What the report is about

The report examined whether NSW Treasury, Service NSW and the Department of Customer Service effectively administered grants programs funded under the $750 million Small Business Support Fund, including:

• $10,000 Small Business Support Grant
• $3,000 Small Business Recovery Grant.

What we found

The agencies effectively implemented the grants within required timeframes, reflecting the NSW Government’s decision to deliver urgent financial support to small businesses impacted by the COVID-19 pandemic.

NSW Treasury met urgent timeframes to design the grants and Service NSW made timely payments in line with the grants' objectives and eligibility criteria.

Service NSW and the Department of Customer Service strengthened processes to detect and minimise fraud in response to identified external fraud risks, and to investigate suspected fraudulent applications.

Fraud security checks and investigations are ongoing, and the agencies will not know the full extent of fraud across the grants until these processes have been completed.

The agencies regularly monitored and reported on the timeliness of payments to small business applicants but have not yet measured all benefits of the grants programs.

The $10,000 Support Grant and the $3,000 Recovery Grant have provided around $630 million in one off grant payments to eligible small businesses.

What we recommended

NSW Treasury should finalise and implement an evaluation of both grants programs, including obtaining feedback from businesses.

Service NSW should develop a framework that documents expected controls for how it administers grants, including business processes, fraud control and governance and probity requirements.

Service NSW should publish information on all grants programs, including grants distribution and uptake.

The Department of Customer Service should ensure its processes for managing conflicts of interest meets its policy requirements.

Upcoming performance audit

The Audit Office is conducting a further performance audit into grants administration for disaster relief focussing on bushfire grants. This is planned to complete in 2021-22.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

The NSW Government responded to the partial shutdown of the NSW economy caused by the COVID-19 pandemic in 2020 by, among other measures, announcing on 3 April 2020 that it would place $750 million into the Small Business Support Fund (the Fund).

Under the Fund, the NSW Government would pay one-off grants of up to $10,000 to small business impacted by the shutdown. The objectives of the $10,000 Small Business Support Grant ($10,000 Support Grant) were to:

• ease the pressure on small businesses that have been affected by the COVID-19 pandemic
• support the ongoing operations of small businesses highly impacted by the COVID-19 restrictions
• deliver cash-flow into small businesses as soon as possible so that small businesses could meet pressing financial needs.

Grant applications were assessed against eligibility criteria that were determined by the NSW Government. The eligibility criteria for the $10,000 Support Grant required an employing small business to demonstrate it was significantly impacted by the COVID-19 pandemic by self-declaring or demonstrating a significant decline of 75 per cent or more in turnover compared to 2019. Documentation requirements were relaxed for small businesses within highly impacted industries.

In June 2020, the NSW Government announced a second round of one-off grants of up to $3,000 to small businesses that were highly impacted by the COVID-19 pandemic ($3,000 Recovery Grant). The objective of the $3,000 Recovery Grant was to help small businesses in 'highly impacted industries' — those directly impacted by the restrictions and closures put in place under the Public Health Orders — to meet the costs of safely reopening or scaling up operations.

The eligibility criteria for the $3,000 Recovery Grant required that a small business be in a highly impacted industry, demonstrate that it was significantly impacted by the COVID-19 pandemic by declaring a significant decline in turnover, and had costs associated with reopening under the 'COVID-Safe' requirements.

NSW Treasury and Service NSW implemented both grants on behalf of the NSW Government. The process of applying for a grant was intended to be quick and easy, with Service NSW using automated assessments and simple online application forms to process applications. Applicants applied for the $10,000 Support Grant through the Service NSW website between 14 April 2020 to 30 June 2020 and applied for the $3,000 Small Business Recovery Grant between 1 July 2020 and 31 August 2020.

At May 2021, around $520 million has been paid to over 52,500 grant applicants under the $10,000 Support Grant and around $109 million had been paid to around 36,700 grant applicants under the $3,000 Recovery Grant.

The Audit Office plans to undertake a performance audit into grants administration for disaster relief focussing on bushfire grants in 2021–22.

This audit assessed whether the grants funded under the $750 million Small Business Support Fund were effectively administered and implemented to provide disaster relief. It addressed the following questions:

• Were funded grants programs planned, designed and targeted effectively?
• Were funded grants programs implemented in line with the objectives and criteria and delivery requirements?
• Have agencies established measures to monitor intended benefits and outcomes?

This audit did not seek to assess the effectiveness of any other grant programs or stimulus measures. It also did not seek to assess the impact of the funding on applicants, or the future prospects of small businesses that received support.

1. Key findings

Around $630 million in timely one-off grant payments have been made to small businesses

Service NSW and NSW Treasury have paid around $630 million in one-off grant payments to small businesses via two grants administered under the $750 million Small Business Support Fund. At May 2021:

• around $520 million has been paid to over 52,500 grant applications received for the $10,000 Small Business Support Grant ($10,000 Support Grant)
• around $109 million has been paid to 36,700 grant applications received for the $3,000 Small Business Recovery Grant ($3,000 Recovery Grant).

Across both grants, over 65,000 small businesses received a payment across either grant, and over 23,000 businesses received payments under both grants.

NSW Treasury advise that, while no data was collected on the time to pay applicants for the $10,000 Support Grant, from its monitoring of the grants' outputs it was satisfied that payment timeframes met its expectations. Service NSW met its targeted time to pay applicants with payments made within ten days for the $3,000 Recovery Grant.

Funds for both grants were not fully spent due to limitations in data and uncertainty of the COVID-19 pandemic's impact. At May 2021, the final demand for the $10,000 Support Grant was around 30 per cent less than initially anticipated and the final demand for the $3,000 Recovery Grant was around 40 per cent less than initially anticipated.

NSW Treasury developed proposals establishing high level design and delivery expectations within rapid timeframes

NSW Treasury put forward proposals to the NSW Government for the two grants administered under the $750 million Small Business Support Fund. It met rapid timeframes for producing this advice: within one day for the $10,000 Support Grant and within four days for the $3,000 Recovery Grant. NSW Treasury's advice to the NSW Government on how to best target the total funding, eligibility criteria and the feasibility of delivering the grants through Service NSW was based on comparable grants programs – including the $10,000 Small Business Bushfire Support Grant – which at that time were ongoing.

The proposals established, at a high-level, the rationale for the grants, expected financial costs, risks and analysis on budget impacts, and confirmation that Service NSW could deliver the grants applications platform. NSW Treasury's demand projections were uncertain due to limited data in the early stages of the pandemic regarding potential economic impact.

Given the tight timeframes, the proposals did not fully consider all planning and design aspects for both grants. For example, there was minimal identification of the costs and benefits of the programs, and a lack of detailed design and delivery requirements. The proposals outlined that arrangements to finalise the risk management, controls, and auditing plan would be agreed by Service NSW and NSW Treasury before implementation.

In future circumstances where urgent advice on program design is required, NSW Treasury could set clearer expectations for the delivery agency, including fully considering costs, benefits and delivery requirements that could be carried through to project governance and implementation.

Service NSW implemented both grants in line with delivery expectations

Service NSW met urgent timeframes to stand-up both grants: 11 days for the $10,000 Support Grant and 26 days for the $3,000 Recovery Grant. Delivery expectations for each grant were established under a grant project agreement (grant agreement). Service NSW delivered the online application platform, assessment of applications, payments and reporting of the grants' uptake as per the grant agreements.

The urgent timeframes to deliver the grants contributed to gaps in Service NSW's project and risk management processes throughout the lifecycle of both grants. For example, the requirement to meet pressing timeframes for the $10,000 Support Grant launch meant agencies had reduced time to achieve sign-off on key documentation. As a result, important documents and processes – including the grant agreement, risk documentation and key business process and quality assurance processes – were not finalised ahead of launch.

Quality assurance and compliance processes for detecting fraud were not settled until after the conclusion of the applications for the $10,000 Support Grant, and were not completed until late 2020. Some project documents, including risk registers, communication plans and project briefs are still not finalised.

The longer timeframe to develop the $3,000 Recovery Grant meant that agencies were able to build on their understanding of the implementation requirements from the $10,000 Support Grant, and better document these expectations and understanding while ensuring that key documents and sign-offs were in place prior to launch.

Service NSW tightened its risk management and controls in response to evidence of fraudulent applications

In May 2020, Service NSW and the Department of Customer Service (DCS) were alerted to suspected fraudulent activity within grants administered by Service NSW. Initially, Service NSW anticipated that up to $8.8 million of the $10,000 Support Grant was at risk of exposure to fraudulent applications. However, Service NSW reported that, at April 2021, $1.9 million for the $10,000 Support Grant and $254,000 for the $3,000 Recovery Grant from paid applications were at risk of fraud exposure.

Following an internal review of the potential exposure to fraudulent or ineligible applications, Service NSW implemented additional automated security checks on applications, increased manual assessments of grant applications, established a dedicated taskforce for grants administration and engaged a unit within DCS to manage high-risk investigations.

Service NSW and DCS's increased governance and oversight has resulted in an established case management function, increased referrals to law enforcement, prioritised investigations of suspicious applications and the development of a 'Fraud Control Framework' aimed at addressing external fraud risks. Given Service NSW had limited experience in these processes in context of administering grant payments, such actions were an appropriate response.

Security checks and investigations of suspicious applications are ongoing. Service NSW will not know the full extent of fraud across the grants until these processes have been fully completed.

Service NSW and Department of Customer Service can improve how conflicts of interest are managed for future programs

Compliance with agency policies and processes to manage conflicts of interest and financial subdelegations demonstrates that investment decisions are being made by appropriately skilled and experienced staff, allowing agencies to operate efficiently, and reducing the risk of internal fraud.

DCS was unable to produce employee conflicts of interest declarations for the $10,000 Support Grant. Therefore, it is not known how many employees had completed conflicts of interest declarations for this round.

DCS provided information on conflicts of interest declarations for the $3,000 Recovery Grant. Twenty-nine per cent of declarations provided for employees undertaking grant assessments for the $3,000 Recovery Grant were incomplete at March 2021, and a further nine per cent were not finalised even though they indicated a real, potential or perceived conflict.

