thirty per cent of reported issues were repeat issues. 

The audit recommended 

Portfolio agencies should ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards. 

Portfolio agencies should address deficiencies that resulted in qualified reports on:   

• the design and operation of shared service controls
• prudential non-compliance at residential aged care facilities.

This report provides Parliament and other users of the Health portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines observations and insights from our financial statement audits of agencies in the Health portfolio.  

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What this report is about

Results of the Premier and Cabinet portfolio of agencies' financial statement audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued for all Premier and Cabinet portfolio agencies.

What the key issues were

The Administrative Arrangements Orders, effective 1 July 2023, changed the name of the Department of Premier and Cabinet to the Premier's Department and transferred parts of Department of Premier and Cabinet to The Cabinet Office.

The number of monetary misstatements identified in our audits decreased from 15 in 2021–22 to 12 in 2022–23.

The total number of management letter findings across the portfolio of agencies increased from ten in 2021–22 to 20 in 2022–23.

Thirty per cent of all issues were repeat issues. The most common repeat issues related to deficiencies in controls over financial reporting.

What we recommended

Portfolio agencies should:

• ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards
• prioritise and address internal control deficiencies identified in Audit Office management letters.

This report provides Parliament and other users of the Premier and Cabinet portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet portfolio.

Appendix one – Early close procedures

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

• The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
• The need to finalise a Traffic Mitigation Plan for when the network is congested.
• The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
• The need to clarify how encryption and interoperability will work on the enhanced network.
• The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
• Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

• NSW Ambulance
• Fire and Rescue NSW
• NSW Police Force
• NSW Rural Fire Service
• NSW State Emergency Service.¹

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.²

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

• to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
• to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

• it was expressly included in the original approved March 2016 business case
• the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

• funding would be coordinated by the NSW Telco Authority
• scheduling and reporting through an inter-agency working group and
• where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

• decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
• effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
• costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

• $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
• $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

• budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
• the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
• the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #383 - released 23 June 2023

What the report is about

Result of Health cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for the financial statements for all Health cluster agencies.

The COVID-19 pandemic continued to increase the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2021–22 was $353.3 million, of which $186.7 million related to an increase in the impairment provision for Rapid Antigen Tests (RATs).

A qualified audit opinion was issued on the Annual Prudential Compliance Statement related to five residential aged care facilities. There were 20 instances (19 in 2020–21) of non-compliance with the prudential responsibilities within the Aged Care Act 1997.

What the key issues were

The total number of matters we reported to management across the cluster decreased from 116 in 2020–21 to 67 in 2021–22. Of the 67 issues raised, four were high risk (three in 2020-21) and 37 were moderate risk (57 in 2020–21). Nearly half of all control deficiencies reported in 2021–22 were repeat issues.

Three unresolved high-risk issues were:

• COVID-19 inventories impairment – we continued to identify issues relating to management’s impairment model which relies on anticipated future consumption patterns. RATs had not been assessed for impairment.

• Asset capitalisation threshold – management has not reviewed the appropriateness of the asset capitalisation threshold since 2006.

• Forced-finalisation of HealthRoster time records – we continued to observe unapproved rosters being finalised by system administrators so payroll can be processed on time. 2.6 million time records were processed in this way in 2021–22.

What we recommended

• COVID-19 inventories impairment – ensure consumption patterns are supported by relevant data and plans.

• Assets capitalisation threshold – undertake further review of the appropriateness of applying a $10,000 threshold before capitalising expenditure on property, plant and equipment.

• Forced-finalisation of HealthRoster time records – develop a methodology to quantify the potential monetary value of unapproved rosters being finalised.

This report provides Parliament and other users of Health cluster (the cluster) agencies' financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting

• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Result of the Premier and Cabinet cluster financial statement audits for the year ended 30 June 2022. 

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The machinery of government changes within the Premier and Cabinet cluster resulted in the transfer of net assets of $1 billion from the Department of Premier and Cabinet.

The Department of Premier and Cabinet, Public Service Commission and Parliamentary Counsel's Office accepted changes to their office leasing arrangements managed by Property NSW. These changes resulted in the collective de-recognition of $167.3 million of right-of-use assets, $225.1 million in lease liabilities and recognition of $47.8 million of other gains/losses. 

What the key issues were

The number of issues we reported to management decreased. 

Forty per cent of issues were repeated from the prior year.

Four moderate risk issues were reported in the management letters for Department of Premier and Cabinet and New South Wales Electoral Commission. Three out of the four moderate risk issues were repeat issues. 

