This report analyses the results of our audits of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Planning, Industry and Environment cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Planning, Industry and Environment cluster agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.

An 'Other Matter' paragraph was included in the Independent Planning Commission's (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983 (PF&A Act). The financial reporting provisions of the Government Sector Finance Act 2018 now require the IPC to prepare financial statements.

The number of identified misstatements increased from 51 in 2019–20 to 54 in 2020–21.

The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements are incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. Management has commenced actions to improve the governance and financial management of the Corporation. These audits are currently in progress and the 2020–21 audit will commence shortly.

There are 609 State controlled Crown land managers (CLMs) across New South Wales that predominantly manage small parcels of Crown land.

Eight CLMs prepared and submitted 2019–20 financial statements by the revised deadline of 30 June 2021. A further 24 CLMs did not prepare financial statements in accordance with the PF&A Act. The remaining CLMs were not required to prepare 2019–20 financial statements as they met NSW Treasury's financial reporting exemption criteria.

The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 CLMs are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21.

There are also 120 common trusts that have never submitted financial statements for audit. Common trusts are responsible for the care, control and management of land that has been set aside for specific use in a certain locality, such as grazing, camping or bushwalking.

What the key issues were

The number of matters we reported to management increased from 135 in 2019–20 to 180 in 2020–21, of which 40 per cent were repeat findings.

Seven high-risk issues were identified in 2020–21:

• system control deficiencies at the department relating to user access to HR and payroll management systems, vendor master data management and journal processing, which require manual reviews to mitigate risks
• deficiencies related to the Centennial Park and Moore Park Trust's tree assets valuation methodology
• the Lord Howe Island Board did not regularly review and monitor privileged user access rights to key information systems
• the Natural Resources Access Regulator identified and adjusted three prior period errors retrospectively, which indicate deficiencies within the financial reporting processes
• deficiencies relating to the Parramatta Park Trust's tree assets valuation methodology
• lease arrangements have not been confirmed between the Planning Ministerial Corporation and Office of Sport regarding the Sydney International Regatta Centre
• the Wentworth Park Sporting Complex land manager (the land manager) has a $6.5 million loan with Greyhound Racing NSW (GRNSW). GRNSW requested the land manager to repay the loan. However, the land manager subsequently requested GRNSW to convert the loan to a grant. Should this request be denied, the land manager would not be able to continue as a going concern without financial support. This matter remains unresolved for many years.

There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that are managed and controlled by the department and land managers (including councils and land managers controlled by the state). The CLID system was not designed to facilitate financial reporting and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.

The department is implementing a new system to record Crown land (the CrownTracker project). The department advised that the project completion date will be confirmed by June 2022.

What we recommended

The department should ensure CLMs and common trusts meet their statutory reporting obligations.

Cluster agencies should prioritise and action recommendations to address internal control deficiencies, with a focus on addressing high-risk and repeat issues.

The department should prioritise action to ensure the Crown land database is complete and accurate. This will allow the department and CLMs to be better informed about the Crown land they control.

This report provides parliament and other users of the Planning, Industry and Environment cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Premier and Cabinet cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Premier and Cabinet cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Premier and Cabinet cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The number of monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.

The Library Council of New South Wales corrected a prior period error of $325 million. In 2017, the council split its collection assets into six asset classes, but not the related asset revaluation reserves. To correct this error, some revaluation decrements previously recognised in asset revaluation reserves were reclassified to accumulated funds.

Eight agencies did not complete all of the mandatory early close procedures.

What the key issues were

The Premier and Cabinet cluster was impacted by three Machinery of Government (MoG) changes during 2020–21.

The changes resulted in the transfer of activities and functions in and out of the cluster and the creation of a new entity - Investment NSW.

The transferor entities continued to provide services to Investment NSW subsequent to 30 June 2021. There were no formal service level agreements in place for the provision of these services.

The New South Wales Electoral Commission (the Commission) and Sydney Opera House Trust obtained letters of financial support from their relevant Minister and/or NSW Treasury in 2020–21. The postponement of local government elections impacted the Commission's operations due to increased planned expenditure to support a COVID-safe election. Sydney Opera House Trust's ability to generate revenue was impacted due to the closure of the Concert Hall partly due to COVID-19 and planned renovations.