For future grants programs, ensuring compliance with conflicts of interest policies would help DCS and Service NSW to have greater confidence that conflicts of interest are appropriately identified and managed.

NSW Treasury has not yet measured all benefits or outcomes of the grants

In April 2021, NSW Treasury updated its evaluation plan for the $10,000 Support Grant and $3,000 Recovery Grant in support of an economic evaluation to commence from mid-2021. The updated evaluation plan outlines inputs, activities, and outputs as well as immediate, short term and medium term outcomes for both grants.

The evaluation will consider the extent to which both grants achieved their intended outcomes, and whether the economic benefits exceeded the costs to help inform decisions about the nature and design of any future small business support programs. This will complement, and feed into a broader review of all NSW Government COVID-19 stimulus measures.

Service NSW rapidly developed an approach to administer the grants

Over recent disasters, such as the 2019–20 bushfires and the COVID-19 pandemic, Service NSW has been responsible for administering grant programs on behalf of other government agencies.

Service NSW implemented both grants under its Project Management Framework and under each grant agreement with NSW Treasury as it does not have its own grants administration framework. To address the risks that emerged during delivery, Service NSW developed an approach to standardise and monitor the administration of the grants while they were being implemented.

Service NSW now has an opportunity to establish a grants administration framework, based on the processes, lessons and outcomes captured under the grants administration taskforce and in developing its fraud control framework. Embedding these processes into business as usual for grants administration will enable Service NSW to have a consistent set of expectations for controls, business processes and governance and probity requirements for future grants it implements.

2. Recommendations

By December 2021, NSW Treasury should:

1. finalise and implement an evaluation of the $10,000 Support Grant and $3,000 Recovery Grant, including obtaining direct feedback from businesses on how grant funds achieved the grant objectives.

By December 2021, Service NSW should:

2. develop a grants administration framework, which documents expected controls – including fraud controls – business processes and governance and probity requirements

3. publish information on all grants programs, including grants distribution and uptake.

By December 2021, the Department of Customer Service should:

4. ensure its process for managing conflicts of interest meets policy requirements by:

• ensuring employees promptly declare any real, potential or perceived conflicts of interest
• annually producing a list of conflicts of interest for records retention purposes
• requiring a separate register of conflicts of interest declarations where a grant program is deemed as high risk.

3. Lessons for grants administered within urgent timeframes

The two grants this audit examined were administered within a context of urgent timeframes, and increased complexity and uncertainty about the impact of the COVID-19 pandemic. The following lessons are shared to assist sponsor and delivery agencies in administering future grants where rapid implementation is required.

Sponsor agencies should consider the following lessons:

1. develop an approach to define and measure benefits for rapidly developed programs and projects where a full business case and cost-benefit analysis is not feasible

2. establish common processes and expectations for co-administered grants:

• periodically assure agencies' capability to deliver grants programs
• agree and establish risk appetite statements with administering agencies
• clearly establish expected performance levels and targets under any agreement

3. review the processes and outcomes of rapidly developed programs, capture lessons learned, and apply these in planning and delivering future programs.

Delivery agencies should consider the following lessons:

1. risk management and risk appetite:

• perform robust assessment procedures to ensure risks associated with delivery of the project are identified
• ensure the controls implemented adequately address identified risks
• agree and document the acceptable risk appetite at the outset
• review risk management processes after the grants are issued when unable to finalise risk management processes ahead of launch

2. grant agreements between NSW public sector agencies:

• ensure agreements are finalised in a timely manner
• ensure agreements clearly outline:
  • roles and responsibilities of both parties,
  • changes in scope of services provided
  • fees and charges applicable

3. frameworks for grants administration:

• ensure that there is a common set of expectations in place to guide grants administration including standard controls and processes for managing risk, capturing lessons learned and reporting on outcomes.

Appendix one – Response from agencies

Appendix two – Summary of other COVID‑19 Stimulus and Support for small businesses in NSW in April 2020

Appendix three – Public Health Orders

Appendix four – Highly impacted industries

Appendix five – About the audit

Appendix six – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #352 - released (24 June 2021).

What the report is about

Results of the financial statement audits of the public universities in NSW for the year ended 31 December 2020.

What we found

Unqualified audit opinions were issued for all ten universities.

Two universities reported retrospective corrections of prior period errors.

Universities were impacted by the COVID-19 pandemic with student enrolments decreasing in 2020 compared to 2019 by 10,032 (3.3 per cent). Of this decrease 8,310 students were from overseas.

In response to the pandemic, each university provided welfare support, created student hardship funds, provided accommodation and flexibility on payment of course fees. State and Commonwealth governments provided additional support to the sector.

Six universities recorded negative net operating results in 2020 (two in 2019). The combined revenues of the ten universities from fees and charges decreased by $361 million (5.8 per cent).

Despite the impact of the COVID-19 pandemic, which will continue to impact the financial results of universities in 2021, enrolments of overseas students in semester one of 2021 increased at two universities. This growth meant that total overseas student enrolments increased by 7,944 or 5.8 per cent across the sector as a whole. However, eight universities experienced decreases in overseas student enrolments compared to semester one of 2020. All universities have experienced growth in domestic student enrolments.

What the key issues were

There were 110 findings reported to universities in audit management letters.

Three high risk findings were identified. One related to the continued work by the University of New South Wales to assess its liability for underpayment of casual staff entitlements. The other two deficiencies were at Charles Sturt University, relating to financial reporting implications of major contracts, and resolving issues identified by an internal review of its employment contracts to reliably quantify the university’s liability to its employees.

What we recommended

Universities should prioritise actions to address repeat findings. Forty-five findings were repeated from 2019, of which 23 related to information technology.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

This report analyses the results of our audits of the financial statements of the ten universities in NSW for the year ended 31 December 2020. The table below summarises our key observations.

1. Financial reporting

2. Internal controls and governance

3. Teaching and research

This report provides Parliament with the results of our financial audits of universities in NSW and their controlled entities in 2020, including our analysis, observations and recommendations in the following areas:

• financial reporting
• internal controls and governance
• teaching and research.

Financial reporting is an important element of governance. Confidence and transparency in university sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations on the financial reporting of universities in NSW for 2020.

Financial results

The graph below shows the net results of individual universities for 2020.

Appropriate and robust internal controls help reduce risks associated with managing finances, compliance and administration of universities.

This chapter outlines the internal controls related observations and insights across universities in NSW for 2020, including overall trends in findings, level of risk and implications.

Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These along with the less significant matters are reported to universities for management to address.

Universities' primary objectives are teaching and research. They invest most of their resources to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.

This chapter outlines teaching and research outcomes for universities in NSW for 2020.

Appendix one – Status of 2019 recommendations

Appendix two – Universities' controlled entities

What the report is about

The report examined whether Transport for NSW (TfNSW) and Infrastructure NSW (INSW) effectively assessed and justified major scope changes to the WestConnex project since 2014.

What we found

NSW Government decisions to fund WestConnex-related projects outside WestConnex's $16.812 billion budget have reduced transparency and understate the full cost of WestConnex.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency over the cost of the road component of Sydney Gateway. $1.76 billion of the cost to complete Sydney Gateway is funded outside the WestConnex budget.

Network integration costs, currently estimated at $2.3 billion, are also funded outside the WestConnex budget. Many of these costs are directly attributable to WestConnex and ought to be included in the reported budget.

The Parramatta Road Urban Amenity Improvement Program, costing $198 million, should also be included as part of the WestConnex reported budget.

Decisions to exclude or remove these elements from WestConnex without justification have seen $4.26 billion of projects funded outside the $16.8 billion budget.

Positively, robust analysis was used to develop and incorporate design improvements into the 2015 WestConnex Updated Strategic Business Case.

The separate components of WestConnex underwent all required assurance reviews. However, the NSW Government's assurance framework does not require ongoing ‘whole-of-program’ assurance for large and complex projects like WestConnex. The absence of a holistic review of WestConnex allows for some costs and benefits to avoid scrutiny.

What we recommended

TfNSW should:

• review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects
• ensure that estimated costs and benefits of works which are reasonably required to meet consent conditions are included in business cases for complex large infrastructure projects
• establish centralised and project specific record keeping for major infrastructure projects.

Infrastructure NSW should provide transparent whole of program assurance on total costs and benefits when complex projects are split into sub-projects.

Government should consider enhancing public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole-of-program level.

WestConnex

WestConnex is a 33 km motorway network that will link the western and south‑western suburbs with the Sydney CBD and the Airport and Port Botany precinct. It will also connect with proposed future motorway links to the north shore, northern beaches, and southern Sydney. The project is being delivered in three stages, with completion scheduled for 2023.

When first conceived by Infrastructure NSW (INSW) in 2012, WestConnex was described as a single integrated concept. In August 2013, government approved a business case for an integrated concept of WestConnex, with an estimated cost of $14.881 billion (in nominal outturn costs). Transport for NSW (TfNSW) is the government agency (sponsor agency) accountable for the delivery of WestConnex in accordance with the business case. In August 2014, the NSW Government established the Sydney Motorway Corporation to fund, deliver and operate WestConnex.

In November 2015, the NSW Government publicly released an updated WestConnex business case with greater detail and design enhancements, which increased the estimated cost to $16.812 billion.

Subsequent to this update, further changes were made to the design, including realignment of the M4 to M5 Link connection to the Western Harbour Tunnel project, an expanded interchange at Rozelle, the deletion of the Camperdown Intersection, and the addition of the Iron Cove Link. The reported budget for WestConnex was not changed as a result of these design updates.

To fund WestConnex, Sydney Motorway Corporation consolidated a concessional loan of $2 billion from the Australian Government, private sector debt and equity funding from the State. The Australian Government also provided a $1.5 billion contribution to the State to partially fund construction of WestConnex.

In August 2018, the NSW Government sold 51 per cent of its stake in Sydney Motorway Corporation for $9.26 billion. At the time of writing, the NSW Government is in the process of selling its remaining 49 per cent stake of Sydney Motorway Corporation.