The repeat issues related to internal control deficiencies in agencies' including lack of updated procurement policies and procedures and information technology general controls.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Early close procedures

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

• Integrity and transparency
• Performance and monitoring
• Governance and oversight
• Cyber security and data
• System planning for disruption
• Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

• Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
• Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
• Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Health cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Health cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Health cluster (the cluster) agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for the financial statements of all Health cluster agencies.

The COVID-19 pandemic increased the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2020–21 was $250.2 million, of which $226.0 million were pandemic related.

A qualified audit opinion was issued on the Annual Prudential Compliance Statement. The basis of the qualification related to 19 instances (18 in 2018–19) of non-compliance relating to three of the 20 prudential requirements across five aged care facilities.

What the key issues were

The total number of matters we reported to management across the cluster increased from 112 in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high risk (one in 2019–20) and 57 were moderate risk (47 in 2019–20). Nearly one half of the issues were repeat issues.

The three new high-risk issues identified were:

Hotel Quarantine (HQ) fees

The absence of a tailored debt recovery strategy, data integrity issues and uncertainties around future HQ arrangements increased risks around the recoverability of HQ fees from travellers.

COVID-19 inventories

Data errors and anomalies in the impairment model and difficulties forecasting key factors impacting the management of Personal Protective Equipment (PPE) increased uncertainty associated with the valuation and impairment of COVID-19 inventories.

COVID-19 vaccines

The Commonwealth did not provide information about the cost of vaccines provided to NSW free of charge, which required the performance of internal valuations to reflect the consumption of vaccines in the financial statements.

What we recommended

Hotel Quarantine (HQ) fees

Develop a tailored assessment methodology to estimate recoverability of HQ fees and work with Revenue NSW to develop a tailored debt recovery strategy.

COVID-19 inventories

Review the current stocktaking and impairment methodology to incorporate validation of data key to the management of COVID-19 related PPE.

COVID-19 vaccines

Work with the Commonwealth to obtain primary price information on COVID-19 vaccines.

This report provides Parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making. This chapter outlines our observations and insights from our financial statement audits of agencies in the Health cluster.

Findings reported to management

The number of findings reported to management has increased, with 47.4 per cent of all issues being repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of cluster agencies. The Audit Office does this through our management letters, which include observations, implications, recommendations and risk ratings.

In 2020–21, there were 116 findings raised across the cluster (112 in 2019–20). 47.4 per cent of all issues were repeat issues (38.4 per cent in 2019–20).

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

Complexities arising from the COVID-19 response

The 2020–21 audit identified three new high-risk findings

COVID-19 has presented the cluster with several new accounting challenges. New and evolving matters arose from changes to operating conditions, which characterised the 2020–21 financial reporting period. Issues with a high degree of estimation uncertainty will require ongoing attention as the strategies employed to deal with the COVID-19 pandemic evolve.

Expected rate of recovery of outstanding Hotel Quarantine invoices

The estimation of the amount likely to be recovered is complicated not only by the uncertainties that exist regarding the assumptions those estimations rely upon, but also the debt collection processes and strategies put into place to manage the accumulated debtors' balance. Debt collection is not administered by the cluster, but rather Revenue NSW. We observed an absence of a methodology to assess the likelihood of recovery. Instead, Sydney Local Health District was relying on Revenue NSW to develop and execute on a collection strategy. Sydney Local Health District was using the same approach to hotel quarantine debts as it did to other Health receivables. As the approach to managing international borders evolves over time, so too will the cluster's need to develop robust estimation models to assess the likely collectability of debtors. 

Procurement, management and impairment of COVID-19 inventories

$656.2 million of COVID-19 inventories were procured in 2020–21, with $220.2 million consumed; $558.7 million impaired and a further $217.1 million written off. Estimates of the degree to which inventories are expired, not fit for purpose or are faulty is often based on management judgement at all stages in the procurement cycle.

With respect to the stocktaking methodology applied, the following issues were identified:

• discrepancies noted in the stock bin listing provided for audit
• discrepancies in the recount sheet generated
• inconsistent application of the stocktake methodology
• inconsistent labelling of quarantined stock
• a lack of an approach for validating stock expiry dates, which is a key input to the impairment calculations.

Although management had developed processes and a methodology to count as well as to assess the level of inventory that was not fit for purpose, ongoing attention to the operating environment that emerges post pandemic will be important in assessing the degree to which existing COVID-19 inventories can be integrated into a ‘business as usual’ model going forward. Further refinement of the key elements of the stocktaking methodology will also be required to ensure that key inputs upon which management relies to calculate the year-end inventory impairment provision can be appropriately validated.