The number of repeated audit issues raised with management and those charged with governance increased from 22 in 2019–20 to 24 in 2020–21.

There were 47 moderate risk and 28 low risk findings identified. Of the total findings there were 24 repeat issues.

What we recommended

Investment NSW should ensure services received from other agencies are governed by service level agreements.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Regional NSW cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Regional NSW cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Regional NSW cluster (the cluster) agencies’ financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statement audits of cluster agencies. Four audits are ongoing.

The number of misstatements identified in the financial statements of cluster agencies decreased from 27 in 2019–20 to seven in 2020–21.

The Department corrected an understatement of $82.2 million in prepaid income related to the Bushfire Clean-up Program.

What the key issues were

Local Land Services (LLS) undertook a comprehensive revaluation of asset improvements on land reserves used for moving stock (travelling stock reserves).

The revaluation process identified that improvements on land reserves, with a value of $93.0 million, had not been previously recognised in the financial statements. LLS corrected this error by restating the 2019–20 comparative balances in its 2020–21 financial statements.

The Forestry Corporation of NSW revalued its biological assets that comprise approximately 225,000 hectares of softwood plantations and 34,000 hectares of hardwood forests. The current year valuation resulted in $71.4 million decrement in the total biological assets from $824.9 million in 2019–20 to $753.5 million in 2020–21.

The number of matters reported to management decreased from 36 in 2019–20 to 19 in 2020–21. Twelve moderate risk issues were identified and 47 per cent of reported issues were repeat issues.

What we recommended

Cluster agencies should prioritise and action recommendations to address internal control deficiencies.

This report provides Parliament and other users of the Regional NSW cluster agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Regional NSW cluster.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two - Early close procedures

Appendix three - Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

This report highlights the results of the financial audits of NSW Government central agencies. The report focuses on key observations and findings from the most recent financial statement audits of agencies in the Treasury, Premier and Cabinet, and Finance, Services and Innovation clusters.

The report includes a range of findings in respect to service delivery. One repeat finding is that while the Government regularly reports on the 12 Premier's priorities, there is no comprehensive reporting on the 18 State priorities. 

1. Financial reporting and controls

2. Service delivery

3. Government financial services

This report sets out the results of the 30 June 2017 financial statement audits of NSW Government's central agencies and their cluster agencies.

Central agencies play a key role in ensuring policy coordination, good administrative and people management practices and prudent fiscal management. The central agencies and their key responsibilities are set out below.

Confidence in public sector decision‑making and transparency is enhanced when financial reporting is accurate and timely. Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. This chapter outlines our audit observations, conclusions or recommendations related to financial reporting and controls of agencies for 2016–17.

This chapter outlines our audit observations, conclusions and recommendations relating to service delivery for 2016–17. 

This chapter outlines our audit observations, conclusions and recommendations specific to NSW Government agencies providing financial services.

Appendix one - List of 2017 recommendations

Appendix two - Status of 2016 recommendations

Appendix three - Agencies selected for this volume

Appendix four - Timeliness of financial reporting and audit reporting

Appendix five - Financial audit reporting

Appendix six - Financial analysis

Total State Sector Accounts received an unqualified audit opinion for the fifth consecutive year.

There was a $5.7 billion State budget surplus and continued investment in new infrastructure, in part funded by the long-term leases of Ausgrid and Endeavour Energy assets. This report also comments on key accounting matters, including the correction of some previously reported balances and the first time reporting of combined Cabinet members’ compensation in the Total State Sector Accounts.

Pursuant to the Public Finance and Audit Act 1983, I present my Report on State Finances 2017.

You will note that the format of this report has changed from previous years.

The intent of this change is to draw attention to the key matters that have been the focus of our audit and highlight significant factors that have contributed to the outcome.

First, it is pleasing to report once again that I issued a clear audit opinion on the State’s consolidated financial statements. This outcome demonstrates the Government’s continued focus on the quality of financial reporting across the NSW public sector.

High quality financial management and reporting are crucial to properly inform the public and build community confidence in our system of government.