About this audit

In the course of delivering a complex major infrastructure project, it is reasonable to expect changes to the original design and scope. Changes may occur as the design moves from a high‑level concept to a detailed design for project delivery, as new risks or issues are identified, as demands change, or as other interdependent projects are approved. Changes can also occur in response to potential cost or delivery overruns which arise as a result of planning deficiencies. Where design and scope changes significantly change the project costs and/or expected benefits, the justification for these changes should be robust and transparent.

Following our 2014 performance audit, 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF) to improve accountability and transparency over major projects that are developed, procured, or delivered by government agencies. Under the framework, TfNSW, as project sponsor, is responsible for ensuring the WestConnex project meets all IIAF requirements. These include ensuring the project remains strategically aligned and viable, and benefits are on track. INSW is responsible for coordinating the assurance review process and reporting directly to NSW Cabinet on project delivery against time, budget and risks to project delivery.

The objective of this performance audit is to assess whether TfNSW and INSW effectively assessed and justified major scope changes to the WestConnex project since 2014.

1. Key findings

Government decisions to fund WestConnex related projects outside of WestConnex's $16.812 billion reported budget have reduced transparency over costs and understate the full cost of WestConnex

In 2015, the work required to integrate WestConnex with existing roads ('network integration') was funded as a separate project with an estimated cost of $1.534 billion outside the 2015 WestConnex budget of $16.812 billion. TfNSW then created the Network Integration Program to respond to the conditions of planning approval for WestConnex. The current estimated cost to deliver all network integration works is $2.3 billion.

Since the 2015 WestConnex Business Case, the NSW Government has removed several elements from the scope of WestConnex and funded them as separate projects, while keeping the published WestConnex budget at an estimated $16.812 billion. Projects removed include:

• Sydney Gateway, currently costed at $2.56 billion (with an $800 million contribution from WestConnex)
• Parramatta Road Urban Amenity Improvement Program, costed at $198 million in late 2018 and funded though new funding to the Greater Sydney Commission.

Together, these projects represent costs of $4.26 billion that are not included in the WestConnex budget, but are required for WestConnex to achieve the objectives of the 2013 and 2015 WestConnex Business Cases. The costs of these elements in supporting the objectives of WestConnex is not tracked centrally, and there is no single point of oversight over them. Exhibit 1 compares total WestConnex forecast costs (including related projects) between November 2015 and April 2021.

Many network integration costs are directly attributable to WestConnex and ought to be included in the reported budget for WestConnex

Prior to 2015, the scope of WestConnex included enabling works needed before or during construction, as well as funding for future works to address any adverse traffic outcomes created by WestConnex which become apparent after its opening. These works are also known as network integration works.

When government approved the 2015 WestConnex Business Case, it noted that the project would require $1.534 billion for network integration works to address the impacts of WestConnex on the road network. However, the WestConnex project budget of $16.812 billion did not include funding for network integration works. Instead, Roads and Maritime Services (RMS, now TfNSW) was to fund network integration through its normal budget allocation.

It is important to recognise these costs as part of the total WestConnex project cost because:

• TfNSW created the Network Integration Program to respond to network traffic and transport elements of the planning conditions of approval for WestConnex granted by the then NSW Department of Planning and Environment under the Environment, Planning and Assessment Act 1979.
• NSW Treasury guidelines for business cases note that accurate cost estimates include assessment of the financial impact of meeting the conditions of planning approval.
• Travel time and vehicle operating cost benefits attributed to the WestConnex project in the 2015 WestConnex Business Case assume that some network integration works, then costed at $373 million, were in place.

Refer to Appendix two for more detail on network integration works.

Some of the projects in the WestConnex Network Integration Program provide community and place benefits, such as parklands and cycleways. These benefits have not been attributed to WestConnex. Additionally, some network integration works are likely to deliver additional traffic related benefits to WestConnex. As the Network Integration Program’s primary purpose is to meet the conditions of planning approval for WestConnex, TfNSW should attribute all the costs and benefits of the program to WestConnex.

To September 2021, the total funded cost of the Network Integration Program is approximately $2.077 billion. TfNSW estimates that it will need a further $222 million to complete all expected network integration works.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency and accountability for TfNSW's underestimation of the cost of the road component of Sydney Gateway

Sydney Gateway is a high‑capacity connection between the new St Peters Interchange and the Sydney Airport and Port Botany precinct. It includes a road and rail components. The road component was included in the scope of WestConnex in the 2015 WestConnex Business Case. The November 2015 design, which TfNSW costed at $800 million, involved separate roadways from the St Peters Interchange to the International terminal, and to the domestic terminals and Mascot airport precinct.

By October 2016, TfNSW was aware that the $800 million budget for Sydney Gateway was insufficient and revised the forecast cost for the road component to $1.8 billion. The original cost estimate did not sufficiently consider the cost of:

• constructing a complex design adjacent to the airport precinct
• obtaining access to land required for the project
• managing environmental contamination.

On 9 August 2017, the then Minister for WestConnex announced that the Sydney Gateway project was not part of WestConnex.

The 2015 WestConnex Business Case notes that material changes to the WestConnex budget, funding, scope, or timeframe are subject to Cabinet approval processes. It states that, when seeking approval for material changes, the portfolio Minister will make a submission to the relevant Cabinet Committee. Changes in project scope required the approval of the then Cabinet Committee on Infrastructure and should have been endorsed by the WestConnex Interdepartmental Steering Committee.

TfNSW and the NSW Department of Premier and Cabinet (DPC) assert that there is no documentation to support the government’s decision to separate Sydney Gateway from the WestConnex Program, or the WestConnex Interdepartmental Steering Committee's endorsement of a submission to Cabinet seeking approval for the separation.

The established governance processes for major scope changes were not followed in this instance. The lack of transparency regarding government's decision to separate Sydney Gateway from WestConnex also reduces visibility of TfNSW's underestimation of the cost of delivering the road component of Sydney Gateway.

The November 2018 Final Business Case for Sydney Gateway, which was approved by the government, included an estimate of $2.45 billion (nominal outturn cost) for the road component. This estimate included an $800 million contribution from WestConnex. A more recent estimate (late 2020) for this project is $2.56 billion (nominal outturn cost).

The Parramatta Road Urban Amenity Improvement Program should be included as part of the WestConnex budget

A specific objective of the 2015 WestConnex Business Case was the creation of opportunities for urban renewal along and around Parramatta Road. The business case included an allocation of $198 million in the $16.812 billion WestConnex budget for the Parramatta Road Urban Amenity Improvement program, designed to implement aspects of the objective. In November 2018, the NSW Government removed the Parramatta Road Urban Amenity Improvement Program from the WestConnex program of works and reallocated the $198 million (inside the $16.812 billion WestConnex budget) for urban renewal works around the Rozelle Interchange. As part of this decision, government approved new funding of $198 million to the Greater Sydney Commission for the urban amenity program, outside the $16.812 billion WestConnex budget. This understates the cost of WestConnex meeting its objectives by $198 million.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

In August 2015, INSW conducted its first Gateway Review of WestConnex as a program consisting of composite projects. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or mega‑project. This is not inconsistent with the IIAF and all WestConnex related projects, including Sydney Gateway and the Network Integration Program, have undergone independent assurance reviews as individual projects under the IIAF.

Once a program like WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to provide independent assurance on the program as a whole until it is completed. This is then done as part of the Gateway review for benefits realisation, which examines whether project benefits are being measured and meet expectations. These individual projects are, in themselves, significant in scale and complexity. While addressing them as discrete components for the purposes of the assurance review process can be justified, the absence of strategic, holistic reviews of WestConnex allows for total costs and benefits to become opaque and avoid scrutiny. Programs of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

There is a lack of public transparency on the total costs and benefits of the WestConnex project

Prior to 2018, the Audit Office provided assurance on costs borne and levied by Sydney Motorway Corporation and its controlled entities. Since the NSW Government sold 51 per cent of its stake in WestConnex in August 2018, the Auditor‑General no longer has the mandate to provide this assurance. The Audit Office is also unable to provide any assurance regarding the performance of tolling concessions.

This means that the total costs of WestConnex, including those levied on road users through tolling, are not reported alongside the full cost of delivering the project. This information, and independent assurance over that information, would provide transparency and context to the outcome of government's sale of its interest in WestConnex.

To enhance the transparency of existing infrastructure assurance processes, government could consider requiring large and complex infrastructure programs to undergo periodic review at a whole‑of‑program level. This could take the form of annual reports to Parliament on the total costs and benefits of selected large and complex projects by the responsible agency. The reports could include an assessment of the cost to government and cost to the community of funding and financing. Independent assurance of the agency report would provide Parliament with greater confidence that infrastructure is delivered economically and providing value for money for the people of NSW.

The Australian National Audit Office provides similar assurance on selected Department of Defence acquisition projects as part of its annual Major Projects Report.

Design enhancements included in the 2015 WestConnex Updated Strategic Business Case were supported by robust analysis

The 2015 WestConnex Business Case contained more detail than the 2013 WestConnex business case. Design enhancements were made as a result of modelling analysis conducted over the two years since the 2013 business case. Enhancements included a full underground link between Kingsgrove and St Peters as part of the New M5 and re‑alignment of the M4‑M5 link tunnel (Stage 3) to include the Rozelle Interchange. The Rozelle Interchange will provide a direct connection to the Anzac Bridge and Victoria Road, and will enable a connection to the proposed Western Harbour Tunnel and Beaches Link. A map and description of these elements can be found at Exhibits 2 and 3 of this report.

In 2016, TfNSW revised the design of the M4‑M5 Link and Rozelle to address traffic and integration issues

As part of preparing the 2015 WestConnex Business Case, TfNSW prepared a Project Definition and Delivery Report (PDDR) for the M4‑M5 Link. This report describes the scope of the project, including a high‑level concept design. TfNSW identified limitations with the proposed design of the M4‑M5 in the PDDR, which it would need to address as the project moved to a detailed design stage. In particular, these limitations included:

• poor integration with the Bays Precinct masterplan
• traffic capacity constraints on Victoria Road and Anzac Bridge
• construction complexity.