Valuation and recognition of COVID-19 vaccines received from the Commonwealth Government

The 2020–21 financial reporting period saw the Commonwealth acquire COVID-19 vaccines and provide these to state jurisdictions to dispense to their communities. The vaccines, although provided free of charge require recognition. However, Health entities were not responsible for acquiring the vaccines and data on the vaccines' cost was not shared by the Commonwealth. Management undertook a valuation using publicly available data to estimate the value to attribute to the vaccine inventory; developed new systems and leveraged existing pharmacy systems to track physical quantities received from the Commonwealth and ultimately distributed to NSW citizens. As the response to the pandemic evolves, larger quantities, and new lines of vaccine stock will be dealt with, and policy settings will need to adapt when patterns of distribution of those vaccines (e.g., timing of third booster shots) emerge. The Ministry of Health will need to ensure that the valuations applied to the prices of inventory distributed and held in stock are as accurate as possible. This can be done through further refinement of the existing valuation methodology, obtaining price information from the Commonwealth and engaging specialist pharmaceutical valuers.

Emerging trends

Recognition of provisions without sufficient support

Several NSW Health entities raised accruals and provisions in 2020–21, which did not have an appropriate basis for recognition. Liabilities can only be recognised where there is a present obligation to make a payment arising from a past event. A number of these errors remain uncorrected in the financial statements of those entities as they are not material, individually or in aggregate to the financial statements as a whole. Increased training and guidance are required to ensure that treatment within the cluster is consistent and reflects events that have occurred and give rise to obligations.

Treatment of Commonwealth funding

In the 2020–21 and 2019–20 financial reporting periods, we observed prior period errors arising from the treatment of Commonwealth funding. These errors related to recognising revenue under funding agreements entered into with the Commonwealth in the incorrect period. The conditions of these funding arrangements, the transactional information requiring validation and the circumstances when revenue should be recognised are not always clear and can be complex. Early and continuous engagement with the Commonwealth is required to ensure that revenue recognition principles are consistently applied across the cluster.

Key repeat issues

Management of excessive annual leave

NSW Treasury guidelines stipulate annual leave balances exceeding 30 days are considered excess annual leave balances. Managing excess annual leave balances has been reported as an issue for the cluster for more than five years, with the average percentage of employees with excessive leave balances over the last five years being 36.1 per cent (35.5 per cent over five years covering 2015–16 to 2019–20).

The operational demands required to manage the COVID-19 pandemic have presented new challenges for the cluster in trying to manage its excessive leave balances. 39.2 per cent of employees now have excess leave balances at 30 June 2021 (35.4 per cent at 30 June 2020).

The state's leave policy C2020-12 Managing Accrued Recreation Leave Balances requires agencies to manage excessive leave balances to 30 days or less to maintain their workforces physical and mental health.

Accurate time recording

Forced-finalisation of time records by system administrators within HealthRoster remains an issue and we continue to observe time records forced-finalised by system administrators so pay runs can be finalised on a timely basis. During 2020–21, a total of two million (2.2 million in 2019–20) time records were force approved, which represents 5.7 per cent of total time records (6.9 per cent in 2019–20).

Existence, completeness and accuracy of key agreements

Delivery of major capital projects

Health Infrastructure (a division of the Health Administration Corporation) is responsible for the delivery of major capital projects with a budgeted spend of more than $10.0 million. Health Infrastructure oversee the planning, design, procurement, and construction phases. Capital works in progress are recognised in the financial statements of the health entity that intends to use those assets upon completion. The health entities recognise both the capital work in progress and the revenue associated with the capital funding from the Ministry for the construction of the assets. Capital funding is currently agreed with health entities as part of the annual Service Agreement. The assumption that the health entities control the assets during their construction is consistent with Health Infrastructure's role as an agent for the health entity and the Ministry's policy directive PD2020-033 'Management and control of Health Administration Corporation owned Real Property'.

We continued to observe a lack of clarity regarding agreements between Health Infrastructure, the Ministry and the cluster agency that will eventually receive the completed asset. This can lead to confusion and uncertainty around the rights and obligations of each party to the transaction.

Cross border patient funding arrangements

When patients require medical care in a jurisdiction where they are not generally domiciled, there are arrangements in place to provide funding to support cross border patient treatments. We have previously observed that agreements between NSW and other jurisdictions have not been finalised, and this continues to be the case. In the case of Victoria, no agreement has been finalised for the past seven years.

