About this report 

The land titles registry is a collection of registers established under the Real Property Act 1900 and related legislation. It is the source of truth for land and property ownership in NSW and underpins significant economic activity.

The registry is owned by the NSW Government. From 1 July 2017, a private operator has operated and maintained the registry under a 35-year concession granted by the NSW Government.

The Office of the Registrar General is the regulator of the private operator’s activity under the concession. It is a business unit in the Department of Customer Service.

This audit examined the effectiveness of the regulator in overseeing and monitoring the operation and maintenance of the registry to ensure its integrity and security.

Conclusion

The Office of the Registrar General has implemented an effective system and supporting processes to oversee and monitor the integrity and security of the land titles registry.

However, the audit found opportunities for the Office of the Registrar General to improve how it conducts its regulatory functions.

Recommendations

The audit recommended that the Office of the Registrar General should:

1. develop and publish its approach to exercising its regulatory functions and powers
2. publish a regulatory charter to ensure greater regulatory transparency
3. review the skills and capabilities required to regulate the land titles registry
4. ensure greater clarity on the rights to use data, and the application of privacy legislation
5. ensure compliance with the NSW Cyber Security Policy, including the requirements relating to third parties
6. perform an audit of the subscriber compliance process.

The land titles registry is a collection of registers that record property-related information

The registers collectively referred to in this report as the ‘land titles registry’ include the:

• Torrens Title Register – the primary register for land held in NSW under the Real Property Act 1900
• Register of Plans – comprises plans, that is a representation of a property’s boundary, submitted for registration by registered surveyors
• General Register of Deeds – established under the Registration of Deeds Act 1825, this was the first land register in NSW recording deeds in the system used prior to the introduction of the Torrens Title System, and includes the register of Causes Writs and Orders, Bills of Sale, Register of Resumptions, Powers of Attorney and other miscellaneous deeds
• Central Register of Restrictions – where participating organisations maintain up to date information about possible, or actual, interests they hold against NSW properties (for example for heritage or infrastructure reasons).

The 35-year concession for a private company to operate and maintain the land titles registry

In April 2017, the NSW Government granted a 35-year concession² to a private operator to operate and maintain the titling and registry services business area of NSW Land and Property Information (LPI). The private operator paid the State $2.6 billion for the concession, as well as committed to pay $8 million (indexed) annually in consideration for the ORG to perform the regulatory and enabling functions contemplated by the concession deed.

The private operator has the right to generate revenue by selling land information products and services, including through search and subscription fees, as well as by charging administrative fees, such as for registering land titles and other transactions. Each year, the operator facilitates over four million searches on titles and images, records 900,000 updates to land title records and creates 50,000 new titles.

NSW Treasury managed the bidding process for the concession and prepared the enabling legislation, the Land and Property Information NSW (Authorised Transaction) Act 2016. The concession deed was executed between the Minister for Finance, the Registrar General and the successful bidder.

The successful bidder was Australian Registry Investments (ARI), which in turn established NSW Land Registry Services (NSW LRS or ‘the private operator’) as a private, single purpose company to operate and maintain the land titles registry. ARI is a consortium of institutional investors and superannuation funds, which at the time of this audit included Aware Super, Macquarie Infrastructure Fund and UTA Registry Investments Trust.

The NSW Government retains ownership of the land titles registry, including the information it contains.

The land titles registry is a critical information asset for NSW as it is the basis of private ownership of property, which in turn supports property-related economic activity. In 2016, it was estimated that the land titles system underpinned over $130 billion dollars of economic activity in NSW each year. As of 2023, the total value of land in NSW was approximately $2.8 trillion.

The land titles registry is a ‘crown jewel’ IT asset under the NSW Government Cyber Security Policy. The land and titling information maintained by the private operator is provided to other government departments and agencies, such as Revenue NSW, Spatial Services and the Valuer General.

A key assurance provided by the NSW Government when granting the concession was that the ORG would be responsible for the regulation of the performance of the private operator under the concession deed. The ORG is a business unit in the Fair Trading and Regulatory Services division of the Department of Customer Service (‘the department’). The Registrar General is a statutory position and has a range of responsibilities, including under the Real Property Act 1900. The establishment of an ‘office’ to support the Registrar General accompanied the granting of the concession in 2017.

The ORG is not a separate auditable entity under the Government Sector Audit Act 1983. As such, the auditee for this performance audit is formally the Department of Customer Service.

NSW Treasury is also an auditee as it managed the scoping study, bidding process, legislation development process and the development of the concession arrangements. NSW Treasury does not have an ongoing role in the routine oversight and monitoring of the land titles registry. The audit has made no recommendations for NSW Treasury and the agency has elected not to provide a formal response to the audit.

Objectives of the concession

The concession deed includes a statement of the Government’s objectives for the concession. These objectives include achieving the following:

a) maintaining the security, integrity, performance and availability of the registers, core assets and core services

b) ensuring the registers are accurate and up-to-date, including that they accurately reflect all registered documents, plans and other matters that are required to be recorded in them

c) maintaining the confidence of the affected parties and the NSW public in the registers and the core services

d) promoting improvements, innovation and increased efficiency, and utilising greater expertise and investment in technology, in the delivery of the core services

e) minimising Torrens Assurance Fund Payments and

f) protecting current competition and the opportunities for future competition in the supply of downstream services by ensuring fair, transparent, predictable and non-discriminatory dealing by the operator with customers and prospective customers.

The deed also includes the private operator’s acknowledgment and agreement that its achievement of these objectives is of critical importance to NSW.

Regulation of the land titles system, including under the concession deed

The ORG has described its role as ‘... a regulator, advisor and litigator, working to ensure the integrity of NSW’s land title system’. While the ORG directly regulates the private operator of the land titles registry under the concession deed (as well as in accordance with any applicable legislation and delegations made by the Registrar General), the system of land titles is a complex one, with many different participants. These participants include:

• ELNOs – which provide the means for transacting parties to collaborate electronically on the preparation of registry instruments; there are currently two ELNOs operating in NSW, although PEXA is by far the dominant market participant compared to its competitor, Sympli
• subscribers – a person or business authorised to complete electronic conveyancing transactions using an ELNO, such as financial institutions, solicitors and licensed conveyancers
• government agencies – selected NSW government agencies and local governments are authorised to obtain information from the system, including Revenue NSW, Valuation NSW, the Surveyor General and local councils
• registered surveyors – who are responsible for conducting survey plans of property boundaries and lodging those plans for registration with the private operator
• information brokers – there are 12 wholesale information brokers with which the private operator has entered into agreements under the concession deed to provide access to NSW titling information held by the private operator
• users of the Central Register of Restrictions – including selected NSW government agencies and non-government entities, such as utility companies providing electricity, water and gas and the Commonwealth Department of Defence.

The data flows within the system are complex and interdependent. Many of the participants are critical to maintaining the integrity and security of the land titles registry. Each class of participant has different governance arrangements and controls for their participation. As shown in Figure 1, the ORG regulates and oversees, to varying degrees, this system of multi-layered rules, relationships and arrangements, with the concession deed between the NSW Government and private operator being at the core of the system.

In granting the concession, the government committed to a ‘robust regulatory regime’ and a ‘tight regulatory framework’ overseen by a ‘strong regulator’

In granting the 35-year concession to the private operator, the NSW Government committed to ensuring that the monopoly functions of providing titling and registry services would be ‘appropriately regulated’.

In commencing the process of granting the concession, the NSW Government set out what it described as a ‘robust regulatory regime’ that would apply to the concession. Of particular relevance to this audit, the government also established that:

• the Registrar General would monitor and enforce the operator’s compliance with regulatory requirements, including the terms of the concession deed
• the Registrar General would have a general power to direct the private operator to perform tasks ‘… in the public interest’.

In the September 2016 second reading speech accompanying the passage of the enabling legislation for the concession through NSW Parliament, the then Treasurer further highlighted that:

• the service standards defined in the concession would include ‘… a penalty regime should the private operator fail to comply’
• the Registrar General would have regulatory oversight of ensuring that the private operator adopted ‘appropriate data security and fraud detection practices’.

The second reading speech also highlighted the role of the Registrar General in overseeing how other participants in the land titling and registry system should perform. This included approving the standard terms on which the concession holder is to deal with its wholesale customers and intermediaries (including ‘subscribers’ to the operator’s services, such as banks, conveyancers and solicitors).

In January 2017, the then Registrar General explained his view that the arrangements for the concession would ensure that the ORG would be able to provide an ‘… independent, credible, stable and well mandated regulatory framework [that] will give confidence to customers and the business itself’. He further explained that:

On 6 April 2017, the then Registrar General further said that his office would follow a ‘modern regulatory approach’, which would include a ‘… focus on material things – where an operator’s actions are not in the spirit of the deed’s objectives’. The audit did not find evidence of how the ORG assesses deviation from the ‘spirit of the deed’s objectives’.

On 12 April 2017, the Premier and the Treasurer jointly announced the successful bidder for the concession. In doing so, their media release drew attention to the:

• ‘tight regulatory framework’
• ‘rigorous legislative and contractual safeguards around the concession to ensure the continued security of property rights and data’
• establishment of a ‘… new external regulator – the Registrar General – to enforce [the operator’s] performance during the concession, with power to monitor and audit performance, and even resume control of the LPI business if required’.

The Registrar General was not a newly established statutory position, although the role was provided with new regulatory functions and powers under the concession deed.

The task of overseeing and monitoring a private company operating and maintaining a monopoly service that uses government-owned systems (and where title is government-guaranteed) poses new and complex challenges for a regulator like the ORG, which previously performed stable and mature administrative and regulatory functions.

The ORG has made only limited use of the compliance and enforcement tools available to it under the concession deed

Seven years into the concession, the ORG is still in the relatively formative stages of settling its approach to the use of its regulatory powers under the concession deed.