The Treasury’s Financial Management Transformation program also aims to improve financial governance, budgeting and reporting arrangements across the sector. My Office is working collaboratively with The Treasury on reforms to reduce the burden of reporting, without weakening established safeguards.

The reforms should include measures to provide independent assurance of the budget process, of outcome reporting by agencies, and the power to “follow the dollar” given the increasing use of non-government organisations to deliver Government programs.

This Report also highlights another year of strong financial performance. The State’s budget result was a $5.7 billion surplus, and investment in new infrastructure has continued, in part funded by the long-term leases of Ausgrid and Endeavour Energy assets.

Finally, could I take this opportunity to thank the staff of The Treasury for the way they approached this audit. Our partnership is critical to ensuring NSW is an exemplar of quality financial management and reporting.

Margaret Crawford 
24 October 2017

A clear audit opinion on the State’s consolidated financial statements was issued.

Timely and accurate financial reporting is essential for informed decision making, effective management of public funds and enhancing public accountability.

This year’s clear audit opinion reflects the Government’s continued efforts to improve the quality of financial reporting across the NSW public sector.

Since the introduction of ‘early close procedures’ in 2011-12, the number of significant errors in financial statements of agencies has generally fallen largely due to identifying and resolving complex accounting issues early. Agencies’ 2016-17 financial statements submitted for audit contained nine errors exceeding $20 million. All errors were subsequently corrected in the individual agencies financial statements.

Agencies should continue to respond to key accounting issues as soon as they are identified. Where issues are identified, accounting position papers should be prepared for consideration by the Audit Office, their Audit and Risk Committee members, and when relevant, The Treasury.

The State addressed the following key accounting matters during 2016-17. 

The State recognised rail tunnels and earthworks valued at $8.5 billion.

Some rail tunnels and earthworks have never been valued by the State. These include the City Circle, the country rail network and other tunnels and earthworks built before the year 2000. Some of these tunnels and earthworks date back to the early 1900s.

For many years, the State did not account for these assets as they believed that their value could not be reliably measured. This year an independent valuer was engaged to perform a comprehensive valuation. The methodology used demonstrated
that the assets could have been reflected in the financial statements earlier.

The State recorded an additional $8.5 billion to correct the value of infrastructure assets at 1 July 2016.

Cabinet member’s compensation and related party transactions were reviewed.

Due to changes in Accounting Standards, the State had to consider 'related party information' in the financial statements. Previously this only applied to for-profit entities.

This year, requirements to report related party information extended to members of Cabinet, considered to be “key management personnel” of the State, as defined by Accounting Standards.

The Treasury implemented a process to assess and report Cabinet member’s compensation, and transactions between Cabinet members and/or their close family members, and government agencies.

Collectively, Cabinet members’ remuneration was $8.8 million, which was mainly salaries and allowances, and $3.5 million of non-monetary benefits such as security and drivers. The Treasury determined there were no other specific “related party” transactions or balances that required disclosure in the State’s financial statements.

Information system limitations continue at TAFE NSW.

TAFE NSW has experienced ongoing issues with its student administration system.

TAFE NSW has again implemented additional processes to verify the accuracy and completeness of revenue from sales of goods and services.

TAFE NSW expects to spend up to $89 million on a new information system to address these issues. Modules of the new student enrolment system are expected to be in place for the 2018 enrolment period.

Restatements relating to the General Government Sector's investment in the commercial sector.

The State corrected two previously reported balances relating to the General Government Sector’s investment in the commercial sector.

Accounting Standards require the General Government Sector to effectively store gains or losses related to its investment in the commercial sector in reserves until the investment is derecognised.

When these investments are disposed of, the cumulative gains and losses must be cleared and recognised in the operating result. However, the Government had previously cleared the cumulative gains and losses directly to Accumulated Funds within equity.

To comply with Accounting Standards, a total of $6 billion previously reported as a movement in equity  at 30 June 2016, has now been corrected to the operating result.

In addition, Accounting Standards only allow gains or losses on its investments to be stored in reserves. In past years, the State recognised all changes in the value of its investment in Available for Sale Reserves, including the capital contributed to establish the State’s investment. In 2016-17, a total of $23.4 billion of contributed capital was corrected to accumulated funds at 1 July 2015.