Following a comprehensive review in mid‑2016, TfNSW changed the design of the M4‑M5 Link and Rozelle Interchange to address these limitations. These changes included:

• deletion of the Camperdown intersection to improve traffic conditions on Parramatta Road
• a fully underground and larger Rozelle Interchange with 10‑hectare dedicated parklands
• a toll‑free tunnel link from Iron Cove Bridge to Anzac Bridge
• increasing the lanes in the dual tunnels from three to four each way.

TfNSW documented, but did not publish, the rationale for the design changes, including how the changes addressed the limitations of the previous design while providing increased community benefit through the creation of open space. TfNSW undertook cost comparison studies which estimated that these changes would have a neutral impact on the estimated project cost while achieving the same or improved benefits.

TfNSW's record‑keeping systems for large infrastructure investments negatively impact accountability and transparency

In response to our formal requests for relevant information, made during the conduct of this audit, TfNSW advised that complete and valid records of key decision‑making processes, analysis and advice were unavailable. Additionally, TfNSW often provided information that was incomplete or unverifiable (for instance, unsigned briefing notes). This is not consistent with accepted governance practices and does not comply with the requirements of the State Records Act 1998.

We also requested that TfNSW provide a list of relevant documents held by the Sydney Motorway Corporation (SMC). While TfNSW acknowledged that SMC may hold material relevant to the audit, TfNSW did not have a list or description of these documents. As SMC is now a majority privately held entity, both the Audit Office and TfNSW have limited power to require SMC to provide documentation.

The delivery timeframe for large and complex infrastructure projects such as WestConnex frequently exceeds five years, and some projects can take over a decade to deliver. These projects represent a significant investment of public resources and government agencies should expect independent review and assurance activities such as performance audits. The establishment of dedicated record keeping facilities for major infrastructure projects, such as data rooms, would improve transparency and accountability. This would ensure that the use of public resources is fully auditable in line with public expectations and the requirements of the Government Sector Finance Act 2018, the State Records Act 1998 and the Public Finance and Audit Act 1983.

2. Recommendations

By December 2021, TfNSW should:

1. review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects

2. when preparing business cases for complex large infrastructure projects, ensure that the estimated costs and benefits of works which are reasonably expected to meet consent conditions are included in the overall project cost and its benefits (as per Treasury guidelines)

3. establish and maintain centralised and project‑specific record keeping, including through dedicated project data rooms, to ensure major infrastructure projects can readily be subject to external oversight and assurance.

By June 2022, INSW should:

4. provide transparent whole‑of‑program assurance on total costs and benefits throughout the project life‑cycle when complex projects are split into sub‑projects.

By June 2022, NSW Government should:

5. consider enhancing the public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole‑of‑program level. This could take the form of reports to Parliament on the total costs and benefits on selected large and complex projects by the responsible agency, including cost to government and cost to community of funding and financing, as well as an accompanying independent assessment of the agency report.

Following our 2014 performance audit report 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF). INSW is responsible for the development, implementation and administration of the IIAF. The assurance framework involves gateway reviews, health checks, deep dive reviews, and project monitoring and reporting at various stages in the lifecycle of a project. The main aims of the IIAF are to help ensure major infrastructure projects are delivered on time and on budget, and to ensure that reports are regularly monitored by the Cabinet of the NSW Government. The IIAF gateway review process is compulsory for all significant investments and expenditure under the NSW Treasury Gateway Policy.

In accordance with the IIAF, INSW is responsible for the following:

• providing a dedicated Assurance Team including Gateway Review Managers to coordinate Reviews
• determining appropriate expert reviewers, and manages scheduling, commissioning and administration of Assurance Review reports. Infrastructure NSW is independent of the Expert Review Team
• monitoring Tier 1 – High Profile/High Risk projects, Tier 2 and Tier 3 (if required) project performance through independent Assurance Reviews
• providing independent analysis and advice on key risks and any corrective actions recommended for Tier 1 – High Profile/High Risk, Tier 2 and Tier 3 projects
• escalating projects to Infrastructure Investor Assurance Committee (IIAC) and Cabinet where projects present ‘red flag issues’ and where corrective action is needed
• working with delivery agencies to register all capital projects with an estimated cost greater than $10.0 million and ensures they are risk profiled and assigned a risk‑based project tier with an endorsed IIAF Project Registration report
• preparing forward looking annual Cluster Assurance Plans
• maintaining and continuously improves the IIAF process
• reporting to the IIAC, Cabinet and Infrastructure NSW Board
• regularly report to NSW Treasury on the performance of the IIAF.

In relation to WestConnex, TfNSW is the sponsor agency responsible for meeting relevant IIAF requirements, including:

• registering and risk profiling projects
• IIAF gateway, health check, and deep dive assurance reviews
• regular reporting.

Under the IIAF, it is mandatory for all capital projects valued over $10.0 million to be registered with INSW. Capital projects can be registered either as a program (comprising of a group of related projects or activities) or as a project (which may or may not be part of a program).

According to the IIAF, programs tend to have a lifespan of several years and aim to deliver outcomes and benefits related to an organisation's strategic objectives. Projects tend to have a shorter lifespan, and deal with outputs. Projects can, however, be grouped under a single program if they are similar in nature or if they are aimed at collectively achieving a strategic objective. Complex projects can be delivered in multiple stages, under different contracts, and across different time periods.

The last assurance review of the entire WestConnex program of works as a whole was in 2015

INSW conducted the first IIAF gateway review of WestConnex in August 2015. TfNSW developed a draft WestConnex Updated Strategic Business Case to consolidate the latest analysis on WestConnex, and to confirm that the project remained fit for purpose, economically viable, and financially deliverable. The review followed a recommendation in our 2014 performance audit report that business cases be thoroughly revisited.

During September 2015, INSW conducted additional informal reviews to identify strategic risks associated with public release of the WestConnex business case. Subsequently, INSW gave the Premier of NSW its views on the draft business case, including the following points:

• The $398 million budget for Sydney Gateway was insufficient to meet the benefits claimed in the business case for a ‘functional’ connection to Sydney Airport and Port Botany. INSW studies indicate a future‑proof solution would require a minimum spend of $755 million.
• Enabling works for WestConnex estimated at $1.534 billion were excluded from the cost of WestConnex. Significant work remained for RMS to identify mitigation measures to address planning approvals and network performance issues.
• Enabling works (a Southern Connector), an access ramp and surface road improvements within St Peters were excluded from the draft 2015 business case despite their inclusion in the WestConnex scope in the 2014–15 State Budget.
• The overall cost of works not funded within the WestConnex budget ranged from $2.011 billion to $2.196 billion. This included the enabling works, access ramp and surface road improvements and the shortfall for Sydney Gateway.

All WestConnex related projects, including Sydney Gateway have undergone independent assurance reviews under the IIAF

Since INSW submitted the first WestConnex progress update report to Cabinet in June 2015, INSW has been reporting monthly on the different stages of the WestConnex Program, including Sydney Gateway, as the projects were registered with INSW as High‑Profile, High‑Risk projects. Separate reporting enabled INSW to report and review each stage with more detailed scrutiny, compared to the reporting and reviewing at a program level.

WestConnex Stage 2 (New M5) underwent both mandatory and non‑mandatory reviews at key points in the project lifecycle. Three mandatory gateway reviews – at Gate 2 (Final business case), Gate 3 (Readiness for market), and Gate 4 (Tender evaluation) – were conducted by TfNSW before the introduction of IIAF. Four non‑mandatory health check reviews and one non‑mandatory deep dive review were conducted after the introduction of the IIAF managed by INSW.

Similarly, WestConnex Stage 3 projects – M4‑M5 link, M4‑M5 Tunnels, and Rozelle Interchange – also underwent mandatory and non‑mandatory reviews at key points in their lifecycle under IIAF.

The M4‑M5 Link had two mandatory gateway reviews and one non‑mandatory health check review under IIAF. These reviews were conducted before Stage 3 was split into two stages, due to major design changes to the Rozelle Interchange and the M4‑M5 tunnels.

The M4‑M5 tunnels had two mandatory gateway reviews (at Gates 3 and 4), one non‑mandatory health check review, and one non‑mandatory deep dive review under IIAF.

Rozelle Interchange also underwent three mandatory gateway reviews at Gate 3 (part 1), Gate 3 (part 2), and Gate 4, two non‑mandatory health check reviews, and one non‑mandatory deep dive review under IIAF.

Since mid‑2017, the Sydney Gateway project has undergone required independent assurance reviews, as well as a number of optional assurance reviews

In November 2016, INSW conducted a mandatory Gate 1 gateway review on a strategic business case for the Sydney Gateway Project. TfNSW did not proceed with this business case. Following the separation of Sydney Gateway from WestConnex in mid‑2017, TfNSW developed a new business case for Sydney Gateway. It has undergone the required Gate 1, Gate 2, and Gate 3 gateway reviews, as well as two non‑mandatory health check reviews, and three non‑mandatory deep dive reviews under IIAF.

Network integration works have undergone all IIAF required assurance reviews

TfNSW completed a strategic business case for the Network Integration Program in August 2020, and INSW completed a gateway review in November 2020. This is despite network integration projects starting as early as 2015, with $645 million having been spent by June 2020. The strategic business case included a prioritisation process for completing remaining works in the program. Prior to November 2020, TfNSW registered individual network integration projects with INSW, and these projects have undergone gateway reviews where required.

The Network Integration Program strategic business case does not include Rozelle interchange network integration works ($353 million) and additional network integration works to settle a contractor claim adjacent to St Peters Interchange ($190 million). These were excluded from the business case on the basis they had already been approved by government, and as such were not subject to the prioritisation elements of the business case. TfNSW has not developed separate business cases for these works, although the scope of the St Peters Interchange works was developed through a negotiated process.