The ORG has an experienced and highly qualified workforce, with substantial capability in areas such as property law, as well as a directorate focused on cadastral integrity. It has substantial capacity to administer its longstanding and relatively wide-ranging pre-concession responsibilities. This includes actioning matters under the Torrens Assurance Fund, conducting compliance audits of property plans prepared by registered surveyors and providing advice to government on relevant policy and reform.

In comparison to these longstanding, well-organised and well-understood responsibilities outlined above, the ORG is still forming its approach to exercising the full spectrum of its compliance and enforcement powers under the regulator–operator model. In some instances, this has limited its effectiveness in resolving regulatory issues raised later in this report.

The ORG has eight regulatory compliance and enforcement options available to it under the concession deed and the enabling legislation. The options are listed below, ranked according to their seriousness and frequency, with step-in and termination powers being both the most serious and least likely option to be applied:

• raise issues at governance forums
• informal letters escalating to formal letters
• approvals with conditions attached
• audit and review powers
• financial penalties for breach of service levels
• reserve power directions
• corrective action plans
• step-in and termination powers.

These options can be specific to circumstances and not all are available for all matters. For example, the ORG does have not a broad-based power to issue financial penalties for performance gaps except where specified in the concession deed.

Since the commencement of the concession, most issues with the private operator’s performance have been addressed without escalation beyond the exchange of formal letters. However, this approach has not always led to adequate or timely resolution.

A number of longstanding issues have been raised by the ORG regarding plan examination and subscriber compliance audits, as set out in section 5 of this report. Despite their significant importance to the integrity of the land titles registry and the potential for errors with financial and personal impacts on customers, these matters have not generally been escalated beyond discussions or letters.

The ORG does not have a formalised approach to how it will routinely and effectively exercise its compliance and enforcement functions and powers

The audit assessed whether the ORG has a clear statement of its regulatory posture or its approach to regulation on which to base its regulatory decision making. In its ‘Regulation insights’ report (March 2024), the Audit Office of NSW highlighted that regulators need clear escalation thresholds and enforcement policies to promote credible and proportionate regulatory actions. The concession deed sets out that the materiality of service level breaches is determined based on the operator’s culpability, the impact on the customer and whether the breach has occurred previously.

The ORG lacks a clear approach to how it would effectively exercise the regulatory tools available to it under the concession, such as:

• requiring ad hoc reports that are prepared in a timely manner and to an adequate standard
• issuing penalties for non-compliance
• conducting its own audits
• conducting a major review of the concession (the prospect of which was raised by the ORG with the private operator in 2022 but has not proceeded).

This is despite assurances (as described earlier) from the NSW Government at the commencement of the concession that these tools would be available and used by the regulator.

In September 2023, the ORG developed an initial approach to the use of concession deed levers to provide a ‘practical and proportionate approach’ to exercising its monitoring and oversight functions for the concession. However, neither these principles, nor any alternative, have been drawn upon to inform a codified regulatory or enforcement policy. The ORG advised that it is developing an approach to escalating matters through the hierarchy of available regulatory and enforcement tools.

The ORG is spending less on its regulatory functions than the fee paid by the private operator to support those functions

Under the concession, the private operator provides an annual indexed fee to fund the services delivered by the regulator. The concession deed says that this fee is paid ‘… in consideration for the [Registrar General] performing the regulatory and enabling functions contemplated by this Deed’.

In 2017–18, $8 million was allocated in the NSW Budget ‘… to be spent on regulating the operator of the NSW land title and registry system, ensuring its security and stability while enhancing service levels’.

In 2023–24, the department requested from NSW Treasury a budget of $8.26 million for the ORG, ($260,000 more than the 2017–18 allocation). This was also around 25% less than the mandatory fee paid by the private operator under the concession deed, which was $10.49 million. The balance of the fee paid by the private operator is retained by the NSW Government in the Consolidated Fund for general purposes.

The ORG undertakes a range of policy and reform projects that it tracks separately from its ‘business as usual’ activities. Not all these projects were envisaged when the concession was granted. For example, the interoperability project to support the introduction of national competition in the electronic lodgment network (ELN) is a substantial and complex national reform that has been led by the ORG on behalf of NSW.

NSW’s contribution to this project-based work is undertaken effectively within the same budget parameters and staffing as established when the concession was granted. At the time of the audit, the ORG’s project workplan includes 32 distinct projects, with one additional recent project being reclassified as ‘business as usual’ and two previous projects put on hold. The project plan includes activities relating to significant government reforms such as interoperability and digital survey plans reform, as well as matters that are regulatory in nature or which support regulatory priorities.

The audit heard from some stakeholders that the ORG’s focus on project-based work, including government reform initiatives, risks reducing resources available for its functions to monitor and oversee participants in the land titles registry system to the degree anticipated by government when the concession was granted.

As discussed in sections 6 and 9 of this report, this audit found that the ORG has capability and capacity gaps in specialist skills, particularly in strategic IT and regulatory policy and implementation. It is beyond the scope of this audit to consider whether these gaps could be addressed within the existing funding or whether the ORG required a revised budget that more closely aligns with the fee paid by the private operator.

The complexity of the land titles system limits the extent to which the ORG can oversee potential integrity and security risks on a whole of system basis

The ORG has varying approaches, powers and functions to regulate different participants in the land titles system, the complexity of which is increased by various third-party users and reseller arrangements that apply to land titles data. As discussed later, this complexity limits the ORG’s direct monitoring and oversight of potential risks or non-performance by system participants other than the private operator.

Table 1 provides further information on the regulatory arrangements for stakeholders accessing and informing the land titles registry.

Source: Audit Office analysis.

The ORG does not have a longer-term strategic plan for proactive compliance activities

Since December 2018, the ORG has issued the private operator an annual letter setting out ‘joint priorities’ for the forward year. While each letter is signed and issued by the Registrar General, the private operator has the opportunity to comment on proposed ‘joint’ priorities.

The annual priority letters are not issued under the terms of the concession deed and are statements of the regulator’s expectations, rather than binding obligations on the operator. The priorities are derived primarily from internal staff consultation, but also consider external stakeholders, existing or emerging reform topics, and progress achieved in meeting previous priorities. While the letters set out annual priorities, they are also intended to ‘… track progress on long-term objectives’.

These annual priority letters are effective in demonstrating a considered approach to articulating the regulator’s expectations of the private operator for that period. The ORG sets out specific ‘success measures’ (usually in the form of milestone progress or completion dates) for how priorities will be assessed.

The priorities set out in the annual letters are subsequently discussed and tracked at various governance meetings, as required under the concession deed. However, there have been few consequences if the private operator does not meet its priorities. Over the course of the concession, a number of reoccurring priorities point to intractable issues, about which the ORG has been dissatisfied. This has included matters that go directly to the integrity of the registers, such as the examination of submitted plans and subscriber compliance (particularly as assessed by the subscriber compliance examination process).

Until recently, the ORG did not include its own annual priorities in these letters. Rather, yearly priority letters to the private operator referenced government or joint priorities. In comparison, the most recent priority letter for 2025 provided a clearer articulation of the rationale between the annual priorities and the intended outcomes of the concession deed. The audit did not source evidence that the ORG set longer-term or strategic priorities for how it will proactively exercise its regulatory functions, such as a forward program of compliance activity, ad hoc reviews or audits.

The ORG ensures that the private operator meets its obligations to provide service level performance reporting

The concession deed provides for extensive performance reporting by the private operator against defined service levels or KPIs. While government statements at the commencement of the concession suggested there were 55 KPIs, this is inaccurate as it includes numerous sub-measures. Currently, 14 service level KPIs are reported quarterly on the ORG’s website. The publishing of service level performance has been explained by the ORG as bringing ‘… a new level of transparency to the NSW’s land titles registry’ to better hold to account the private operator and be a feature of the new regulator–operator model.

The private operator exceeded all published services for each of 24 consecutive quarters from the start of the concession until January–March 2024. This may suggest that the existing published service levels are not sufficiently challenging to support continuous improvement in the future. In addition, as discussed below, not all service level KPIs are published.

The ORG has proposed a review of service levels to identify those no longer relevant. This considers the substantial reforms to the land titles registry system have occurred since the concession commenced, including the move to 100% electronic conveyancing. Stakeholders also expressed a view to the audit that the existing published service levels are too focused on time measures, and do not sufficiently address quality and client satisfaction. It was also understood between the regulator and private operator early in the concession that ‘… as we move forward, customer behaviour will change, along with what is important to customers’.

The ORG has granted penalty relief for service level breaches, although there has been no public transparency about these decisions

There have been instances where the ORG has elected not to issue financial penalties where the private operator breached required service levels. While this discretion is a matter for the regulator to exercise, public transparency is lacking as to the underlying breach or the penalty decision. Service levels not achieved are not included among those published on the ORG’s website.

For example, from October 2020 to September 2023, the ORG granted penalty relief for 33 breaches of the private operator’s obligation to ensure specific data feeds to NSW Government agencies and local councils occurred within specified timeframes.³ A series of data feed failures in a legacy IT system was the catalyst for the private operator’s failure to meet the service level. The audit notes that the private operator’s interpretation of the relevant service level varied from the ORG’s interpretation, and suggested a smaller number of breaches than the 33 assessed by the regulator.

This penalty relief was initially granted in October 2020, then extended in May 2022 until September 2023. The ORG granted the penalty relief:

• in recognition of the private operator’s commitment to upgrade the legacy IT system causing the data feed failures
• because the ORG considered the impact on affected customers to be negligible.