We continue to note that the cluster has long outstanding receivables and payables with other states. The absence of formal agreements between the states hampers the settlement of the debts relating to the treatment of cross border patients. The following table shows the status of Cross Border Agreements between NSW and other jurisdictions:

Albury Base Hospital

Albury Base hospital is located on the border of NSW and Victoria and services residents of both states. Documentation supporting the extension of the expired Intergovernmental Agreement 2009–2017 between NSW and Victoria in relation to the integration of health services in Wodonga and Albury could not be located.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining NSW Health’s management of health and safety risks to nurses and junior doctors in high demand hospital wards over the past five years, including during the first six months of the 2020 COVID-19 health emergency.

The Auditor-General found that while NSW Health effectively managed most incidents and risks to the physical health and safety of hospital staff during ‘business as usual’ activities, systems and resources are not fully effective to manage staff psychological and wellbeing risks, particularly for nurses.

The Auditor-General found that NSW Health was effective in managing most COVID-19 health and safety risks to hospital staff. Overall effectiveness could have been improved had pandemic preparedness training been delivered across all Local Health Districts. Additionally, state-wide communication systems could have been improved to provide hospital clinicians with access to a ‘single source of truth’ with the latest advice from NSW Health authorities.

NSW Health’s planning and preparation for the supply of Personal Protective Equipment (PPE) was partially effective. At various times, some PPE items could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from usual items, and in some hospitals, substituted masks were used without being locally fit tested by hospital staff.

The Auditor-General made seven recommendations aimed at enhancing hospital health and safety risk reporting practices, along with a recommendation that NSW Health conduct a post pandemic 'lessons learned' review and make policy and operational recommendations for future pandemic responses.

Over the past decade, there have been increases in the numbers of health and safety incidents affecting nurses and junior doctors in NSW hospitals. These increases have been associated with higher numbers of patients with acute mental health conditions, age-related cognitive impairments, and patients presenting in emergency departments under the influence of drugs and alcohol.  

This audit commenced in August 2019, with a focus on the health, safety and wellbeing of nurses and junior doctors in high demand hospital wards. Our audit focused on emergency departments, mental health wards and aged care wards during 'business as usual’ periods of hospital operations. 

In the early months of 2020, the novel coronavirus (COVID-19) brought new health and safety risks to hospital staff. These risks included the potential for infection amongst health workers, increased staff workloads, and impacts on staff wellbeing.  

In May 2020, we expanded the focus of the audit to assess the effectiveness of NSW Health’s management of the health and safety risks to staff during the COVID-19 health emergency. We assessed the impacts on emergency departments and intensive care units, as these were the wards where staff were most likely to come into contact with COVID-19.  

The Audit Office acknowledges the ongoing health and safety challenges that the pandemic has brought to NSW Health staff – in particular to hospital clinicians and the managers who support them.  

This audit assessed the effectiveness of NSW Health’s:

• systems, forums and workplace cultures to support reporting and generate data about risk
• initiatives to support safe workplaces and effectively respond to health and safety incidents
• actions to continuously improve staff health, safety and wellbeing in hospital environments.

The first three chapters of this report describe the effectiveness of NSW Health’s ‘business as usual’ health and safety risk management. The fourth and fifth chapters describe the effectiveness of NSW Health’s health and safety risk management during the COVID-19 pandemic.  

1. Audit recommendations

By December 2021, NSW Health should:

1. Evaluate the effectiveness of the new incident management system to enable full reporting of health and safety incidents and risks in all hospital wards, including those where incidents and risks are common, and monitor for consistency of reporting over time
2. Expand the categories of hospital incident data reported to Ministry executives in the Work Health and Safety Dashboard reports, including by linking injury data to incident types by hospital ward category, and monitor in conjunction with Local Health Districts for emerging trends and improvement over time
3. Ensure that nurses and junior doctors have regular opportunities to report on risks to their psychological health and wellbeing, and that system managers have access to aggregate data to guide responses to mitigate these risks
4. Develop and implement an evidence-based guiding framework and strategy to support hospital staff in the aftermath of traumatic or unexpected workplace incidents, and monitor implementation
5. At regular intervals, publicly report aggregate Root Cause Analysis data detailing the hospital system factors that contribute to clinical incidents
6. Develop and implement a systemwide platform for sharing research and information about hospital health and safety initiatives across the health system
7. Conduct a post-pandemic 'lessons learned' review focusing on the effectiveness of key strategies deployed in the management of the COVID-19 pandemic and make policy and operational recommendations for future pandemic responses. In particular, ensure:
   • regular scenario-based pandemic training for hospital staff
   • updated policies and protocols for hospital infection controls
   • capability to upscale authoritative communication with frontline health workers at the earliest notification of a health emergency and for the duration of the emergency
   • systems and safeguards to ensure the supply and availability of clinically appropriate personal protective equipment (PPE) during all phases of a pandemic.