The State’s budget result was a $5.7 billion surplus, $2.0 billion higher than the budget estimate.

The Total State Sector comprises 310 entities controlled by the NSW Government.

Of the total, the General Government Sector comprises 215 entities that provide goods and services not directly paid for by consumers.

The non-General Government Sector comprises 95 Government businesses that provide goods and services such as water and electricity, or financial services.

A principal measure of a Government’s overall performance is its Net Operating Balance, or Budget Result. The Net Operating Balance reports the difference between the cost of General Government service delivery and the revenue earned to fund these sectors.

The State has recorded budget surpluses and exceeded the original budget result in nine of the last ten years.

The State maintained its AAA credit rating.

The object of the Act is to maintain the AAA credit rating.

NSW’s finances are managed in alignment with the Fiscal Responsibility Act 2012 (the Act).

The Act established the framework for fiscal responsibility and strategy needed to protect the State’s AAA credit rating and service delivery to the people of NSW.

The purpose of maintaining the AAA credit rating is to reduce the cost of, and ensure the broadest access to, borrowings.

A triple-A credit rating also helps maintain business and consumer confidence so economic activity and employment are sustained. The legislation sets out targets and principles for financial management to achieve this.

New South Wales has credit ratings of AAA/Negative from Standard & Poor’s and Aaa/Stable from Moody’s Investors Service.

The fiscal targets for achieving this objective are:

General Government expenditure growth is lower than long term revenue growth.

General Government expenditure growth was 4.2 per cent in 2016-17, below the long-term revenue growth of 5.6 per cent.

Eliminating unfunded superannuation liabilities by 2030.

The Act sets a target of eliminating unfunded defined benefit superannuation liabilities by 2030. The State’s net superannuation liability was $58.6 billion at 30 June 2017 ($71.2 billion at 30 June 2016).

The Government predicts the 2030 target will be achieved. The State’s funding plan is to contribute amounts escalated by five per cent each year so the schemes will be fully funded by 2030. In 2016-17, the State made employer contributions of $1.5 billion, which is largely consistent with contributions over the past five years.

The liability values in the graph below do not reflect the values recorded in the Total State Sector Accounts. For financial reporting purposes, Accounting Standards (AASB 119 Employee Benefits) require the State to discount its superannuation liability using the government bond rate (refer to page 10 of this report). 

The relevant government bond rate in the current economic climate is 2.62 per cent.

The State’s target for the unfunded superannuation liability is measured using AASB 1056 Superannuation Entities. This is because it adopts a measurement basis that reflects expected earnings on fund assets, which are currently between 5.9 and 7.4 per cent. Using these rates, the liability is $15.0 billion at 30 June 2017 ($16.1 billion at 30 June 2016). The unfunded liability is $2.4 billion less than when the Act was introduced.

The State’s assets grew by $31.6 billion during 2016-17 to $409 billion.

Valuing the State’s physical assets.

When we audit the financial statements, we focus on areas we consider as higher risk. These areas are often complex, and require the use of estimates and judgements.

The State has $307.2 billion of physical assets measured at fair value in accordance with Australian Accounting Standards. Fair value calculations are inherently complex and sensitive to assumptions and estimates, increasing the risk these assets are incorrectly valued.

In our audits, we assess the reasonableness and appropriateness of assumptions used in valuing physical assets. This includes obtaining an understanding of the valuation methodologies applied and judgements made. We also review the completeness of asset registers, and the mathematical accuracy of valuation models.

Net movements between years includes additions, disposals, depreciation and valuations. This year, valuations of physical assets added $16.2 billion to the State’s assets, comprising: 

• Transport for NSW and Railcorp $8.5 billion

• New South Wales Land and Housing Corporation $4.8 billion

• Roads and Maritime Services $930 million

• Crown Entity $400 million.    

The State’s financial assets increased $27.5 billion in 2016-17

The State’s financial assets have increased by 88 per cent over the past four years. In 2016-17, financial assets increased primarily due to proceeds from the sale of government assets and businesses.

The Government implemented reforms to better use the State’s financial assets. A key element was the creation of an Asset and Liability Committee (ALCO) to provide advice on ways to improve balance sheet management.