As early as December 2019, the ORG had identified to the private operator that upgrading the legacy IT system was a priority. In August 2020, the ORG described the upgrade as ‘… critical to ensure accurate and complete data is provided to customers’ and asked the private operator to ensure that it is completed ‘… without further delay’.

The ORG did not extend its penalty relief beyond 30 September 2023. No breaches were reported to have occurred after this time. The upgrade to the legacy IT system is expected to be completed no earlier than January 2025.

The service level that was not met on up to 33 occasions is not included among the 14 service levels reported publicly on the ORG’s website. There was no public transparency about the operator’s non-compliance, or the ORG’s decision to provide penalty relief to the operator. The ORG did not publish a notice that it had afforded penalty relief to the operator, nor was this mentioned in the department’s annual report. The ORG’s view is that publication of these service level breaches was not required as they only affected government agencies.

This audit has not assessed the merits of the ORG’s evaluation of the service level breaches or its decision to extend penalty relief for non-compliance. The concession deed allows the ORG to make these types of decisions. However, when the concession commenced, the NSW Government stated that a consumer benefit of the concession would be ‘increased transparency’ due to the regulator being able to:

Prior to the concession, it was already the Registrar General’s practice to publish statistics about claims and payments under the Torrens Assurance Fund in the department’s annual reports. Since the concession, the only opportunity for increased transparency is through reporting on service levels and breaches, including about how the ORG responds to breaches, such as by extending penalty relief over extended periods of time.

When the concession commenced, the NSW Government also highlighted that, as the regulator, the ORG would have a range of regulatory options including ‘… a penalty regime should the private operator fail to comply’. The community and stakeholders were not told that the ORG could choose to waive penalties in response to breaches. Nor were the community and stakeholders told the circumstances in which such relief might be extended. This underscores the importance of the ORG being publicly transparent when it makes these decisions, including to explain their justification, so as to ensure that community trust and confidence in the regulator is maintained.

The ORG’s monitoring and oversight of how the private operator manages legacy IT systems is discussed further in section 6.

The detailed terms of the concession are not publicly available and there is a statutory presumption against their disclosure under the Government Information (Public Access) Act 2009

Much of the substantive detail about the regulatory requirements for granting the concession is contained in the concession deed document that was executed between the NSW Government and the private operator. This document is not public. Moreover, the enabling legislation for the concession included an amendment to the Government Information (Public Access) Act 2009. This amendment established that it is to be conclusively presumed that there is an overriding public interest against disclosure of information contained in any document ‒ including the concession deed ‒ prepared for the purposes of, or in connection with, the authorised transaction unless approved by the NSW Treasurer. NSW Treasury was not able to provide an explicit reason why this provision was included in the enabling legislation, other than to note that a similar provision was included in the 2015 electricity network transaction enabling legislation.

Key elements of the concession deed were modelled on the arrangements for the franchising of the Sydney ferries service, including:

• the model for service levels and penalties
• the transfer of administrative powers and functions to the operator
• the approach of adopting minimalist legislation supported by a detailed contract.

This framework is also similar to that adopted for the Greater Sydney Bus Contract. Both contracts (ferries and buses) are publicly available on Transport for NSW’s website (with redactions where necessary to maintain commercial confidentiality).

During consultation on the enabling legislation for the concession, external stakeholders noted that the delegation of key provisions to a confidential document detracts from promoting transparency and community confidence in the regulatory arrangements for the concession.

The ORG has not published a ‘regulatory charter’ as provided for under the concession deed

Clause 29.1(b) of the concession deed provides that the ORG may publish a ‘regulatory charter’ that contains:

• the division of responsibilities between the ORG and the private operator
• ring fencing and non-discrimination requirements
• dispute resolution processes
• the ORG’s rights in relation to reserve power directions
• the ‘customer terms’
• obligations in respect of ELNOs
• complaint handling arrangements.

The ORG has not published a regulatory charter, although some of the content envisaged by clause 29.1(b) is available across the ORG’s website. For example, the ORG’s website provides information about how individuals may apply to have a decision of the private operator reviewed by the ORG.

The ORG reviews an annual customer satisfaction survey conducted by the private operator, which has reported increased rates of satisfaction over the term of the concession

Regarding other measures of performance, the concession deed requires the private operator to conduct an annual customer satisfaction survey. The private operator has reported to the ORG improved levels of customer satisfaction with its services. While the audit has not assessed the survey data, the private operator has reported in its most recent survey that 71% of respondents were satisfied, up from around 50% at the start of the concession. Over the duration of the concession to date, these surveys have been run both internally by the private operator, and more recently by an external survey provider commissioned by the operator.

The private operator is also required to submit at regular intervals (annually or up to 18 months) updates to its technology roadmap and business plan. These documents are assessed by relevant subject matter experts within the ORG or the wider department and feedback is provided to the private operator on their adequacy. For example, a range of annual reporting requirements for FY23 relating to fraud and crime prevention, error reports, business continuity and incident management, and the technology roadmap were provided to Department of Customer Service IT for review.

The ORG has implemented an effective governance structure to support its regulation of the land titles registry system

The ORG has implemented a series of forums with the private operator to discuss strategic and operational matters. As required by the concession deed, these are:

• a Joint Consultation Committee (JCC)
• an Operations and Performance Committee (OPC)
• an Information Technology sub-committee (ITC).

The concession deed specifies that this governance framework is intended to:

• guide and monitor the performance of the concession
• oversee compliance with specified service levels
• resolve issues as required
• establish a framework to maintain an effective relationship between key personnel of the ORG and the operator.

These committees have clear terms of reference, which have been subject to review. The ORG has demonstrated, through meeting papers and minutes, that these committees meet regularly, consider substantive matters as envisaged by the concession deed, and are effectively administered and recorded.

The ORG has also established a stakeholder forum that includes senior representatives of key stakeholder groups. This forum is intended to foster multilateral communication between the regulator, operator and stakeholders. Some stakeholders expressed the view to the audit that the focus of this forum has evolved to facilitate feedback and updates from the regulator and operator, rather than provide opportunities for industry stakeholders to ask questions or raise issues. Notwithstanding, the ORG did provide evidence that issues raised by stakeholders at this forum were subsequently escalated to JCC or OPC meetings.

The ORG also has a series of bilateral regular engagements with key stakeholders, as well as specialist or project based working groups with the private operator and other system participants.

The ORG appropriately manages potential conflicts of interest

The ORG has recognised that the separation of the former Land and Property Information unit of the Department of Customer Service into separate regulator and operator entities meant that staff working in each entity may have close pre-existing professional and personal relationships. This heightens the need to identify and manage potential conflicts of interest to ensure credible and transparent regulation.

The ORG manages conflicts of interest by following applicable department policies. The audit reviewed conflict of interest declarations made by all ORG managers at NSW public service clerk levels 11/12 and above for the past three years. The audit found that declarations had been submitted and any conflicts addressed.
 

³ The breaches were of the ‘Core Data for Government Agencies Service Level’, which measures the number and availability of Core Data supplied to certain Government agencies that the operator successfully provides within required timeframes and hours of availability.

The land titles registry system is multi-party, with different powers and tools available to the ORG for each party. In summary, the ORG can address non-performance to varying degrees over:

• the private operator, through the multi-tiered framework described under section one of this report
• the ELNOs, which may be subject to suspension or termination (neither of which are practical options if the system is to function), as well as compliance examinations, remedial directions and application to the NSW Supreme Court for financial penalties
• authorised subscribers, who may have their access to the ELN suspended or cancelled (this regime is currently under review to broaden the Registrar General’s enforcement options)
• registered surveyors, who may be referred to the Board of Surveying and Spatial Information (BOSSI) for professional disciplinary action.

The number of claims and the total annual payments under the Torrens Assurance Fund have declined since 2014–15

The Torrens Assurance Fund (TAF) is a statutory compensation scheme designed to compensate people who, through no fault of their own, suffer loss or damage as a result of the operation of the Real Property Act 1900. This loss or damage can be a result of an error, misdescription or omission in the register. When granting the concession to the private operator, the government gave the assurance that the TAF would continue to operate and be administered by the ORG. The ORG has a longstanding function to receive and determine claims made under the TAF.

Relative to the number and value of matters addressed by the land titles system, the number of claims and total payments paid under the TAF is relatively small. As shown in Figure 2, between 2014–15 and 2022–23, the number of claims varied between seven and 40, while the payments paid under the TAF varied between $93,032.21 and $3,168,143.

This audit has focused on two primary processes when considering how the ORG obtains reasonable assurance about the quality of information held on the registers maintained by the private operator. These are:

• the examination and registration of plans by the private operator
• the registration of dealings by the private operator.

The concession deed requires that the private operator, in undertaking these functions, must, among other things, act in good faith, as well as act reasonably and on reasonable grounds. In each case, plans and documents must be entered promptly and accurately onto the relevant register.

These two processes and their role in supporting the integrity of the land titles registry are discussed in turn below.

The land titles registry is one of the department’s IT ‘crown jewels’

As the principal department for the ORG, the Department of Customer Service has identified the IT system supporting the land titles registry as a ‘crown jewel’ under the NSW Government Cyber Security Policy. Classification as a crown jewel provides the land titles registry with priority within the department when investment, fixes, patching and resource allocation are considered.

The ORG receives dedicated cyber security support from the department’s Office of the Chief Information Security Officer in the form of an identified business support officer. During the audit there did not appear to be a similar dedicated resource from the department’s general ICT division. The ORG has stated that the lack of dedicated support in this area risks that ‘institutional technology expertise is not built up or retained within Government to effectively monitor the [operator’s] management of this asset’.

However, from October 2024, DCS ICT has provided the ORG with a dedicated business partner who attends monthly meetings to discuss ICT matters and attends ICT Committee meetings on an as-needed basis.