TfNSW did not prepare business cases for some network integration works which have commenced, including the $323 million Campbell Road/Euston Road works

Prior to its development of the August 2020 strategic business case, TfNSW did not prepare business cases for many network integration works that have commenced, and in some instances were completed, before 2019. Significantly, TfNSW did not prepare a business case for the Campbell Road/Euston Road works, which cost $323 million and have been completed.

In 2016, TfNSW’s Business Case Policy requires the creation of business cases for capital projects costing over $1.0 million. At the time of writing this report, TfNSW’s draft policy requires full business cases for capital projects costing $10.0 million or more.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

INSW conducted its first gateway review of WestConnex (as a program, which consisted of composite projects) in August 2015. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or complex project. The IIAF allows this to occur.

Separate registration enabled INSW to report and review each stage with more scrutiny compared to whole‑of‑program level review.

Such an approach has merit, considering the individual stages (and components of these stages) are multi‑million dollar works in their own right. Each project has its own timing for gateway reviews at stages such as 'Readiness for Market' and 'Tender Evaluation'.

Once a program such as WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to conduct independent assurance on the program of works as a whole until the whole program is completed as part of the Benefits Realisation (Gate 6) gateway review. The absence of strategic, holistic reviews of projects of the scale and complexity such as WestConnex during their delivery allows for total costs and benefits to become opaque and avoid scrutiny. Projects of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

INSW has advised us that it has prepared a proposal to expand its assurance function to include whole‑of‑program review of inter‑related infrastructure projects.

Appendix one – Responses from agencies

Appendix two – Network integration works

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #351 - released (17 June 2021).

What the report is about

Results of the local government sector council financial statement audits for the year ended 30 June 2020.

What we found

Unqualified audit opinions were issued for 127 councils, 9 county councils and 13 joint organisation audits in 2019–20. A qualified audit opinion was issued for Central Coast Council.

Councils were impacted by recent emergency events, including bushfires and the COVID-19 pandemic. The financial implications from these events varied across councils. Councils adapted systems, processes and controls to enable staff to work flexibly.

What the key issues were

There were 1,435 findings reported to councils in audit management letters.

One extreme risk finding was identified related to Central Coast Council’s use of restricted funds for general purposes.

Fifty-three high risk matters were identified across the sector:

• 21 high risk matters relating to asset management
• 14 high risk matters relating to information technology
• 7 high risk matters relating to financial reporting
• 4 high risk matters to council governance procedures
• 3 high risk matters relating to financial accounting
• 3 high risk matters relating to purchasing and payables
• 1 high risk matter relating to cash and banking.

More can be done to reduce the number of errors identified in financial reports. 61 councils required material adjustments to correct errors in previous audited financial statements.

Rural fire fighting equipment

Sixty-eight councils did not record rural fire fighting equipment worth $119 million in their financial statements.

The NSW Government has confirmed these assets are not controlled by the NSW Rural Fire Service and are not recognised in the financial records of the NSW Government.

What we recommended

The Office of Local Government should communicate the State's view that rural firefighting equipment is controlled by councils in the local government sector, and therefore this equipment should be properly recorded in their financial statements.

Central Coast Council

A qualified opinion was issued for Central Coast Council (the Council) relating to two matters.

Council did not conduct the required revaluation to support the valuation of roads.

Council also disclosed a prior period error relating to restrictions of monies collected for their water, sewer, and drainage operations, which, based on the NSW Crown Solicitor’s advice, should be considered a change in accounting policy.

What we recommended

The Office of Local Government should clarify the legal framework relating to restrictions of water, sewerage and drainage funds (restricted reserves) by either seeking an amendment to the relevant legislation or by issuing a policy instrument to remove ambiguity from the current framework.

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.

Financial reporting is an important element of good governance. Confidence in and transparency of public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting of councils and joint organisations.

Recent emergency events, including drought, bushfires, floods and the COVID-19 pandemic have impacted councils.

This chapter will provide insights into how these events have impacted councils, including:

• financial implications of the emergency events
• changes to councils' operating models, processes and controls
• accessibility to technology and the maturity of councils' systems and controls to prevent unauthorised and fraudulent access to data
• receipt and delivery of stimulus packages or programs at short notice.

Recent emergency events significantly impacted councils

Recent emergencies, including drought, bushfires, floods and the COVID-19 pandemic have brought particular challenges for councils and their communities.

A strong system of internal controls enables councils to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations and support ethical government.

This chapter outlines the overall trends in governance and internal control findings across councils, county councils and joint organisations in 2019–20. It also includes the findings reported in the 2018–19 audits of Hilltops, MidCoast and Murrumbidgee councils as these audits were finalised after the Report on Local Government 2019 was published.

Financial audits focus on key governance matters and internal controls supporting the preparation of councils' financial statements. Audit findings are reported to management and those charged with governance through audit management letters.

Total number of findings reported in audit management letters decreased

In 2019–20, 1,435 findings were reported in audit management letters (2018–19: 1,985 findings). An extreme risk finding was also identified this year related to Central Coast Council's use of restricted funds. The total number of high-risk findings decreased to 53 (2018–19: 82 high-risk findings).

Findings are classified as new, repeat or ongoing findings, based on:

• new findings were first reported in 2019–20 audits
• repeat findings were first reported in prior year audits, but remain unresolved in 2019–20
• ongoing findings were first reported in prior year audits, but the action due dates to address the findings are after 2019–20.

Findings are categorised as governance, financial reporting, financial accounting, asset management, purchases and payables, payroll, cash and banking, revenue and receivables, or information technology. The high-risk and common findings across these areas are explored further in this chapter.

Audit Office’s work plan for 2020–21 onwards

Focus on local council's response and recovery from recent emergencies

Local councils and their communities will continue to experience the effects of recent emergency events, including the bushfires, floods and the COVID 19 pandemic for some time. The full extent of some of these events remain unclear and will continue to have an impact into the future. The recovery is likely to take many years.

The Office of Local Government (OLG) within the Department of Planning, Industry and Environment is working with other state agencies to assist local councils and their communities to recover from these unprecedented events.

These events have created additional risks and challenges, and changed the way that councils deliver their services.

We will take a phased approach to ensure our financial and performance audits address the following elements of the emergencies and the Local Government's responses:

• local councils' preparedness for emergencies
• its initial responses to support people and communities impacted by the 2019–20 bushfires and floods, and COVID-19
• the governance and oversight risks that arise from the need for quick decision making and responsiveness to emergencies
• the effectiveness and robustness of processes to direct resources toward recovery efforts and ensure good governance and transparency in doing so
• the mid to long-term impact of government responses to the natural disasters and COVID-19
• whether government investment has achieved desired outcomes.

Planned financial audit focus areas in Local Government

During 2020–21, the financial audits will focus on the following key areas:

• cybersecurity, including:
  • cybersecurity framework, policies and procedures
  • assessing the controls management has to address the risk of cybersecurity incidents
  • whether cybersecurity risks represent a risk of material misstatement to council's financial statements
• budget management
• financial sustainability
• quality and timeliness of financial reporting
• infrastructure, property, plant and equipment
• information technology general controls.

Audit, risk and improvement committees

All councils are required to have an audit, risk and improvement committee by March 2022

The requirement for all councils to establish an audit, risk and improvement committee was deferred by 12 months to March 2022 due to the COVID 19 pandemic.

Audit, risk and improvement committees are an important contributor to good governance. They help councils to understand strategic risks and how they can mitigate them. An effective committee helps councils to build community confidence, meet legislative and other requirements and meet standards of probity, accountability and transparency.

Local Government elections

Local Government elections were postponed for one year due to the COVID 19 pandemic

The Local Government elections were deferred for one year due to the COVID 19 pandemic and will now be held on 4 September 2021. As the statutory deadline for the 2020–21 financial statements is 30 October 2021, some of the newly elected councillors will be required to endorse them.

Implementation of AASB 1059

Accounting standards implementation continue next year

AASB 1059 is effective for councils for the 2020–21 financial year.

A service concession arrangement typically involves a private sector operator that is involved with designing, constructing or upgrading assets used to provide public services. They then operate and maintain those assets for a specified period of time and is compensated by the public sector entity in return. Examples of potential service concession arrangements impacting councils include roads, community housing, childcare services and nursing homes.

AASB 1059 may result in councils recognising more service concession assets and liabilities in their financial statements.

Appendix one – Response from the Department of Planning, Industry and Environment

Appendix two – NSW Crown Solicitor’s advice

Appendix three – Status of 2019 recommendations

Appendix four – Status of audits

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, has today released a report on Transport for NSW’s (TfNSW) acquisition of 4–6 Grand Avenue in Camellia.

This audit, which was requested on 17 November 2020 by the Hon. Andrew Constance MP, the Minister for Transport and Roads, examined:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

The audit found that TfNSW conducted an ineffective process when it purchased 4–6 Grand Avenue, Camellia. The audit also found that TfNSW’s internal policies and procedures to guide the transaction were, and continue to be, insufficient.

The Auditor-General has made seven recommendations to address the issues identified in the report.

On 17 November 2020, the Hon. Andrew Constance MP, the Minister for Transport and Roads, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983.

On 15 June 2016, Transport for New South Wales (TfNSW) acquired 6.3 hectares of land at 4–6 Grand Avenue, Camellia, by agreement from Grand 4 Investments Pty Ltd. Grand 4 Investments was a business entity established by the owners of Billbergia Pty Ltd, a property development and investment company.

TfNSW paid Grand 4 Investments $53.5 million and assumed liability for addressing environmental issues and contamination associated with the site. This took place seven months after the vendor acquired the land as part of a competitive Expression of Interest process, in which TfNSW also participated, for $38.15 million.

TfNSW is the NSW Government agency responsible for most major transport infrastructure projects in New South Wales. TfNSW acquired the Camellia site for use as a stabling and maintenance depot to support the Parramatta Light Rail (PLR) project.

Consistent with the minister’s request, this audit assessed:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

In considering the effectiveness of the processes for this purchase, the audit considered:

• the requirements of the Land Acquisition (Just Terms Compensation) Act 1991 (the Act)
• the application of sound processes to manage risk to the NSW Government and to achieve value for money
• the application of disciplines associated with complex procurement, such as probity, in a NSW Government context.