Since the creation of the ALCO, reforms include:

• Establishment of the New South Wales Infrastructure Future Fund (NIFF). The net proceeds from the State’s asset recycling program are invested into the NIFF, which is managed by TCorp, with a balance of $14.6 billion by 30 June 2017. Funds raised are invested through the NIFF until the Government requires them for critical infrastructure projects that are part of the Restart NSW and Rebuilding NSW program of works. ALCO and TCorp provide advice on the NIFF’s performance and management

• Establishment of the Social and Affordable Housing Fund ($1.1 billion at 30 June 2017). ALCO oversees the Fund to ensure an appropriate investment approach that will maintain funding certainty for new social and affordable housing stock

• Cash and liquidity management reforms to centralise cash previously held by agencies in the Treasury Banking System. This reform is designed to ensure agencies have adequate levels of liquidity but with surplus funds invested centrally for better returns.

The State’s liabilities decreased by $13.1 billion during 2016-17 to $182 billion.

Valuing the State’s liabilities relies on an actuarial assessment.

Nearly half of the State’s liabilities relate to its employees. This includes unfunded superannuation, and employee benefits, such as long service and recreation leave.

Valuation of these obligations is subject to complex estimation techniques and significant judgements. Small changes in assumptions can materially impact the financial statements.

We address the risk associated with auditing these balances:

• using actuarial specialists

• testing controls around underlying employee data used in data models, and testing the accuracy of the calculations

• evaluating assumptions applied in calculating employee entitlements such as the discount rate and the probability of long service leave vesting conditions being met.

The State’s superannuation obligations reduced by $12.6 billion in 2016-17.

The State’s $58.6 billion superannuation liability represents obligations for past and present employees, less the value of assets set aside to meet those obligations. The superannuation liability decreased from $71.2 billion to $58.6 billion, largely due to an increase in the discount rate from 1.99 per cent to 2.62 per cent. This alone reduced the liability by $9.2 billion

The State’s borrowings totalled $70.6 billion at 30 June 2017.

The State’s borrowings totalled $70.6 billion at 30 June 2017, $9.5 billion less than the previous year. This was largely due to the repayment of borrowings when the assets of Ausgrid and Endeavour Energy were leased to the private sector.

TCorp issues bonds to raise funds for NSW Government agencies. The bonds are actively traded in financial markets providing price transparency and liquidity to public sector borrowers and institutional investors. All TCorp bonds are guaranteed by the NSW Government.

The Government manages its debt liabilities through its balance sheet management strategy. The strategy extends to TCorp, which applies an active risk management strategy to the Government’s debt portfolio.

General Government Sector debt is being restructured by replacing shorter-term debt with longer-term debt. This lengthens the portfolio to better match liabilities with the funding requirements of infrastructure assets and reduces refinancing risks. It also allows the Government to take advantage of the low interest rate environment.

The State recorded revenue of $83.5 billion in  2016-17, an increase of $5.3 billion from 2015-16.

The State’s results are underpinned by revenue growth in taxation, fees and fines.

Taxation, fees, fines and other revenue comprises $30.5 billion of taxation ($28.7 billion in 2015-16) and $5.3 billion of fees, fines and other revenue ($4.6 billion).

Tax revenue for the Total State Sector increased by $1.8 billion, or 6.4 per cent compared to 2015-16, primarily due to:

• one-off business asset sales and lease transactions, including $718 million in transfer duty from the Ausgrid and Endeavour Energy lease transactions

• $385 million increase in payroll tax from growth in NSW employment and average employee compensation

• a $426 million increase in land taxes.

Growth in stamp duty is expected to slow over the next 4 years.

General Government Sector stamp duties have increased from $6.2 billion in 2012-13 to $11.5 billion in 2016-17, an annual average growth rate of 16.5 per cent. The Government’s budget forecasts the growth in stamp duties to decline, to an average annual growth rate of 2.6 per cent between 2016-17 and 2020-21.

The State received Commonwealth grants and subsidies of $30.8 billion in 2016-17.