While the IT system supporting the land titles registry is a critical IT asset, it is unclear how roles and responsibility are assigned for ensuring compliance with the NSW Government Cyber Security Policy

The NSW Cyber Security Policy provides guidance and mandatory requirements for agencies relating to cyber security. The ORG could not clarify whether it, or the department more widely, is responsible for ensuring compliance with the NSW Cyber Security Policy, as well as the role expected by the private operator. This creates a potential risk that protections contained in the policy will not be extended to the land titles registry and that there may be gaps in accountability.

The 2023–24 version of the policy contains three requirements relating specifically to crown jewels:

• agencies to identify and document external upstream and downstream dependencies of enterprise ICT (including cloud), operational technology and Internet of Things assets (specific requirement 1.6.4)
• agencies must assess and identify crown jewels and classify systems (mandatory requirement 1.7)
• agencies must conduct periodic reconciliation of data assets against data retention requirements (specific requirement 1.8.2).

The department appears to have complied with mandatory requirement 1.7, in that it has identified the land titles registry as a crown jewel. However, it explained that it did not have visibility or control over the upstream and downstream systems used by the private operator. Accordingly, to the extent that it may be responsible, the department acknowledged that it does not comply with specific requirement 1.6.4. While it was not specifically examined, the audit did not receive any evidence that the department complied with specific requirement 1.8.2.

While the department is not fully compliant with the requirements of the NSW Cyber Security Policy, its view is that:

• the concession deed requires the private operator to maintain technical and organisational measures that are no less rigorous than those that applied prior to the concession
• the cyber security measures taken surpass those that would apply under Department of Customer Service policies
• the regulator retains oversight of the private operator’s compliance with its requirements under the concession.

Notwithstanding these assurances, neither the department, nor the ORG itself, provided any evidence demonstrating that the protections provided by the private operator have been reconciled against all the requirements of the NSW Cyber Security Policy, including the specific clauses that apply to crown jewels. As discussed below, neither the department nor the ORG have considered the implications of the private operator being deemed a ‘third-party service provider’ under the NSW Cyber Security Policy.

The NSW Cyber Security Policy allows that not all its requirements must be uniformly implemented across the agency. However, where an agency seeks an exception to the policy, it should ensure that the exception is ‘… documented and approved by an appropriate authority through a formal process’. The ORG did not provide evidence that any exception to the requirements of the Cyber Security Policy (such as non-compliance with specific requirement 1.6.4) had been documented and approved.

The ORG has determined that the private operator is a third-party service provider under the NSW Cyber Security Policy, although the implications of this have not been fully examined by the ORG or the department

During this audit, in November 2024, the ORG obtained advice from Cyber Security NSW that the private operator is a ‘third-party service provider’ under the NSW Cyber Security Policy. The policy has a number of specific requirements relating to third-parties.

Mandatory requirement 1.10 of the NSW Cyber Security Policy requires agencies to ‘identify and manage third-party service provider risks, including shared ICT services supplied by other NSW Government agencies’.

Section 6.12 of the Cyber Security Policy provides agencies with guidance on their responsibilities for managing the cyber security requirements and risks posed by third-party providers to assist agencies implement mandatory requirement 1.10. This section includes responsibilities such as:

• ensuring third-party risks are considered in enterprise risk management processes
• conducting regular management of third-party risks through ongoing risk-based reviews to verify compliance with contractual agreements and security measures.

The designation of the operator as a third-party service provider to the ORG is a recent classification and the implications of this have not been fully considered by the ORG or the department.

The ORG has ensured that cyber security obligations are included in the private operator’s arrangements with its own contractors

The audit also considered what assurance the department or the ORG has obtained regarding the adequacy of cyber security provided by contractors to the private operator. Clause 39 of the concession deed establishes that:

• the private operator must ensure that its third-party service providers and subcontractors comply with all terms of the deed relevant to the operator’s obligations, including to maintain adequate cyber security
• the private operator is liable for all acts and omissions of its subcontractors.

The ORG and the private operator have agreed to a process whereby the latter notifies the regulator when new subcontractors are engaged and provides assurance that subcontractors comply with the requirements of clause 39.

The ORG has also approved a table of clauses that must be included in any subcontracting agreements that the private operator makes with its own third parties. These clauses include obligations for adequate cyber security.

The ORG has ensured security testing is conducted on the core systems and services of the land titles registry

The concession deed imposes requirements on the private operator relating to the security of the land titles registry, including that the private operator must:

• ‘… establish, maintain, enforce and continuously improve reasonable technical and organisational measures’ across a range of specific areas aimed at protecting data and preventing unauthorised access and use
• maintain technical and organisational measures that are no less rigorous than those the land registry was subject to prior to the concession
• engage in third-party audits in relation to its compliance with the applicable information security standard (ISO 27001), and provide these reports to the ORG.

The ORG has relied on subject matter expert advice from within the wider department to determine that the private operator is satisfying these requirements, including by providing third-party certification of its compliance with ISO 27001. The ORG provided evidence of this certification.

Clause 25.1 of the concession deed requires that the private operator must, to the extent reasonably requested by the ORG, test and evaluate the performance of core systems and services, which may include security testing such as ‘… vulnerability testing, penetration testing, manual configuration tests and reviews, self-assurance testing and other vulnerability and threat assessment testing’. This testing and evaluation has included assessment of the operator’s controls relevant to the System and Organisation Control 2 (SOC 2) Security and Availability Trust Services Criteria.

The ORG has ensured that the private operator has completed ISO2001 certification and has conducted SOC 2 assessments. Relevant materials are reviewed by subject matter experts from both the ORG and broader department and discussed at ITC meetings. This audit reviewed a sample of SOC 2 documents and found no significant weaknesses.

Consistent with clause 25.1 of the concession deed, the ORG has also required the private operator to conduct a program of penetration tests on its systems. Penetration testing is a useful mechanism for assessing the potential vulnerabilities of an IT system. However, penetration testing does not offer assurance of the security of a system. Reasonable assurance can only be derived by the effectiveness of security controls, including those implemented to address any vulnerabilities identified by penetration testing.

The ORG assesses and monitors how the private operator responds to vulnerabilities identified by its penetration testing program. The ORG reviewed test reports and discussed these with the private operator during ITC meetings. However, the effectiveness of this monitoring has been hampered by the ORG’s lack of a central registry of issues or vulnerabilities. This limits the ability of the regulator to easily monitor trends and risks or review historic issues.

The concession deed does not specify minimum acceptable standards for the conduct of penetration testing or other forms of system test. Moreover, it is the private operator that is responsible for conducting the testing. When the ORG reviews the results of the operator’s security testing, it also has the opportunity to assess the adequacy of the design and conduct of the tests (including to ensure that the scope and timing of each test provides adequate assurance that vulnerabilities have been identified).

However, as security testing is a requirement of the concession deed, the ORG – as the regulator and consistent with regulatory good practice – should be clear about its expectations for what constitutes appropriately rigorous test methods. These expectations should be effectively and proactively communicated to the private operator, and not left to be raised in retrospective review comments.

The ORG has become increasingly focused on potential risks posed by aging legacy IT systems and how any risks should be mitigated

When granting the concession, the NSW Government’s stated expectation was that the private sector would ‘… have strong incentives to invest in new technology, resulting in significant improvements to the system, and benefits for consumers’. There was an expectation at the outset of the transaction that the successful bidder would, at some time, ‘refresh’ the existing legacy IT systems on which the land titles system operates. While unspecific at the time, a system refresh could include either upgrade or replacement.

However, it was not clear in the bidding documents exactly when and how a successful bidder would be required to address the risks from legacy IT systems. The Information Memorandum provided by NSW Treasury to potential bidders noted that the expected response of the successful bidder:

Commitments to replace legacy systems were included in the private operator’s business plan and technology roadmap submitted as part of its bid, with the business plan committing to the ‘decommissioning of legacy systems by the end of 2019’.

The private operator has ‘de-risked’ some parts of the legacy environment, including the Historical Land Records Viewer and its website, and is currently working (albeit to a delayed schedule) to upgrade a key system, the Integrated Property Warehouse (IPW). However, the replacement of legacy systems ITS (Integrated Titling System) and DIIMS (Document and Integrated Imaging Management System) was removed from the operator’s 2023–24 technology roadmap. An external strategic technology review commissioned by the ORG in 2023 recommended to the regulator that the operator should be asked to re-include this work in future roadmaps. This was so that a ‘complete risk assessment and project complexity, cost and delivery schedule’ could be understood.

While the matter had been raised previously, it appears that since 2023, the ORG has become increasingly concerned about the private operator’s management of legacy IT systems. The ORG has noted that the private operator has not conducted discovery work or risk assessments on these systems. In 2023, the ORG assessed the removal of ITS discovery work from the 2023–24 technology roadmap as ‘highly concerning’ and noted that it would, in response, ‘… consider the full range of levers under the Concession Deed’.

In July 2024, after considering an ‘escalated regulatory response’ to the operator’s perceived reluctance to conduct its own risk assessment, the ORG determined to initiate its own risk-based review of the longevity of the legacy core systems in conjunction with Department of Customer Service ICT personnel.

This performance audit has not assessed the risks posed by legacy IT systems and notes that such questions can raise complex technical issues. It is not necessarily the case that a legacy system is inherently insecure and there is evidence that the private operator has conducted work to insulate the core legacy systems from potential risks. Accordingly, the audit has made no finding about any level of risk posed by the legacy systems underpinning the land titles registry.

The approach taken by the ORG from July 2024 seems consistent with guidance published by the Australian Signals Directorate and the Australian Cyber Security Centre. This guidance highlights the need for agencies to implement a sound strategy to manage legacy IT, starting with developing an understanding of the business and security risks posed by such systems.