In 2015, TfNSW identified that it would require a stabling and maintenance depot in the Camellia area for the Parramatta Light Rail

In 2014, TfNSW commissioned an external engineering consultancy to undertake a feasibility design study for the Parramatta Light Rail - the Parramatta Transport Corridor Strategy Feasibility Design study (herein referred to as ‘the feasibility study’). In early 2015, TfNSW received the feasibility study, which was one of several key sources that informed the development of business cases for the PLR.

The feasibility study recommended that TfNSW should consolidate the maintenance and cleaning operations with overnight stabling facilities on one site. The study noted that the optimal location for any such site would be in close proximity to the proposed network, and noted that the site must have access to road connections to accommodate access for cars and trucks.

The study found that a centrally located stabling and maintenance facility would be required for all routes serving the Parramatta CBD, and that the Camellia industrial area was a preferred location for such a facility. The study noted that the Camellia area was contaminated.

The feasibility study notes that its conclusions were based on assumptions about the light rail system adopted and decisions made by the future operator of the system, who had not yet been selected or appointed.

TfNSW's decision to progress a potential acquisition in 2015 considered the risk that the site may not be required

TfNSW's FIC was responsible for making decisions on funding allocations at a whole of program level within TfNSW. FIC was also responsible for approving ‘high-risk/high-value’ variations to program budgets. Members of the FIC included:

• Secretary of Transport for NSW
• Deputy Secretary, Infrastructure and Services
• Deputy Secretary, Freight, Strategy and Planning
• Deputy Secretary, Customer Services
• Deputy Secretary Finance and Investment
• Deputy Secretary People and Corporate Services.

An April 2015 submission, from the then Deputy Director-General to the agency’s FIC, sought authorisation and funding approval to participate in an Expression of Interest sale process. It noted the risk that the project may not go ahead. The submission advised that:

By acquiring a strategic site now, it reduces the risk of having to pay an improved value or a value that may be subject to rapidly improving land values due to changes in land use and rezoning.

The property can be acquired for the project, held strategically and income generated by leasing the site as hardstand ¹ space until the project requires the land for the Parramatta Light Rail project.

If the project does not proceed in the medium to longer term, the property can be sold at a premium to what has been paid today as property fundamentals improve.

This submission acknowledged the risks associated with environmental contamination and proposed that these risks would be managed by negotiating a contract where the remediation and associated expenses would be at the landowner’s cost. 

TfNSW assessed the 4–6 Grand Avenue site as one of several sites in Camellia that was a feasible location for a stabling and maintenance facility

The Departmental feasibility study assessed six potential sites for a stabling and maintenance facility, including 4–6 Grand Avenue, noting strengths and weaknesses of each site. A different site on Grand Avenue was assessed as the ‘base case’ option (1 Grand Avenue). The study’s comments on the 4–6 Grand Avenue site included the following:

With an area of approximately 63,000m², this site has sufficient space for a depot with the required stabling yard and maintenance facilities. The location allows for good road access and LRT [light rail transit] access would be from Grand Avenue, which may require a road crossing or signalised intersection. The site has been used for general industrial uses; however the land has been cleared and is currently undergoing remediation ². The site is not affected by flooding based on one in 100-year flood data.

In early 2015, once the opportunity to acquire 4–6 Grand Avenue emerged, TfNSW commissioned a specific feasibility study of the 4–6 Grand Avenue site. The feasibility studies clearly documented the existence of environmental contamination. In April 2015, the report concluded:

Given the limitations of this report and within the parameters that have been set it is concluded that from a spatial and geographic perspective the site at 6 Grand Avenue would be suitable as a stabling and maintenance depot for the Parramatta light rail project. There are few engineering and environmental constraints that would affect the feasibility level analysis of this site and all issues identified, within this desk study, are considered to be resolvable. However this being said there is a significant amount of work necessary to reach the final layout and definition of the stabling and maintenance depot. There are numerous items which require further consideration and conformation; planning approvals could impose restrictions on building heights, noise mitigation measures, light and visual impact requirements all of which can have significant impacts on the spatial requirements of any stabling and maintenance depot. 

The acquisition of 4–6 Grand Avenue was not informed by a Property Acquisition Strategy

For major projects, TfNSW typically requires the project team to complete a Property Acquisition Strategy, which is intended to guide both process as well as specific acquisition issues expected to be faced during the project. The Property Acquisition Strategy is not a mandated document but is a recommended tool to support property acquisition as part of major projects.

TfNSW did not have a Property Acquisition Strategy in place to guide the 2015 Expression of Interest process. On 6 November 2015, the then Project Director for the PLR project emailed the property team, noting a need to develop a Property Acquisition Strategy to close off the scoping design and preliminary business case.

In January 2016, TfNSW developed a draft Property Acquisition Strategy for the Parramatta Light Rail Project, although it was silent on the potential sites for the stabling and maintenance facility.

TfNSW focussed on 4–6 Grand Avenue because it was available and aligned to TfNSW's strategic interests

In early 2015, officials commenced monitoring the market for industrial real estate in the Camellia area and surrounds for possible sites for a stabling and maintenance facility.

In March 2015, then owner of the site, Akzo Nobel Pty Limited released the 4–6 Grand Avenue site through an Expression of Interest process managed by CBRE.

TfNSW’s then Deputy Director-General, Planning, sought approval from FIC to lodge an Expression of Interest up to $30.0 million. Approval was sought on the basis that it would ‘provide certainty for the Parramatta Light Rail project by allowing for a depot site in a suitable location and potentially avoid higher costs or longer timeframes associated with compulsory acquisition following completion of the project’s business case’. FIC approved the request at its meeting on 9 April 2015.

At this time, TfNSW had not conducted any analysis of financial or operational benefits and costs of the potential sites identified in earlier feasibility studies. TfNSW staff advised us that the decision to participate in the Expression of Interest process for 4–6 Grand Avenue was because it was available. There is no documentation substantiating this statement, which TfNSW staff provided verbally as part of this audit.

In November 2015, TfNSW was advised that it was unsuccessful in the Expression of Interest process and that Grand 4 Investments (a related entity of Billbergia) had purchased 4–6 Grand Avenue. TfNSW did not conduct any further analysis of alternative potential sites in Camellia between this date and commencing discussions with Grand 4 Investments in April 2016. In that time there had been some movement on other properties that were included in the feasibility study, including 37–39a Grand Avenue being under offer in September 2015.

In March 2016, TfNSW approached CBRE to organise a meeting with Grand 4 Investments. On 1 April 2016, TfNSW met with Grand 4 Investments.

TfNSW advises that a perceived benefit of the 4–6 Grand Avenue site was that it was not subject to other uses or leaseholds that would increase the cost of compulsory acquisition. Officers involved in the acquisition advised that other nominated sites in the feasibility study were subject to other uses or leaseholds. 

Appendix one – Response from agency 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #349 - released (18 May 2021).

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

• our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
• our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Transport cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of financial statements of entities within the Regional NSW cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.

The Regional NSW cluster aims to respond to regional issues, creating and preserving regional jobs, driving regional economy, growing existing and supporting emerging industries. The key areas of focus across the New South Wales (NSW) State is shown below:

MoG changes impact on Department of Regional NSW

The Department was created as result of the MoG changes during 2019–20. The Administrative Arrangements Order 2020, effective on 2 April 2020 created the Department of Regional NSW. These changes had a significant administrative impact on the cluster agencies. The MoG change resulted in a transfer of net assets ($446 million) and budget ($284 million) from DPIE to the newly created Department of Regional NSW on 2 April 2020. A summary of the MoG impacts on the Regional NSW cluster is shown below.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:

• allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
• revised budgetary and financial and annual reporting time frames – impacting the timeliness of financial reporting
• exempted certain statutory bodies and departments from preparing financial statements.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Regional NSW cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one - List of 2020 recommendations

Appendix two - Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining NSW Health’s management of health and safety risks to nurses and junior doctors in high demand hospital wards over the past five years, including during the first six months of the 2020 COVID-19 health emergency.

The Auditor-General found that while NSW Health effectively managed most incidents and risks to the physical health and safety of hospital staff during ‘business as usual’ activities, systems and resources are not fully effective to manage staff psychological and wellbeing risks, particularly for nurses.

The Auditor-General found that NSW Health was effective in managing most COVID-19 health and safety risks to hospital staff. Overall effectiveness could have been improved had pandemic preparedness training been delivered across all Local Health Districts. Additionally, state-wide communication systems could have been improved to provide hospital clinicians with access to a ‘single source of truth’ with the latest advice from NSW Health authorities.

NSW Health’s planning and preparation for the supply of Personal Protective Equipment (PPE) was partially effective. At various times, some PPE items could not be sourced from established suppliers. Face masks, goggles and protective gowns were substituted with products that differed in shape, size and fitting from usual items, and in some hospitals, substituted masks were used without being locally fit tested by hospital staff.

The Auditor-General made seven recommendations aimed at enhancing hospital health and safety risk reporting practices, along with a recommendation that NSW Health conduct a post pandemic 'lessons learned' review and make policy and operational recommendations for future pandemic responses.

Over the past decade, there have been increases in the numbers of health and safety incidents affecting nurses and junior doctors in NSW hospitals. These increases have been associated with higher numbers of patients with acute mental health conditions, age-related cognitive impairments, and patients presenting in emergency departments under the influence of drugs and alcohol.  

This audit commenced in August 2019, with a focus on the health, safety and wellbeing of nurses and junior doctors in high demand hospital wards. Our audit focused on emergency departments, mental health wards and aged care wards during 'business as usual’ periods of hospital operations. 

In the early months of 2020, the novel coronavirus (COVID-19) brought new health and safety risks to hospital staff. These risks included the potential for infection amongst health workers, increased staff workloads, and impacts on staff wellbeing.  

In May 2020, we expanded the focus of the audit to assess the effectiveness of NSW Health’s management of the health and safety risks to staff during the COVID-19 health emergency. We assessed the impacts on emergency departments and intensive care units, as these were the wards where staff were most likely to come into contact with COVID-19.  