The State received $30.8 billion from the Commonwealth Government in 2016-17, $1.6 billion more than in 2015-16. This was primarily due to transaction based asset recycling grants of $1.0 billion and a $720 million increase in national land transport grants. This increase was offset by a $435 million decrease in General Purpose Grants, which mainly comprises New South Wales’ share of the Goods and Services Tax (GST). 

The State spent $79.4 billion in 2016-17 to deliver services to the community, an increase of $3.9 billion from 2015-16.

Overall expenses increased 5.2 per cent from last year. Most of the increase was due to higher employee costs and operating costs.

Total salaries and wages increased by 4.2 per cent from 2015-16.

Total salaries and wages increased to $30 billion from $28.8 billion in 2015-16. The Government wages policy aims to limit the growth in remuneration and other employee costs to no more than 2.5 per cent per annum.

Operating expenses increased by 12.4 per cent from 2015-16.

Within operating expenses, payments for supplies, services and other expenses increased, in part, due to the State:

• reacquiring mining licenses worth $482 million and additional land remediation costs of $101 million

• spending more on health including additional drug supplies relating to Hepatitis C.

State spend on transport and communications increased by 68.1 per cent since 2012-13.

While spending on health and education remain the largest functional areas provided by Government, expenditure on transport and communication increased, on average, by 13.9 per cent annually between 2012-13 and 2016-17. This increase reflects the Government’s investment in transport infrastructure such as the Sydney Metro and Westconnex. Over the same period, spending on health increased by $3.9 billion.

Expenditure on fuel and energy has decreased by an average of 44.7 per cent since 2012-13, reflecting the State’s leases of electricity network assets.

In 2011, the Government established Restart NSW to fund high priority infrastructure projects.

Restart NSW projects are primarily funded from the proceeds from the asset recycling program enabling Government to deliver new infrastructure investment.

Restart NSW provides funding for the delivery of Rebuilding NSW, which is the Government’s 10-year plan to invest $20 billion in new infrastructure.

The State finalised long-term leases of Ausgrid and Endeavour Energy assets.

In June 2017, the Government finalised its long-term lease of 50.4 per cent of Endeavour Energy. This transaction follows on from the long-term leases of TransGrid in December 2015 and 50.4 per cent of Ausgrid in December 2016. Net proceeds of $15.0 billion were paid into Restart NSW relating to these transactions.

The Government also finalised an arrangement for the private sector to provide land titling and registry services to the public for 35 years. The State, through Restart NSW, received an upfront payment of $2.6 billion from the new operator.

Restart NSW is funding $29.8 billion of new infrastructure.

The Government has detailed its plan to invest $20 billion into the Rebuilding NSW plan from Restart NSW.

At 30 June 2017, around $2.9 billion has already been spent on Rebuilding NSW projects from Restart NSW, with a further $9 billion included in the budget aggregates. The Government has also earmarked a further $8.1 billion in Restart NSW for future projects.

The most significant project is the Sydney Metro. The Government has committed $7.0 billion from Restart NSW to build a 30-kilometre metro line, linking Sydney Metro Northwest at Chatswood, through new stations in the lower North Shore, the Sydney CBD and southwest to Bankstown. At 30 June 2017, $2.4 billion has been spent on this project from Restart NSW.

Other significant projects funded by Restart NSW include a $1.8 billion contribution to WestConnex and reserved funding of $1 billion towards the State’s Major Stadia Network program.

The Treasury initiated the Financial Management Transformation (FMT) program with the aim of changing and improving financial governance, budgeting and reporting arrangements of the New South Wales public sector.

FMT aims to deliver better outcomes for the people of New South Wales and focuses on transparency and accountability for expenditure, and better value for money.

New Financial Management System

PRIME is the Information Technology (IT) solution component of the FMT program, replacing several historical systems. PRIME will provide both financial and performance information within one IT platform for all agencies in the NSW public sector.

It is expected to give Government more timely information to plan and deliver its policy priorities and the budget.

Independent assurance over the budget process would improve confidence in the reliability of the State’s financial information.

Appendix one - Prescribed entities

Appendix two - Legal opinions

This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.

All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.  

Significant matters reported to the portfolio Minister, Treasurer and Agency Head

In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:

 Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.  

In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.