The ORG has recognised the importance of privacy to retaining confidence in the land titles system and actively addresses privacy issues with the private operator

The registers operated and maintained under the concession deed are public registers. That is, they can be accessed by anyone (in some circumstances, after the payment of a fee). While there are public interest reasons for this information to be publicly available, public registers can create a tension with individual privacy, where the information held in a register is personal identifiable information about an individual.

This tension can be exacerbated when it is compulsory to record information in a public register, thereby reducing the individual’s choice and control over their personal information. In some circumstances, it has been found that community concerns are exacerbated where public registers are operated and maintained by the private sector, for example, when the UK Government considered privatising its land titles registry.

In its privacy policy, the private operator of the NSW land titles system explains that the personal information that it may collect can include:

• name, address, age or date of birth, contact details
• information collected in connection with maintaining the various registers, including information about an individual’s property dealings, such as transfer and leasehold documents
• information related to the operator’s products or services, such as credit card or bank account details
• verification of identity information, such as passport information, rates notices, Medicare card details and drivers licence details.

In recognition of the privacy risks inherent to public registers, and the potential volume of personal information collected, privacy issues are recognised and discussed between the ORG and the private operator, including at JCC meetings between the Registrar General and the chief executive officer of the private operator.

For example, the ORG recognised a potential privacy risk in how the private operator was collecting information for its subscriber compliance audit process. This resulted in the ORG requiring the private operator to put in place a more secure method for collecting this information. Similarly, the private operator itself identified a potential privacy issue regarding the length of time it retained personal information for the same process.

As discussed below, privacy is also considered by the ORG in regard to new non-core service proposals from the private operator.

New services proposed by the private operator are subject to approval by the Registrar General and have been subject to privacy impact assessments

Privacy risks inherent to public registers can become greater where there are pressures to use that information for purposes unrelated to the original purpose of the public register (‘function creep’).

It was explicit in the NSW Government’s announcement regarding the granting of the concession that it was expected, not just permitted, that the private operator would identify, develop and deliver additional services using information collected for the purposes of the registry, while ensuring appropriate recognition of potential privacy concerns.

The concession deed has a mechanism requiring ORG approval of proposed new ‘non-core services’ by the operator. Since the concession was made, there have been four additional non-core services approved. These have each been accompanied by a privacy impact assessment prepared by the private operator and at the instigation of the operator. The ORG does not have standards for an acceptable privacy impact assessment other than the assessment should be prepared by a ‘reputable organisation’. Guidance published by the NSW Privacy Commissioner is that, where possible, privacy impact assessments should be published, which has not been the case for those assessed by the ORG (although commercial and competition issues around potential new information products could offer a justification for not publishing).

The audit assessed a sample of privacy impact assessments submitted to the ORG by the private operator. Consistent with the NSW Privacy Commissioner’s guidance, the assessments were found to be fit for purpose, in that their size and scope appeared consistent with the inherent assessed risk. The same guidance highlights that privacy impact assessments should be more than just compliance checks. This good practice advice is similar to that published by the Australian Office of the Information Commissioner.

The ORG has developed a template for assessing new non-core services. The template requires ORG staff to consider a range of issues, including privacy, when new non-core services are proposed by the private operator.

The ORG has limited visibility of how effectively other system participants ensure privacy of personal information

The ORG maintains a regulatory role over the operator. However, there are numerous other system participants who could adversely impact the integrity and security of the registry, including by impacting the privacy of personal information (whether deliberately or incidentally). The extent of the ORG’s regulatory oversight and powers varies according to the type of system participant.

For example, the ORG has powers under the concession deed to regulate the private operator directly, although it relies on the private operator to conduct compliance activities for subscribers. Its range of regulatory enforcement options also vary between system participants. Similarly, the concession deed provides for the ORG to issue penalties against the private operator, although not against subscribers or surveyors for non-compliance with their respective obligations.

In December 2018, the then Registrar General nominated a ‘joint comprehensive review of all potential privacy risks to LRS’ as a priority for the coming year to be completed by December 2019. By July 2019, minutes of the JCC record this priority as ‘deferred’. Subsequently, a comprehensive review of privacy risks has not been conducted. Such a review may assist in better understanding any potential system-wide privacy risks to the land titles system.

The ORG and NSW Treasury offered strong public assurance at the start of the concession that statutory privacy protections would apply to the land titles registry

The handling of personal information by NSW Government agencies is regulated by the Privacy and Personal Information Protection Act 1988 (PPIP Act). As well as setting out privacy principles with which NSW government agencies are required to comply, the PPIP Act also provides a statutory right for individuals to take complaints about the handling of their personal information to the NSW Privacy Commissioner, who may make binding decisions on agencies. The PPIP Act does not generally extend to private sector companies.

While NSW government agencies are covered by the PPIP Act, most private sector companies in Australia (as well as most Commonwealth government agencies) are covered by the Commonwealth Privacy Act 1988 (Privacy Act). The Privacy Act contains similar protections to the PPIP Act, although the regulator and dispute handler is the Australian Privacy Commissioner. Unlike the NSW Privacy Commissioner, the Australian Privacy Commissioner may make an enforceable determination requiring that a complainant be paid compensation for financial or non-financial loss. Section 39 of the enabling legislation for the transaction that underpinned the concession established that:

This was made clear in the second reading speech to the bill for the enabling legislation, which stated that the PPIP Act ‘… applies to the private operator as if it were a public sector agency in the same way that it currently applies to LPI titling and registry Services’.

In April 2017, NSW Treasury published a fact sheet offering ‘consumer assurance’ that:

Similarly, in March and April 2017, the then Registrar General made public presentations highlighting that the private operator was subject to statutory privacy obligations:

Accordingly, there appears to have been clear intention to offer assurance to the community that statutory privacy protections would apply to the land titles registry once the concession was made.

The ORG has not obtained assurance whether the private operator is covered by the Commonwealth Privacy Act

Despite the strong public assurances outlined above, there was uncertainty when the concession was granted about whether and how the Commonwealth Privacy Act applied to the operator.

As outlined above, the Commonwealth Privacy Act does not cover NSW government agencies. While it does generally cover private sector businesses (such as the private operator), there is an exemption for private sector contract service providers to NSW Government agencies for the purpose of providing services under their contract. Specifically, s. 7B(5) provides that the ‘acts or practices’ of private sector organisation are exempt where:

• the organisation is a contracted service provider for a state contract
• the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.

This was recognised in an information memorandum provided to bidders during the bid process for the concession. The information memorandum explained that the successful bidder may be subject to the Commonwealth Privacy Act, including to the exemption available ‘… as a provider of services to State Government’. The information memorandum concluded that ‘Compliance with the Commonwealth Privacy Act will be a matter for the private operator to assess’.

Accordingly, notwithstanding the confidence inherent in government public statements around the time that the concession was made, it appears unclear whether (and to what extent) Commonwealth privacy legislation applies to the land titles registry operator.

The ORG has not clarified whether an individual would complain about a privacy breach to the NSW or Australian Privacy Commissioner

Part 6 of the PPIP Act provides specific provisions for ‘public registers’ operated and maintained by NSW government agencies (noting that the private operator is deemed to be a NSW government agency by s. 39 of the enabling legislation for the transaction).

Part 6 of the PPIP Act sets out two specific protections for public registers held by NSW government agencies, these being:

• an agency keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept
• an individual may request that their personal information be suppressed from a public register if they can establish that its open inclusion would affect their safety or well-being.

However, clause 7 of the Privacy and Personal Information Protection Regulation 2019 exempts public sector agencies responsible for keeping certain prescribed public registers from the requirements set out in Part 6 of the PPIP Act. The registers operated and maintained under the land titles registry are included in the list of the public registers that are exempt from Part 6.

Accordingly, the two statutory protections specifically focused on public registers in the PPIP Act do not apply to the land titles registry.

While there are equivalent contractual restrictions in the concession deed, these measures are not accompanied by a statutory right for individuals to complain to the NSW Privacy Commissioner if their personal information is handled in a manner that would otherwise breach Part 6. In these same circumstances, for the reasons discussed above, it is also unclear whether an individual could complain to the Australian Privacy Commissioner if the potential breach relates to the private operator performing functions as a contract service provider to the NSW Government.

This jurisdictional complexity is further complicated by the private operator collecting different types of personal information, namely:

• personal information that must be collected onto registers to meet titling and registry legal requirements, such as the name of the title owner or mortgage information
• personal information that is collected by the private operator to support the operation and maintenance of the register and other products offered by the operator, such as payment and identity verification information.

The private operator publishes a detailed privacy policy on its website. This policy states that the private operator is required to comply with both the PIPP Act and Privacy Act, and to the extent of any inconsistency, it would comply with the latter. While this demonstrates a clear intention to ensure compliance with legislative privacy obligations, further clarity is required as to how this intention can be reconciled with the issues outlined above.

As the lead agency in managing the transaction and overseeing the preparation of its enabling legislation and concession arrangements, NSW Treasury could not provide evidence that the NSW Privacy Commissioner had been consulted during the drafting of either the enabling legislation for the concession transaction or the concession deed document.

The ORG has detailed policy and procedures for ordering the suppression of personal information on the land titles registry, although third-party information reseller arrangements mean that the ORG cannot ensure that personal information will be fully suppressed

The ORG may direct the private operator, as well as other parties, such as specific government agencies that use land registry information, to suppress personal information held on the land titles registry. Information about this option is provided on the ORG website. A suppression may be ordered in response to a request from a member of the public advising that their well-being or safety is at risk because the register may disclose their whereabouts.

In the 12 months to July 2024:

• 107 applications to suppress personal information were assessed
• 60 were accepted
• 47 were declined.

Due to the critical nature of name suppressions and the potential danger to the individual, it is a requirement that a suppression application be actioned on the day it is received by the private operator (when received during business hours).