The Audit Office acknowledges the ongoing health and safety challenges that the pandemic has brought to NSW Health staff – in particular to hospital clinicians and the managers who support them.  

This audit assessed the effectiveness of NSW Health’s:

• systems, forums and workplace cultures to support reporting and generate data about risk
• initiatives to support safe workplaces and effectively respond to health and safety incidents
• actions to continuously improve staff health, safety and wellbeing in hospital environments.

The first three chapters of this report describe the effectiveness of NSW Health’s ‘business as usual’ health and safety risk management. The fourth and fifth chapters describe the effectiveness of NSW Health’s health and safety risk management during the COVID-19 pandemic.  

1. Audit recommendations

By December 2021, NSW Health should:

1. Evaluate the effectiveness of the new incident management system to enable full reporting of health and safety incidents and risks in all hospital wards, including those where incidents and risks are common, and monitor for consistency of reporting over time
2. Expand the categories of hospital incident data reported to Ministry executives in the Work Health and Safety Dashboard reports, including by linking injury data to incident types by hospital ward category, and monitor in conjunction with Local Health Districts for emerging trends and improvement over time
3. Ensure that nurses and junior doctors have regular opportunities to report on risks to their psychological health and wellbeing, and that system managers have access to aggregate data to guide responses to mitigate these risks
4. Develop and implement an evidence-based guiding framework and strategy to support hospital staff in the aftermath of traumatic or unexpected workplace incidents, and monitor implementation
5. At regular intervals, publicly report aggregate Root Cause Analysis data detailing the hospital system factors that contribute to clinical incidents
6. Develop and implement a systemwide platform for sharing research and information about hospital health and safety initiatives across the health system
7. Conduct a post-pandemic 'lessons learned' review focusing on the effectiveness of key strategies deployed in the management of the COVID-19 pandemic and make policy and operational recommendations for future pandemic responses. In particular, ensure:
   • regular scenario-based pandemic training for hospital staff
   • updated policies and protocols for hospital infection controls
   • capability to upscale authoritative communication with frontline health workers at the earliest notification of a health emergency and for the duration of the emergency
   • systems and safeguards to ensure the supply and availability of clinically appropriate personal protective equipment (PPE) during all phases of a pandemic.

Local Health Districts were effective in leading health and safety infection control activity

According the NSW Health Influenza Pandemic Plan (Pandemic Plan), the Chief Executives of Local Health Districts have ultimate responsibility for public health unit preparations during health emergencies. If necessary, they can ‘draw on the support of the State Pandemic Management Team and local emergency management resources’.

During the preparations and early response phases to the COVID-19 pandemic, Local Health Districts were at the forefront of most NSW hospital activity. They took the lead role in developing hospital infection control protocols and guidance about the appropriate uses of Personal Protective Equipment (PPE). Each Local Health District established its own responses to the health emergency, based on the best clinical advice available to them. The localised approach meant that there were some minor differences in infection control practices across the NSW health system.

Throughout February and March 2020, there was limited centralised policy or guidance from the Ministry and its Pillar Health agencies about COVID-19 infection control practices. It was not possible to mandate practices at a time when information about the virus was evolving. Clinical responses were changing as more became known about COVID-19, especially about its patterns of transmission and its impacts on people with the disease.

During February and March 2020, Local Health District executives communicated with hospital staff via a range of methods. Some sent daily e-memos with the latest updates. Some scheduled more regular meetings with hospital clinicians. Some Districts set up extensive staff training sessions and information briefings to keep all personnel updated with the latest advice. Physical distancing made it difficult to bring staff together in large groups, so a range of communications measures were implemented.

Clinical staff also utilised their clinical training and expertise to prepare their wards and train frontline staff in infection control procedures. Some sourced information from national and international colleagues to add to localised knowledge of the virus.

When the first evidence of COVID-19 community transmission was identified in the Northern Sydney Local Health District, hospital staff followed infection control protocols that were based on local guidance and information. With the support from the District executive team and infectious diseases experts, hospital clinicians set up their own infection control protocols and PPE protections. Within a week the District had produced a matrix to guide staff in the uses of PPE during COVID-19 procedures, and had circulated the guidance to all hospital clinicians.

At the end of March 2020, a version of the Northern Sydney PPE matrix was published on the Clinical Excellence Commission’s website and it has now become NSW Health’s standard guideline for PPE during COVID-19 procedures. Once this guideline was published centrally, infection control practices were standardised across NSW hospitals.

This form of District-led policy making is not ‘business as usual’ practice for NSW Health. Policy making processes were somewhat reversed during the early response phases to COVID-19. This flexible policy approach supports the governance arrangements described in the Pandemic Plan, which assigns responsibility for ‘supporting and maintaining quality care across health services and implementing infection control measures as appropriate’ to Local Health Districts.

In non-health emergency situations, clinical policy and protocols are usually initiated and developed by the Ministry and the Clinical Excellence Commission and are subsequently shared across the health system after a quality control process. The localised approach adopted in the months from February to March 2020, allowed for rapid and flexible responses to changing information – to protect the health and safety of the hospital workforce and the wider community.

Hospital staff across NSW would have been better prepared for COVID-19 if pandemic training had been delivered across all Local Health Districts in the past decade

Local Health Districts are responsible for training hospital staff in preparation for public health emergencies. NSW’s policy describing Public Health Emergency Response Preparedness Minimum Standards requires that clinical staff participate in at least one annual emergency training exercise if they hold a position where they are likely to be called upon in an emergency. Staff must participate in an actual response exercise or a relevant training session. The training must also include re-familiarisation with PPE.

Available evidence about emergency response training in NSW indicates that at least two Local Health Districts have delivered pandemic focussed training in the past decade. Our interviews with managers of emergency departments and intensive care units indicates that most other Districts have focused their emergency training on mass patient trauma incidents such as plane crashes, train crashes and terrorist attacks. While the potential for these types of mass trauma events is real, and warrants training and preparation, significant global outbreaks of diseases have also had potential to threaten NSW communities. In previous decades, global health communities have been at risk of diseases such as the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).

In the two Districts where pandemic training was provided in NSW, staff participated in community influenza vaccination exercises. These were focused on upskilling staff to follow emergency command structures, manage high volume patient flows, and organise sanitisation logistics during a hospital-based training exercise.

Our interviews with nurse managers in emergency departments and intensive care units indicate that in the majority of other Local Health Districts, key personnel were unaware of the NSW Pandemic Plan. Interviewed staff also reported insufficient scenario-based training in pandemic responses over the last ten years.

The Ministry, the Clinical Excellence Commission and the Health Education and Training Institute (HETI) are responsible for online training and 'state-wide strategies and resources to maintain high levels of compliance with infection control and patient safety recommendations'. The HETI website contains online training modules in infection control and PPE donning and doffing procedures. Other infection control information and research is available on the websites of the Clinical Excellence Commission and the Agency for Clinical Innovation.

Online training modules are effective for upskilling staff in a range of skills, but are not a substitute for real-time, rapid incident response training. Face-to-face training provides opportunities for first responders to test procedures in hospital environments. Incident response training provides opportunities for staff to assess their levels of compliance with protocols and their competence with equipment in scenario situations. It is the responsibility of Local Health Districts to provide this form of training to the health staff in their District.

Two NSW Health policies that govern clinical arrangements during pandemics are outdated

The Ministry had not updated two policies that had the potential to assist emergency departments and intensive care units in aspects of their ward preparation for the COVID-19 pandemic. Both policies were on the NSW Health website, but neither were shared with hospital staff in the planning phases for the pandemic. Both policies are out of date and have not been revised within required timeframes.

The 2010 Influenza Pandemic - Providing Critical Care policy was due for review in May 2015 and was not updated at the time of the COVID-19 health emergency. Similarly, the 2007 policy Hospital Response to Pandemic Influenza Part 1: Emergency Department Response was due for review in June 2012 and has not been updated.

These policies were designed to assist clinical staff to make necessary ward arrangements for infection control. They set out the steps for rapid identification of contingent workforces, isolation procedures, and management of patient flows to separate those with suspected infection from other patient cohorts. They were a potential addendum to the NSW Pandemic Plan which describes the command and control responsibilities of health agencies in health emergencies.

Our interviews with nurse managers from emergency departments and intensive care units indicate that in the absence of pandemic policy, they sought clinical guidance from external sources and Local Health District experts. Interviewees told us that a lack of policy guidance about ward arrangements and infection control practices in a pandemic increased their workloads and hours of overtime in the early response phases to COVID-19. With the support of Local Health Districts, clinical staff made rapid adjustments in order to respond to changing testing requirements and ward arrangements.

The Ministry was slow to establish a centralised communication channel to communicate with frontline staff

NSW Health’s governance and communication arrangements during a pandemic are set out in the Pandemic Plan. The Plan requires that government agencies ‘commence enhanced arrangements, establish communications measures’ and confirm ‘governance arrangements’ when there is evidence of person to person transmission during an influenza outbreak. NSW Health received the first notifications of the novel coronavirus risks in January 2020.

During the preparation and early response phases to COVID-19, the Ministry and its central agencies were slow in establishing a single, authoritative channel through which to communicate consistent messages to frontline staff. Clinical staff required up-to-date information about COVID-19 testing criteria as requirements were changing rapidly, sometimes daily. While there was no expectation for fixed policy at this time, hospital staff required the latest instructions about treatment requirements, and updates on the numbers of COVID-19 infections in their region.

As information about COVID-19 was evolving, information was communicated across the health system via ‘multiple channels and sources’. While the Ministry and its central agencies communicated extensively with Local Health Districts during March 2020, hospital staff reported to us that they weren’t always sure where they could find the latest advice about testing protocols or infection controls.