Local Health Districts were effective in leading health and safety infection control activity

According the NSW Health Influenza Pandemic Plan (Pandemic Plan), the Chief Executives of Local Health Districts have ultimate responsibility for public health unit preparations during health emergencies. If necessary, they can ‘draw on the support of the State Pandemic Management Team and local emergency management resources’.

During the preparations and early response phases to the COVID-19 pandemic, Local Health Districts were at the forefront of most NSW hospital activity. They took the lead role in developing hospital infection control protocols and guidance about the appropriate uses of Personal Protective Equipment (PPE). Each Local Health District established its own responses to the health emergency, based on the best clinical advice available to them. The localised approach meant that there were some minor differences in infection control practices across the NSW health system.

Throughout February and March 2020, there was limited centralised policy or guidance from the Ministry and its Pillar Health agencies about COVID-19 infection control practices. It was not possible to mandate practices at a time when information about the virus was evolving. Clinical responses were changing as more became known about COVID-19, especially about its patterns of transmission and its impacts on people with the disease.

During February and March 2020, Local Health District executives communicated with hospital staff via a range of methods. Some sent daily e-memos with the latest updates. Some scheduled more regular meetings with hospital clinicians. Some Districts set up extensive staff training sessions and information briefings to keep all personnel updated with the latest advice. Physical distancing made it difficult to bring staff together in large groups, so a range of communications measures were implemented.

Clinical staff also utilised their clinical training and expertise to prepare their wards and train frontline staff in infection control procedures. Some sourced information from national and international colleagues to add to localised knowledge of the virus.

When the first evidence of COVID-19 community transmission was identified in the Northern Sydney Local Health District, hospital staff followed infection control protocols that were based on local guidance and information. With the support from the District executive team and infectious diseases experts, hospital clinicians set up their own infection control protocols and PPE protections. Within a week the District had produced a matrix to guide staff in the uses of PPE during COVID-19 procedures, and had circulated the guidance to all hospital clinicians.

At the end of March 2020, a version of the Northern Sydney PPE matrix was published on the Clinical Excellence Commission’s website and it has now become NSW Health’s standard guideline for PPE during COVID-19 procedures. Once this guideline was published centrally, infection control practices were standardised across NSW hospitals.

This form of District-led policy making is not ‘business as usual’ practice for NSW Health. Policy making processes were somewhat reversed during the early response phases to COVID-19. This flexible policy approach supports the governance arrangements described in the Pandemic Plan, which assigns responsibility for ‘supporting and maintaining quality care across health services and implementing infection control measures as appropriate’ to Local Health Districts.

In non-health emergency situations, clinical policy and protocols are usually initiated and developed by the Ministry and the Clinical Excellence Commission and are subsequently shared across the health system after a quality control process. The localised approach adopted in the months from February to March 2020, allowed for rapid and flexible responses to changing information – to protect the health and safety of the hospital workforce and the wider community.

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Local Health Districts are responsible for training hospital staff in preparation for public health emergencies. NSW’s policy describing Public Health Emergency Response Preparedness Minimum Standards requires that clinical staff participate in at least one annual emergency training exercise if they hold a position where they are likely to be called upon in an emergency. Staff must participate in an actual response exercise or a relevant training session. The training must also include re-familiarisation with PPE.

Available evidence about emergency response training in NSW indicates that at least two Local Health Districts have delivered pandemic focussed training in the past decade. Our interviews with managers of emergency departments and intensive care units indicates that most other Districts have focused their emergency training on mass patient trauma incidents such as plane crashes, train crashes and terrorist attacks. While the potential for these types of mass trauma events is real, and warrants training and preparation, significant global outbreaks of diseases have also had potential to threaten NSW communities. In previous decades, global health communities have been at risk of diseases such as the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

In the two Districts where pandemic training was provided in NSW, staff participated in community influenza vaccination exercises. These were focused on upskilling staff to follow emergency command structures, manage high volume patient flows, and organise sanitisation logistics during a hospital-based training exercise.