The ORG has detailed policy and process documents for the suppression of personal information. These documents detail the information that is required to be provided by an applicant, as well as describing the decision-making process and how an accepted application will be actioned. The Suppression Policy requires the private operator and a specific government agency that uses and distributes land registry information to complete the suppression request within one business day.

Analysis performed by the ORG in September and October 2019 found that action in response to at least six suppression applications had been delayed by periods between three and six days. The ORG’s policy on the suppression of personal information now specifies that its privacy contact officer will actively monitor the action time of a suppression direction to ensure that the private operator actions any suppression order within one working day. For a sample period of January to June (inclusive) 2024, the ORG reported that the performance measure was met for each month. However, the complex flows of land titles information, and the multiple parties who may handle it, mean that it could reasonably be expected to take up to two weeks for suppression orders to be given full effect.

The audit reviewed a small sample of successful and unsuccessful suppression applications that had been received and determined during 2023–24. These are discussed below.

A sample of five successful applications highlighted the difficulties that the complexity of the land titles system poses in managing data. From the sample, it was found that the private operator actioned suppression orders in a timely manner. However, the time taken to action suppression orders was longer in the case of the government user.

When the government user receives a suppression notice from the ORG, it informs its seven data customers that they (and in turn their own unknown number of customers or resellers) have seven days to ‘remove all elements of personal information including the property sales information from any record held’. As the ORG is not a party to this data sharing arrangement and has no visibility of the agreements between the various parties, it has no mechanism to offer assurance about the effectiveness of the suppression process.

The ORG was able to demonstrate that the sample of unsuccessful suppression applications had been handled in accordance with its policy, including by explaining the process to the unsuccessful applicant and affording them the opportunity to provide further information.

The ORG is preparing a policy to explain the rights of the private operator, government agencies and other third parties to use land titles registry data for new services and products

The concession deed sets out a number of clearly defined ‘core services’ that the private operator is required to provide. In addition, the private operator may apply to the ORG for permission to use land titles registry data for other ‘non-core’ services. These non-core services can generate revenue for the private operator.

The NSW Government made clear when granting the concession that a policy objective was to promote innovation and improved customer service, including by permitting the private operator to develop new services, while also ensuring that the principles of the NSW Government Open Data policy were maintained. An objective of the Open Data policy is to promote the release of government data ‘… for use by the community, research, business and industry’ and to ‘inform the design of policy, programs and procurement’. The Open Data Policy is not a ‘free data’ policy but is based on the principle of ‘free, where appropriate’.

Under the concession deed, the private operator is entitled to claim compensation for prescribed ‘compensation events’. In broad terms, compensation events include where the private operator loses its exclusive right to maintain and operate the NSW land titles registry, including to facilitate authoritative searches of titles.

On 28 September 2021, the private operator submitted a claim for compensation under the concession deed. This claim concerned the use of data by the Spatial Services business unit of the department to create the NSW Spatial Digital Twin (‘Spatial Digital Twin’).

The Spatial Digital Twin is described by the department as ‘… a cross-sector, collaborative digital workbench for whole-of-government use, that will visualise location information, in a 4D model of the real world (3D plus time)’. It brings together many data elements from multiple sources across government, including information from strata plans registered in the land titles registry.

On 23 October 2021, the NSW Government rejected the private operator’s compensation claim. However, while rejected, the claim has not been withdrawn. The department has assessed the claim as being unfounded and, consistent with financial audit standards, it is not recorded as a liability in the department’s financial accounts. However, the department does include the claim in its ‘emerging issues return’ that agencies are required to provide to NSW Treasury.

It was beyond the scope of this audit to assess the merits of this specific claim. However, at a general level, the matter highlights that there may be different interpretations of the concession deed in regard to the permitted uses of land titles registry data and the related compensation provisions. This includes NSW Government agencies that had existing pre-concession rights to obtain data for specific purposes, as well as other system participants that obtain land titles data, such as ELNOs. If a common understanding is not established, then there are dual risks that:

• the potential for compensation claims may mute innovation in how NSW government agencies, and potentially others, use land titles registry data
• current or further claims for compensation by the private operator for uses of data by third parties may create financial liabilities for the State.

The concession deed includes provisions that permit certain government agencies to obtain land registry data. Those agencies may also enter into individual memoranda of understanding (MOU) with the ORG. These MOUs set out details about how and for what purposes each agency may obtain data. Consistent with the deed, the MOUs also permit agencies to use land titles registry data for ‘similar governmental purposes’ to those purposes specified in the concession deed. There is no guidance on the interpretation of ‘similar governmental purposes’.

The ORG first formally proposed an approach to resolve this matter in August 2021. However, it remains a live issue. The ORG’s annual priorities letter to the private operator for 2023–24 identified the need to achieve ‘clarity around the use of land registry data’, explaining that:

Achieving greater clarity in this matter remains one of the ORG’s annual priorities for both itself and the private operator for 2024–25. The ORG is developing a data use policy intended to assist in addressing risks around data use by clearly communicating to stakeholders the ORG's position on the use of data from the various registers operated under the concession. This policy was still in draft form during this audit.

The ORG has ensured that business continuity and recovery planning has been prepared for the land titles registry

The private operator is required by the concession deed to develop, submit and test a business continuity plan. During the concession, the private operator has met this requirement by providing the ORG with required and related documents, including its Business Continuity Plan, Business Continuity Management System and Disaster Recovery Strategy, as well as a third-party assessment of the adequacy of the planning.

The private operator is required to annually test its continuity planning. The audit team sighted evidence of third-party testing of the business continuity plan, as well as ORG feedback on the adequacy of business continuity plans and engagement with tests.

The audit team assessed a sample of business continuity plans provided by the private operator to the ORG against the applicable international standard (ISO 22332). In addition, a sample of incident management and recovery plans were assessed against both ISO 22332: 2022 and ISO 27035.1:2017.

The audit team found that while the plans did not expressly claim to be prepared in accordance with any formal standard, they were broadly consistent with the requirements of the standards. For example:

• there was evidence that sampled plans had been reviewed annually or as required as a result of organisational changes or post incident review
• assumptions for the operation of the plan, and intersections with other key documents were clear
• specific roles and team members, including alternates where available, were identified with defined roles and responsibilities
• where scenarios were detailed, there were specific steps and tasks clearly outlined
• plans contained rating frameworks that defined the criticality of events, and the subsequent recovery objectives.

The private operator also has a business continuity management framework that sits across business continuity plans for specific functions, as well as a disaster recovery strategy. These higher-level documents also provide detail on the operator’s requirements for more specific plans and processes to be tested. The business continuity management framework, for example, requires annual business continuity exercises to take place.

The ORG has a local business unit continuity plan, although this has not been tested

As part of Department of Customer Service business continuity planning, the ORG has a local business continuity plan for its own business unit. This plan addresses three specific critical business functions:

• managing the concession
• administering the TAF
• regulating ELNOs.

Each of these critical business functions has a maximum acceptable outage time of one day, with a recovery time objective of three days. The ORG has not tested these recovery time objectives, or the operation of continuity plans for critical business functions.

The alignment of regulator and operator response and recovery plans is a recent improvement that has been identified through joint scenario testing

A joint exercise was conducted in November 2023. An external cyber security consultant was commissioned to design and deliver a cyber incident response exercise between the department, the ORG and the private operator.

The consultant produced a report that identified strengths across the engaged stakeholders, including the collaborative culture with clear decision-making protocols, awareness of the current threat landscape, and active involvement and identification of areas of improvement.

The report broadly identified the need for interconnected communication plans, harmonised incident response plans and pre-defined authority to act as key opportunities for improvement. This was due to uncertainty regarding who should initiate contact with different parties, the need for enhanced coordination and uncertainty during the exercise about who had the authority to engage with the threat actor.

This seems to be the only joint exercise that has been conducted between the regulator and operator to date. No further joint exercises are currently planned.

The ORG has not tested whether it could use back-up data to operationally manage the land titles registry

The concession deed requires the private operator to provide the ORG with a daily back-up of the ‘core data’ contained in the land titles registry (except for core imaging repository data, which is subject to weekly back-up). This is consistent with pre-concession disaster recovery arrangements where core databases and transaction logs were replicated to an off-site disaster recovery centre daily.

The ORG has taken steps to ensure that the back-up data provided by the operator is reliable. The content of the back-ups provided by the private operator was validated by Department of Customer Service ICT in August 2024, with a regular automated testing protocol now in place. This was not always the case, as ORG audits of back-up data had identified deficiencies earlier in the concession.

While the ORG has access to accurate back-up data, the value of the back-ups and whether the ORG can effectively restore the state back-up (for example, if it is ever required to exercise its step-in powers) has not been determined. The audit was told ‘there is no guarantee’ that existing back-ups could be used to restore the system.

The appropriate use, utility and purpose of the state back-up is a current issue for the ORG. This issue was also identified in the 2023 strategic technology review, which noted the potential for developing a real time replica of the land titles registry data. As a result of this review, the ORG is reviewing best practice for the use of the state back-up, including analysing its purpose, situational need and methods to audit and assess back-ups in the future. These findings are due in mid-2025. Any changes to state back-up arrangements will likely require changes to the concession deed.

If future circumstances require the ORG to rely on the state back-up of the registry data, the ability of the ORG to use the state back-up would be critical, including if there was a technical or operational failure with the private operator. The ORG has commenced initial analysis on the required documentation, procedures and scenarios required to exercise its step-in powers. However, the ORG has not tested how effectively it could restore the state back-up, or how it would use the back-up data in practice, if it was needed.