Frontline staff told audit office staff that they were checking multiple sources and time-stamping advice to ensure they had the most up to date information on a daily basis. While some Local Health Districts managed clear communication links with frontline staff, nurse managers told us that communication was ‘chaotic’ during the early phases of pandemic preparation. Key personnel were not always available outside business hours and nurse managers advise that they spent hours at the end of shifts, seeking and printing the latest advice for weekend and night shift personnel. By the end of March 2020, the Ministry and the Clinical Excellence Commission websites became better organised to communicate with frontline clinicians.

A recommendation to the Ministry of Health after H1N1 swine flu could be equally applied in the COVID-19 context. The NSW Government’s report: Key Recommendations on Pandemic (H1N1) 2009 Influenza recommended the establishment of ‘clear pathways of communication … so that all employees have confidence in where their information will come from and who they should approach if they need additional information.’

NSW Health acknowledges the challenges and the lessons from the early phases of the COVID-19 pandemic. For example, a strategy released in August 2020, sets out NSW Health’s own recommendation for the future management of PPE including: ‘Aligning a single source of truth for PPE education and evidence-based guidance to ensure clarity of information on appropriate use, supported by an influential network of Infection Prevention and Control (IPC) practitioners at the forefront.

Ministry executives advise that communication with health staff has improved since the early phases of the pandemic. The Ministry now sends weekly COVID-19 updates to over 130,000 health staff via email. In addition, NSW Health now has two COVID-19 tabs on its website with current information, including COVID-19 testing advice. According to Ministry executives, these communication channels could be used or replicated if needed for future health emergencies. The Ministry also provides health information and updates via a phone application called Med App. This App is preferred by doctors and is less likely to be used by nurses. As at October 2020, there are 13,000 users of Med App. Push notifications can be made on Med App through SMS alerts.

Personal protective equipment (PPE) was not always available in required sizes and some hospital masks and gowns were substituted with products that differed from the usual items

Since the emergence of COVID-19 in Australia, all clinicians in NSW hospitals have had access to some form of PPE for their clinical requirements. If staff did not have appropriate equipment for each COVID-19 related procedure, they were guided by the formal advice issued to the NSW Health workforce on 11 March 2020 stating that: ‘The safety of NSW Health staff is a priority at all times, especially during COVID-19. Where safe working practices confirm specific PPE (e.g. face shields/masks or other equipment) are required for the protection of staff due to COVID-19, in all circumstances:

• staff are to wear prescribed PPE as instructed
• staff are not to undertake or be required to undertake tasks requiring PPE if the PPE is not available for use. Any such tasks are not to proceed until required PPE is available
• any staff member who is concerned about their safety must raise their concerns immediately to their manager.’

At periods during March and April 2020, some PPE items were not available in the required sizes or the regular brands to which staff were accustomed. HealthShare NSW was not able to source PPE from usual suppliers. HealthShare NSW sourced PPE including N95 masks from non-traditional suppliers. Some PPE items differed in shape and size from the usual hospital equipment. While senior executives from HealthShare NSW advise that all products were approved by the Therapeutic Goods Administration (TGA), in some hospitals, nurse managers advise that staff were not able to ‘fit test’ substituted masks. Fit testing determines the type and the size of the respirator mask that achieves an adequate seal on an individual’s face.

In March and April 2020, ‘duck bill’ (N95) masks were not available in some hospitals. According to stock managers and clinical managers in Local Health Districts, duck bills are the preferred mask for staff with smaller faces, particularly female staff members. The duck bill mask is a standard PPE product, and as such, is fit tested during mandatory PPE training. During the early response phases to COVID-19, most Local Health Districts were provided with substitute N95 masks. Fit testing of the substituted N95 masks was not able to be conducted in all NSW hospitals during the early phases of COVID-19. During the first wave of COVID-19 in March and April 2020, hospital staff told audit staff that there was no time and a lack of equipment to appropriately fit test substituted N95 masks.

Nurse managers in emergency departments advise that in some instances, staff made adaptations to PPE to improve protections, such as doubling masks, adding elastics or bringing their own equipment. These adaptations were not consistent with guidelines. Nurse managers advise that in some cases, adaptations to PPE or ill-fitting masks created pressure sores and contact dermatitis. Just over half of the stock managers of Local Health Districts advised that PPE stock was procured from outside the HealthShare NSW system. Stock managers in some Districts advise that facial shields and goggles sourced from non-traditional suppliers by HealthShare NSW were of a lesser quality than standard equipment. Stock managers and nurse managers reported that the changes in PPE products caused confusion and stress amongst staff.

Local Health Districts were proactive in assisting hospital staff to mitigate risks of COVID-19 infections. Some Local Health Districts assigned ‘tiger teams’ to assist staff with their PPE practices. Tiger teams provide clinical expertise and advice to staff, answer questions about infection control and provide training on PPE practice in hospital ward environments. They assist and support PPE donning and doffing practices to ensure the appropriate sequencing of applying and removing PPE for effective infection control. They provide mask fit checking guidance to assist staff in correct PPE practices.

Districts ran extensive refresher PPE training sessions for clinical staff. Some hospitals ran regular PPE demonstrations so that staff could observe correct PPE procedures at set times during the day. These activities assisted staff to implement appropriate infection control in the period before the Clinical Excellence Commission’s web-based materials and videos became available in late March and early April 2020. These online resources now provide comprehensive guidance to hospital staff in PPE practices.

HealthShare NSW placed limits or caps on some high-demand PPE items that were too low to meet requirements in some Local Health Districts and had to be adjusted to meet actual demand

The NSW Pandemic Plan describes the responsibilities of the Ministry and its central agencies to manage and maintain the State Medical Stockpile of essential PPE supplies and antiviral medications. During a pandemic, HealthShare NSW has responsibility for warehousing, monitoring and distributing health supplies to the health workforce.

Due to a reported global shortage of PPE and limits to the NSW stockpile, HealthShare NSW placed limits on the provision of approximately 100 high-demand items to NSW hospitals. HealthShare NSW advise that the PPE order capping ceilings were implemented ‘to ensure local stockpiling does not occur’. A centralised ordering process was established with Local Health Districts so that PPE product ordering occurred through single hospital locations (214 across the State), rather than at the ward level. Escalation processes were established to allow Districts to request one-off increases to supply, and a process was set up to permanently increase the order cap limit for any PPE item by facility.

According to HealthShare NSW, ‘as incoming central supply has improved, order caps have subsequently increased in line with strong engagement and governance with the Local Health Districts to ensure the appropriate levels of supply are provided’. The original capped levels were determined by assessing PPE usage in wards during the flu season of 2019. As the flu season case numbers of 2019 were relatively low, some Local Health District managers advised that the levels of PPE during 2019 were not comparable to the level of PPE required for the COVID-19 pandemic.

After advocacy from hospital stock managers and clinicians, HealthShare NSW increased capped PPE levels in many Local Health Districts.

Executive members of the State Health Emergency Operations Centre (SHEOC) advise that its PPE supply strategy needs to be carefully developed as there are vast differences in PPE usage rates during 'business as usual' periods and pandemic periods. If NSW Health kept the level of PPE required in planning for a worst-case scenario, this would equate to an extensive surplus of PPE that could not be utilised during business as usual periods. The SHEOC Executive advise that it is not feasible or economical to store this level of PPE. They advise that given the costs of PPE, and the fact that the products have a shelf life, a diversified supply line is a more reliable method for ensuring PPE during surge and non-surge periods.

Early data modelling showed ICU patient numbers at levels not manageable with levels of ventilators and equipment

Early projections of patient numbers requiring acute care for COVID-19, were at levels that would not have been manageable with the equipment and resources of NSW hospitals. Throughout March through to May 2020, government data modelling indicated significant surges of community infections and surges in intensive care patients.

Early estimates were based on overseas trends, and if actual cases had matched projections, NSW hospitals would not have had sufficient ventilators to meet demand. The knowledge of this shortfall caused high levels of anxiety among nursing and medical staff.

While the data was based on the best available information, it had negative implications for the health and safety of the nurse and junior doctor workforce. Managers of intensive care wards and emergency departments reported stress amongst the workforce. Staff concerns were primarily about being faced with ‘the unmanageable’, along with heightened fears about contracting the virus with the knowledge that there was insufficient equipment to treat acute patients.

As it transpired, overall numbers of COVID-19 infections were lower than projected during the early months of the pandemic. The lower infection rates in the general population have meant fewer instances of patients requiring intensive care in NSW hospitals. In addition, HealthShare NSW has been able to increase the numbers of ventilators in NSW hospitals to prepare for future surges in patients requiring acute respiratory care.

SHEOC Executive advise that NSW Health undertook an accelerated procurement strategy in early 2020 to increase its stock of ventilators, and that ventilator capacity has always far-exceeded actual requirements.

NSW Health has developed a strategy to improve the management of PPE for the NSW health workforce

In August 2020, NSW Health released a strategy that sets out its future management and planning approaches to the provision of PPE for the NSW Health workforce. NSW Health’s Personal Protective Equipment (PPE) Strategy describes the learnings and challenges during the COVID-19 pandemic in sourcing and distributing PPE. It sets out the systems and methods for distributing PPE to staff and patients and focuses on how staff are kept informed on the appropriate use of PPE at all times. A supporting communications strategy has been developed to support its implementation.

The strategy contains enhanced transparency measures to regularly inform staff about PPE stock levels and to provide data about PPE usage rates by item types in wards in NSW hospitals. The NSW Health PPE strategy describes a changed approach to ordering, storing and allocating PPE. This includes diversifying the supply lines for PPE products to increase supply options in circumstances where supply lines become disrupted. It includes a centralised system for coordinating the supply of hospital PPE through Local Heath District coordination points and centralised distribution points in large hospitals.

Our interviews with hospital PPE stock managers and nurse managers indicate that staff find the new ordering system to be an improvement upon the previous stock ordering method.

According to the Personal Protective Equipment (PPE) Strategy, NSW health is upgrading its models for monitoring and benchmarking PPE usage across the health system. Systems are being improved for forecasting demand volumes during business as usual periods and during health emergency surges.

Appendix one – Response from agency

Appendix two – Audit methodology

Appendix three – About the audit 

Appendix four – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #344 - released 9 December 2020