Our interviews with nurse managers in emergency departments and intensive care units indicate that in the majority of other Local Health Districts, key personnel were unaware of the NSW Pandemic Plan. Interviewed staff also reported insufficient scenario-based training in pandemic responses over the last ten years.

The Ministry, the Clinical Excellence Commission and the Health Education and Training Institute (HETI) are responsible for online training and 'state-wide strategies and resources to maintain high levels of compliance with infection control and patient safety recommendations'. The HETI website contains online training modules in infection control and PPE donning and doffing procedures. Other infection control information and research is available on the websites of the Clinical Excellence Commission and the Agency for Clinical Innovation.

Online training modules are effective for upskilling staff in a range of skills, but are not a substitute for real-time, rapid incident response training. Face-to-face training provides opportunities for first responders to test procedures in hospital environments. Incident response training provides opportunities for staff to assess their levels of compliance with protocols and their competence with equipment in scenario situations. It is the responsibility of Local Health Districts to provide this form of training to the health staff in their District.

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry had not updated two policies that had the potential to assist emergency departments and intensive care units in aspects of their ward preparation for the COVID-19 pandemic. Both policies were on the NSW Health website, but neither were shared with hospital staff in the planning phases for the pandemic. Both policies are out of date and have not been revised within required timeframes.

The 2010 Influenza Pandemic - Providing Critical Care policy was due for review in May 2015 and was not updated at the time of the COVID-19 health emergency. Similarly, the 2007 policy Hospital Response to Pandemic Influenza Part 1: Emergency Department Response was due for review in June 2012 and has not been updated.

These policies were designed to assist clinical staff to make necessary ward arrangements for infection control. They set out the steps for rapid identification of contingent workforces, isolation procedures, and management of patient flows to separate those with suspected infection from other patient cohorts. They were a potential addendum to the NSW Pandemic Plan which describes the command and control responsibilities of health agencies in health emergencies.

Our interviews with nurse managers from emergency departments and intensive care units indicate that in the absence of pandemic policy, they sought clinical guidance from external sources and Local Health District experts. Interviewees told us that a lack of policy guidance about ward arrangements and infection control practices in a pandemic increased their workloads and hours of overtime in the early response phases to COVID-19. With the support of Local Health Districts, clinical staff made rapid adjustments in order to respond to changing testing requirements and ward arrangements.

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

NSW Health’s governance and communication arrangements during a pandemic are set out in the Pandemic Plan. The Plan requires that government agencies ‘commence enhanced arrangements, establish communications measures’ and confirm ‘governance arrangements’ when there is evidence of person to person transmission during an influenza outbreak. NSW Health received the first notifications of the novel coronavirus risks in January 2020.

During the preparation and early response phases to COVID-19, the Ministry and its central agencies were slow in establishing a single, authoritative channel through which to communicate consistent messages to frontline staff. Clinical staff required up-to-date information about COVID-19 testing criteria as requirements were changing rapidly, sometimes daily. While there was no expectation for fixed policy at this time, hospital staff required the latest instructions about treatment requirements, and updates on the numbers of COVID-19 infections in their region.

As information about COVID-19 was evolving, information was communicated across the health system via ‘multiple channels and sources’. While the Ministry and its central agencies communicated extensively with Local Health Districts during March 2020, hospital staff reported to us that they weren’t always sure where they could find the latest advice about testing protocols or infection controls.

Frontline staff told audit office staff that they were checking multiple sources and time-stamping advice to ensure they had the most up to date information on a daily basis. While some Local Health Districts managed clear communication links with frontline staff, nurse managers told us that communication was ‘chaotic’ during the early phases of pandemic preparation. Key personnel were not always available outside business hours and nurse managers advise that they spent hours at the end of shifts, seeking and printing the latest advice for weekend and night shift personnel. By the end of March 2020, the Ministry and the Clinical Excellence Commission websites became better organised to communicate with frontline clinicians.

A recommendation to the Ministry of Health after H1N1 swine flu could be equally applied in the COVID-19 context. The NSW Government’s report: Key Recommendations on Pandemic (H1N1) 2009 Influenza recommended the establishment of ‘clear pathways of communication … so that all employees have confidence in where their information will come from and who they should approach if they need additional information.’

NSW Health acknowledges the challenges and the lessons from the early phases of the COVID-19 pandemic. For example, a strategy released in August 2020, sets out NSW Health’s own recommendation for the future management of PPE including: ‘Aligning a single source of truth for PPE education and evidence-based guidance to ensure clarity of information on appropriate use, supported by an influential network of Infection Prevention and Control (IPC) practitioners at the forefront.