There is evidence that the ORG has taken steps to identify regulatory weaknesses and areas for improvement

The ORG has several internal processes to identify and review issues around its own performance. These include weekly and fortnightly team meetings at various levels, quarterly executive meetings, and an annual team development day. The ORG also notes that a weekly email identifies good regulatory practice, however there is no formalised approach in terms of a framework that benchmarks the ORG’s performance in comparison to similar regulators or guides its continuous improvement processes.

The ORG has identified several internal improvement areas. These include workforce capability or capacity gaps and managing the risk of regulatory capture.

• Workforce capability: while the ORG has a small IT team, it does not have senior or strategic IT expertise. Workforce capability in this area is a key risk to the long-term regulation of the land titles registry. It was raised by several stakeholders in interviews with the audit team and identified as a risk in both the Strategic Technology Review, and the ORG’s 2023 annual team development day.
• Regulatory capture: ORG staff should refrain from becoming involved in discussions with the private operator and surveyors about plan issues, due to its role as the decision-making authority in administrative reviews.

The ORG is addressing a gap in strategic technology and regulatory practice capability to ensure it can effectively regulate the land titles registry in the long term

The land titles registry is an increasingly technology-focused system, having transitioned since the early 1980s from a paper-based system, where documents were submitted or searched for in-person, to a digital system with remote online access. This means that the ORG is increasingly regulating technology solutions and operations.

While the ORG has identified strategic technology expertise as a gap, it does not yet have a long-term capability development and retention plan. It has also not mapped its existing skills base to ongoing requirements of overseeing the concession deed and regulating the land titles registry. Its existing workforce plans respond to workforce survey findings and focus on developing and retaining its current workforce.

To address this capability gap in the immediate term, the ORG has engaged an external consultant to address strategic technology skills, reallocated its spending on consultancies to fund ongoing roles and requested support from Department of Customer Service ICT.

In 2024, as part of Fair Trading and Regulatory Services, the ORG was provided with a dedicated business information support officer from the department’s cyber security area who supports it with advice related to cyber security. Prior to this the ORG was also able to receive advice from the department’s Chief Information Security Officer. Advice has included risk assessments, responses to ad hoc requests and formal advice on reporting required from the operator. There is a potential risk in relation to this key role being outside the ORG’s structure and therefore not able to be fully managed by the ORG.

Broader Department of Customer Service ICT support has been more limited outside of cyber security. Leadership meetings have occurred inconsistently, for example, limiting ORG’s ability to influence the department’s ICT support.

The NSW Public Service Commission (now located within the Premier’s Department) has published a Strategic Workforce Planning Framework that provides guidance for agencies to understand and prepare for their future workforce needs. This framework identifies three levels of workforce planning.

• Strategic workforce planning: identifies actions and addresses challenges, risks and opportunities, entailing longer term planning covering a 3–5 year period. The framework notes that strategic planning is not ‘resource management to fill immediate operational needs’.
• Tactical workforce planning: specifies how work should be done in a specific area to efficiently achieve goals outlined in the strategic workforce plan.
• Operational workforce planning: Ensures daily work is done effectively.

ORG activity to address this capability gap is mainly tactical and operational. Quarterly executive meetings review resourcing needs with an 18-month time horizon, while the Strategic Workforce Planning Framework recommends a longer time horizon. Executive review assesses anticipated workload and, in addition to specific technological capability, has identified the need for additional capacity across the ORG in the areas of policy, regulation and cadastral integrity.

The ORG advises that it is currently reviewing the most effective approach to engaging strategic technology expertise and relies on expertise from within the Department of Customer Service for guidance on workforce planning.

The ORG’s wider regulatory context also creates capability needs in regulatory policy and practice. The ORG performs regulatory functions over a complex and multi-participant system. Its primary regulated entity, the private operator, has unique characteristics, being a monopoly exercising important titling functions using an asset that remains the property of the NSW Government.

At the same time, there are a range of other system participants, such as lawyers, conveyancers, surveyors and banks, who are primarily regulated by other bodies. The other main group of participants, the ELNOs, are themselves subject to new and dynamic market pressures as the industry evolves from a monopoly to a competitive market. The Australian Registrars' National Electronic Conveyancing Council has described a future-state in which multiple ELNOs inter-operate, resulting in a ‘growing compliance burden for government’ within ten years.

The concession deed contains mechanisms to support continuous improvement in the operation of the concession, including an optional five-year major review clause that has not yet been exercised

The concession deed provides for the ORG to conduct:

• ‘annual reviews’ of the operator’s performance, including its achievement of service levels and a review of its latest business plan, as well as a broad range of other matters
• ‘ad hoc and other reviews’, whereby the ORG may review or ‘spot check’ the operator’s performance of any core service provided under the concession
• a ‘major review’ of the operator’s performance under the deed no more than once every five years, including the extent to which the operator is acting consistently with the objectives of the concession and a broad range of other matters – a major review may also consider whether any changes are required under the concession deed.

The ORG conducts annual reviews of the private operator’s performance, including by reviewing and providing feedback on iterations of the private operator’s business plan. As discussed earlier, the ORG has also required the private operator to provide ad hoc reports on two occasions relating to the quality of the private operator’s plan examinations. While the annual priority letters described earlier in this report (see section 3) also encompass an element of performance review, that process is not a function of the concession deed.

To date, the ORG has not exercised its option to conduct a major review of the concession. The ORG did consider conducting a major review in 2022, but it was determined at the time that progressively evolving the concession using iterative contract variations agreed with the private operator was an adequate course of action.

The range of matters anticipated by the major review mechanism is substantial and would prompt consideration of matters that may not emerge iteratively or ad hoc, including matters that are more than simply routine or operational. For example, the major review mechanism provides for the review of significant and strategic matters, including those ‘… that were not anticipated as at the execution date, but which ought to be addressed having regard to the objectives’. Notwithstanding the long duration of the concession, and the complex and evolving environment in which it operates, the ORG has not commenced preparatory work to scope when, or in what circumstances, a major review would be appropriate.

Appendix 1 – Response from Department of Customer Service

Appendix 2 – Glossary

Appendix 3 – About the audit

Appendix 4 – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #403 released 12 February 2025.

What this report is about

This report focuses on the 2023–24 Consolidated State Financial Statements of the New South Wales General Government Sector (GGS) and Total State Sector (TSS), which comprise the Total State Sector Accounts.

It comments on the key matters and highlights significant factors that have contributed to the State’s financial outcomes for the year ended 30 June 2024.

Observations

The audit opinion on the Total State Sector Accounts for the year ended 30 June 2024 was unqualified.

The GGS’s net operating balance for the 2023–24 financial year was a deficit of $10.7 billion. This was $2.9 billion more than the original budgeted deficit of $7.8 billion, and $1.1 billion more than the revised budget deficit of $9.6 billion estimated during the 2023–24 half yearly review.

Revenue growth exceeded expense growth in 2022–23 and 2023–24, after several years when expenses increased in excess of revenue as the government responded to COVID-19 and natural disasters.

The State recorded $769 million in write offs of infrastructure and other assets in 2023–24, largely from transport projects including the Great Western Highway upgrade, the Beaches Link project and the Fast Rail program.

The State also wrote off $334 million of inventories including expired rapid antigen test kits and personal protective equipment.

The GGS’s net debt to gross state product increased from -0.3% in 2019 to 11.4% in 2024. It is predicted to reach 14.2% of gross state product by 2028.

The State maintained its triple-A and AA+ credit ratings.

Recommendations

Seven of nine 2023 report recommendations have been addressed.

NSW Treasury is working to address the two open recommendations relating to reviewing the financial reporting exemption framework.

The Audit Office’s annual work program

The Annual Work Program 2024–27 was published in August 2024

Each year, the Audit Office’s Annual Work Program reflects an ongoing strategic assessment of the risks and challenges facing government. It outlines subsequent focus areas for financial audits, as well as planned performance audit topics published as a three-year rolling program. We aim to inform NSW Parliament, the public sector and the community about key risks we identify, as well as our priorities and expected timeframes for delivering our work. This helps to give our stakeholders the best opportunity to prepare for, and engage with, our audits.

Our financial audit program this year included a consolidated report on the audit results of NSW Government agencies’ financial statements. The State agencies 2024 report highlighted the issues that had the most significant impact across the whole sector.

There are five key focus areas in our performance audit program:

• effective advice and decision making
• First Nations people in NSW
• environment and sustainability
• efficient and responsible use of public resources
• cyber security.

A sharper focus on information technology risks and data

The NSW public sector is increasingly reliant on information technology to improve service delivery. The Systems Assurance, Cyber and Data Branch within the Audit Office seeks to respond to the pervasive risks and opportunities associated with information technology, and the growing availability of large amounts of data. The creation of this branch reflects the prominence of data and cyber issues within our Corporate Strategy and Annual Work Program, and the importance of our information systems assurance work. The work of the branch supports our financial and performance audits, with insights reflected in our financial and performance audit reports.

The outcome we seek is a sharper focus on information technology risks within the public sector, particularly cyber security risks, to be highlighted in our performance and financial audits. Our increasing use of data for more effective audits aims to further enhance our audit reports.

The Systems Assurance, Cyber and Data Branch also plays a role in thought leadership about artificial intelligence and its impacts on the way we work and the work of the agencies we audit. This plan includes commencing our first audit focused on artificial intelligence.

Digital audit transformation

The Audit Office is embarking on a digital audit transformation which is looking at how we can better use data and technology to enhance our audits.

This transformation looks to re-imagine how we plan for, complete and report on our financial and performance audits incorporating data analytic solutions, automation and predictive analytics, leading to more efficient, effective and timely audits.

An initial key focus is on standardising and automating data requests from agencies, which will streamline processes, save time, automate some audit procedures and improve audit risk assessment and benchmarking.