Ministry executives advise that communication with health staff has improved since the early phases of the pandemic. The Ministry now sends weekly COVID-19 updates to over 130,000 health staff via email. In addition, NSW Health now has two COVID-19 tabs on its website with current information, including COVID-19 testing advice. According to Ministry executives, these communication channels could be used or replicated if needed for future health emergencies. The Ministry also provides health information and updates via a phone application called Med App. This App is preferred by doctors and is less likely to be used by nurses. As at October 2020, there are 13,000 users of Med App. Push notifications can be made on Med App through SMS alerts.

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

Since the emergence of COVID-19 in Australia, all clinicians in NSW hospitals have had access to some form of PPE for their clinical requirements. If staff did not have appropriate equipment for each COVID-19 related procedure, they were guided by the formal advice issued to the NSW Health workforce on 11 March 2020 stating that: ‘The safety of NSW Health staff is a priority at all times, especially during COVID-19. Where safe working practices confirm specific PPE (e.g. face shields/masks or other equipment) are required for the protection of staff due to COVID-19, in all circumstances:

• staff are to wear prescribed PPE as instructed
• staff are not to undertake or be required to undertake tasks requiring PPE if the PPE is not available for use. Any such tasks are not to proceed until required PPE is available
• any staff member who is concerned about their safety must raise their concerns immediately to their manager.’

At periods during March and April 2020, some PPE items were not available in the required sizes or the regular brands to which staff were accustomed. HealthShare NSW was not able to source PPE from usual suppliers. HealthShare NSW sourced PPE including N95 masks from non-traditional suppliers. Some PPE items differed in shape and size from the usual hospital equipment. While senior executives from HealthShare NSW advise that all products were approved by the Therapeutic Goods Administration (TGA), in some hospitals, nurse managers advise that staff were not able to ‘fit test’ substituted masks. Fit testing determines the type and the size of the respirator mask that achieves an adequate seal on an individual’s face.

In March and April 2020, ‘duck bill’ (N95) masks were not available in some hospitals. According to stock managers and clinical managers in Local Health Districts, duck bills are the preferred mask for staff with smaller faces, particularly female staff members. The duck bill mask is a standard PPE product, and as such, is fit tested during mandatory PPE training. During the early response phases to COVID-19, most Local Health Districts were provided with substitute N95 masks. Fit testing of the substituted N95 masks was not able to be conducted in all NSW hospitals during the early phases of COVID-19. During the first wave of COVID-19 in March and April 2020, hospital staff told audit staff that there was no time and a lack of equipment to appropriately fit test substituted N95 masks.

Nurse managers in emergency departments advise that in some instances, staff made adaptations to PPE to improve protections, such as doubling masks, adding elastics or bringing their own equipment. These adaptations were not consistent with guidelines. Nurse managers advise that in some cases, adaptations to PPE or ill-fitting masks created pressure sores and contact dermatitis. Just over half of the stock managers of Local Health Districts advised that PPE stock was procured from outside the HealthShare NSW system. Stock managers in some Districts advise that facial shields and goggles sourced from non-traditional suppliers by HealthShare NSW were of a lesser quality than standard equipment. Stock managers and nurse managers reported that the changes in PPE products caused confusion and stress amongst staff.

Local Health Districts were proactive in assisting hospital staff to mitigate risks of COVID-19 infections. Some Local Health Districts assigned ‘tiger teams’ to assist staff with their PPE practices. Tiger teams provide clinical expertise and advice to staff, answer questions about infection control and provide training on PPE practice in hospital ward environments. They assist and support PPE donning and doffing practices to ensure the appropriate sequencing of applying and removing PPE for effective infection control. They provide mask fit checking guidance to assist staff in correct PPE practices.

Districts ran extensive refresher PPE training sessions for clinical staff. Some hospitals ran regular PPE demonstrations so that staff could observe correct PPE procedures at set times during the day. These activities assisted staff to implement appropriate infection control in the period before the Clinical Excellence Commission’s web-based materials and videos became available in late March and early April 2020. These online resources now provide comprehensive guidance to hospital staff in PPE practices.

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

The NSW Pandemic Plan describes the responsibilities of the Ministry and its central agencies to manage and maintain the State Medical Stockpile of essential PPE supplies and antiviral medications. During a pandemic, HealthShare NSW has responsibility for warehousing, monitoring and distributing health supplies to the health workforce.

Due to a reported global shortage of PPE and limits to the NSW stockpile, HealthShare NSW placed limits on the provision of approximately 100 high-demand items to NSW hospitals. HealthShare NSW advise that the PPE order capping ceilings were implemented ‘to ensure local stockpiling does not occur’. A centralised ordering process was established with Local Health Districts so that PPE product ordering occurred through single hospital locations (214 across the State), rather than at the ward level. Escalation processes were established to allow Districts to request one-off increases to supply, and a process was set up to permanently increase the order cap limit for any PPE item by facility.

According to HealthShare NSW, ‘as incoming central supply has improved, order caps have subsequently increased in line with strong engagement and governance with the Local Health Districts to ensure the appropriate levels of supply are provided’. The original capped levels were determined by assessing PPE usage in wards during the flu season of 2019. As the flu season case numbers of 2019 were relatively low, some Local Health District managers advised that the levels of PPE during 2019 were not comparable to the level of PPE required for the COVID-19 pandemic.

After advocacy from hospital stock managers and clinicians, HealthShare NSW increased capped PPE levels in many Local Health Districts.

Executive members of the State Health Emergency Operations Centre (SHEOC) advise that its PPE supply strategy needs to be carefully developed as there are vast differences in PPE usage rates during 'business as usual' periods and pandemic periods. If NSW Health kept the level of PPE required in planning for a worst-case scenario, this would equate to an extensive surplus of PPE that could not be utilised during business as usual periods. The SHEOC Executive advise that it is not feasible or economical to store this level of PPE. They advise that given the costs of PPE, and the fact that the products have a shelf life, a diversified supply line is a more reliable method for ensuring PPE during surge and non-surge periods.

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

Early projections of patient numbers requiring acute care for COVID-19, were at levels that would not have been manageable with the equipment and resources of NSW hospitals. Throughout March through to May 2020, government data modelling indicated significant surges of community infections and surges in intensive care patients.

Early estimates were based on overseas trends, and if actual cases had matched projections, NSW hospitals would not have had sufficient ventilators to meet demand. The knowledge of this shortfall caused high levels of anxiety among nursing and medical staff.

While the data was based on the best available information, it had negative implications for the health and safety of the nurse and junior doctor workforce. Managers of intensive care wards and emergency departments reported stress amongst the workforce. Staff concerns were primarily about being faced with ‘the unmanageable’, along with heightened fears about contracting the virus with the knowledge that there was insufficient equipment to treat acute patients.

As it transpired, overall numbers of COVID-19 infections were lower than projected during the early months of the pandemic. The lower infection rates in the general population have meant fewer instances of patients requiring intensive care in NSW hospitals. In addition, HealthShare NSW has been able to increase the numbers of ventilators in NSW hospitals to prepare for future surges in patients requiring acute respiratory care.

SHEOC Executive advise that NSW Health undertook an accelerated procurement strategy in early 2020 to increase its stock of ventilators, and that ventilator capacity has always far-exceeded actual requirements.

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

In August 2020, NSW Health released a strategy that sets out its future management and planning approaches to the provision of PPE for the NSW Health workforce. NSW Health’s Personal Protective Equipment (PPE) Strategy describes the learnings and challenges during the COVID-19 pandemic in sourcing and distributing PPE. It sets out the systems and methods for distributing PPE to staff and patients and focuses on how staff are kept informed on the appropriate use of PPE at all times. A supporting communications strategy has been developed to support its implementation.

The strategy contains enhanced transparency measures to regularly inform staff about PPE stock levels and to provide data about PPE usage rates by item types in wards in NSW hospitals. The NSW Health PPE strategy describes a changed approach to ordering, storing and allocating PPE. This includes diversifying the supply lines for PPE products to increase supply options in circumstances where supply lines become disrupted. It includes a centralised system for coordinating the supply of hospital PPE through Local Heath District coordination points and centralised distribution points in large hospitals.

Our interviews with hospital PPE stock managers and nurse managers indicate that staff find the new ordering system to be an improvement upon the previous stock ordering method.

According to the Personal Protective Equipment (PPE) Strategy, NSW health is upgrading its models for monitoring and benchmarking PPE usage across the health system. Systems are being improved for forecasting demand volumes during business as usual periods and during health emergency surges.

Appendix one – Response from agency

Appendix two – Audit methodology

Appendix three – About the audit 

Appendix four – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #344 - released 9 December 2020