We understand that there are some key enablers required to achieve this outcome and acknowledge that there are some key risks that we need to manage. Ensuring that we have a workforce that is digitally capable, and technological solutions that are fit-for-purpose, while continuing to maintain high levels of security and privacy over information is essential.

While this transformation will be staged, the support of the sector will be crucial to ensure speedy and consistent implementation across the entire sector.

Audits will target the efficient and responsible use of public resources

The Government Sector Employment Act 2013 establishes the core values of the public sector in NSW. One of these core values is that public servants should be fiscally responsible and focus on the efficient, effective and prudent use of resources.

The Government Sector Audit Act 1983 provides that the Auditor-General may have regard to the wastage of public resources and may deal with reports about the serious and substantial waste of public money. Serious and substantial waste involves the uneconomical, inefficient or ineffective use of resources, whether authorised or unauthorised, and which could result in a loss of public funds or resources.

Waste can result in an opportunity cost for government where money could have been used for a better purpose, or better spent on achieving the same purpose. Waste can also lead to higher costs being incurred to address earlier failings in program design, budgeting and management.

The Audit Office’s work program for 2024–27 includes audits that focus on identifying whether the planning and management of key programs and services has been efficient and financially responsible, and whether opportunities to avoid and reduce waste have been identified early.

Climate-related financial reporting in NSW

The NSW Government has announced the introduction of mandatory climate-related financial disclosures as part of agencies’ annual reporting.

The release of climate-related financial disclosures by government entities is intended to provide transparency on the NSW Government’s exposure to the impacts of climate change and enhance accountability over strategies to respond to risks and capitalise on opportunities.

NSW Treasury recently issued its framework for first year climate-related financial disclosures

In October 2024, NSW Treasury issued TPG24-33 ‘Reporting Framework for First Year Climate-related Financial Disclosures’ (the Framework). The Framework sets out mandatory reporting requirements, including key guiding principles and disclosure content.

The Framework is closely informed by the Australian Accounting Standards Board’s (AASBs) Australian sustainability reporting standard, AASB S2 ‘Climate-related Disclosures’. It has been tailored by NSW Treasury to reflect NSW Government circumstances and reporting entity capability and capacity.

Entity level climate-related financial disclosures will commence in stages from 1 July 2024

The disclosure obligations will commence in 2024–25 for the largest entities or those entities likely to be most exposed to material climate-related risks. Based on NSW Treasury’s assessment, 29 ‘phase 1 entities’ will apply the Framework for their 2024–25 climate disclosures.

Other entities will apply the Framework when they make their first climate-related financial disclosures in subsequent phases.

The assurance regime over climate-related financial disclosures is being developed

The Audit Office has been engaging with NSW Treasury to determine the nature and scope of independent public sector assurance over future climate-related disclosures at both a whole-of-government and agency level. Assurance requirements are expected to be staged, with NSW Treasury recently seeking expressions of interest for some phase 1 entities to have their 2024–25 climate disclosures assured by the Audit Office. Mandatory assurance for all phase 1 entities will commence in 2025–26.

Appendix 1 – Key audit matters

Appendix 2 – Prescribed entities

Appendix 3 – Controlled entities of the State

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

About this report

Local councils in NSW manage a large proportion of roads across the state. Roads often represent a significant proportion of total council
expenditure.

How councils manage roads is impacted by their revenue, local conditions, and the needs of residents, businesses and other road users.

This audit was undertaken within the wider context of natural disasters and weather events that have significantly impacted the road network in NSW in recent years.

It assessed whether three councils had effectively managed their road assets to meet the needs of their communities, makes detailed findings and recommendations to each audited council, and identifies key lessons for the wider local government sector.

Key findings

All councils can improve how they link community consultation with planned service levels. Formalising these processes could help better demonstrate how current service levels meet community needs.

Clarence Valley Council

• has established a strategic priority for road asset management but not formal governance arrangements or a long-term capital works program
• is delivering and reporting on its work to respond to natural disasters but does not report against targets for road asset quality and service
• has set benchmarks for road asset maintenance, replacement and renewal but needs clear service levels.

Gwydir Shire Council

• did not have aligned, up-to-date asset plans during the audit period
• did not have a long-term capital works program but adopted a prioritisation program for capital works in August 2024
• did not effectively implement formal governance, or coordinate management oversight, to manage its road assets.

Wollondilly Shire Council

• has a strategic framework for road asset management and has used long-term plans to guide its asset capital and maintenance works
• has reported asset management outcomes against a planned capital works program but could improve how it uses KPIs to demonstrate performance.

This is the first performance audit of the local government sector that I am tabling in Parliament as Auditor-General for New South Wales.

Our performance audits are designed to provide valuable information to parliamentarians, sector stakeholders and the public. Ultimately, our aim is to ensure transparency, a principle that underpins effective and efficient use of public resources.

The management of roads and associated assets is a critical issue for local councils across the state. In recent years, many councils have had to contend with the immediate and ongoing effects of natural disasters.

These natural disasters, along with increased community expectations, population changes and complex regulatory obligations all contribute to financial sustainability risks for councils. Some councils have used short-term funding allocations (including emergency relief grants) to cover the costs of managing long-term assets. These councils do not have the capacity to generate sufficient income from their own sources, and therefore depend on assistance from other levels of government. Councils’ ability to plan and budget for the long term has also been disrupted by the need for new or restored infrastructure outside asset life cycles.

Several reports and inquiries in recent years have highlighted these significant financial sustainability risks. The parliamentary inquiry into the ‘Ability of local governments to fund infrastructure and services’,¹ due to be tabled soon, will be a critical input to a long-term solution.

The three councils audited in this report – Clarence Valley, Gwydir Shire and Wollondilly Shire –each experienced significant natural disasters, including fires, storms and floods during the audit period. Despite this, each audited council was able to deliver a large volume of road asset management works.

This report provides valuable lessons from these audited councils that can help all councils manage their roads more effectively in the face of evolving risks and competing resource demands.

I acknowledge this has been a difficult time for some councils across NSW. This report supports councils with practical steps to manage their roads as effectively as possible, improve their resilience to climate challenges and meet legislative requirements.

¹ The inquiry into the ‘Ability of local governments to fund infrastructure and services’ by the NSW Legislative Council Standing Committee on State Development commenced on 14 March 2024 to inquire into, and report on, the ability of local governments to fund infrastructure and services.

Background

Local councils in New South Wales (NSW) manage over 180,000 km of local and regional roads combined. These roads are crucial to travel within local government areas and across the state, improving community accessibility. Reliable roads ensure commercial and public transport can run on time, increase safety and keep the environment clean.

As roads age and deteriorate, they become more expensive to repair. Road surfaces and formations are vulnerable to both extreme heat and water exposure. These kinds of exposure have varying effects on the ways roads degrade, depending on the amount of traffic and the kinds of vehicles that use them.

Local conditions, business and road-user needs, and the impacts of natural disasters vary between councils and influence the way each council manages its roads. Regularly maintaining roads can keep roads functional and safe and prevent costly, unbudgeted repairs and replacements.

In the 2022–23 financial year (FY2022–23), the estimated total replacement cost of council road assets across NSW was around $102 billion. In the same year, local councils reported collective road asset maintenance expenditure of around $1 billion.

Since 2017, financial audits of local councils have identified asset management-related issues, including gaps in asset management processes, governance and systems. The Audit Office’s ‘Local Government 2023’ report outlined 266 asset management-related findings across the local government sector, including gaps in revaluation processes, maintenance of information in asset management systems and accounting practices.

Councils also provide a wide range of other services and infrastructure, including water and sewer infrastructure and services, waste management, environmental protection, housing, and community transport. Through integrated planning and reporting, councils determine how they will allocate resources to their services and infrastructure. Understanding community expectations for assets and services, alongside technical requirements, supports effective planning for function, cost and quality.

Audit objective

This audit assessed how effectively three councils – Clarence Valley Council, Gwydir Shire Council and Wollondilly Shire Council – are managing their road assets to meet the needs of their communities.

The audit assessed whether the selected councils:

• have a strategic framework in place for managing their road assets
• have effective governance, data and systems for road asset management
• are managing their road assets in line with planned service levels and quality outcomes.

Overview of findings

This audit assessed how effectively Clarence Valley Council, Gwydir Shire Council and Wollondilly Shire Council managed their road assets to meet the needs of their communities.

In assessing each Council’s performance, this audit concluded:

Clarence Valley Council has effectively established a strategic priority for road asset management, but delivery of this priority was not supported by formal governance arrangements or a long-term capital works program. While the Council is delivering and reporting on a large volume of road asset works in response to natural disasters, it does not report on consolidated targets for road asset quality and service. The Council has set benchmarks for maintenance, replacement and renewal of roads. It now needs to enhance this with clear service levels to ensure community needs and expectations are met.

Detailed conclusions and recommendations for the Council are outlined in sections 2.2 and 2.3. Recommendations include that Clarence Valley Council:

• updates and implements its asset management plan and associated improvement actions
• reviews and implements key performance indicators (KPIs)
• captures lessons learned from its natural disaster responses
• implements a long-term capital works program.

Gwydir Shire Council did not have aligned, up-to-date long-term asset management plans to support a strategic framework for road asset management across the audit period. The Council did not effectively implement formal governance and coordinated management oversight for its road assets. The Council implemented updates to its asset management plans in June 2024 and governance arrangements in July 2024.

The Council has reported on the large volume of works it is delivering, including in response to natural disasters, but is not reporting in the context of information about targets and quality benchmarks. The Council does not have a long-term capital works program, but adopted a prioritised rolling program of works in August 2024 to guide its priorities and efforts over time.

Detailed conclusions and recommendations for the Council are outlined in sections 3.2 and 3.3. Recommendations include that Gwydir Shire Council:

• implements its asset management plans and associated improvement actions
• formalises and documents community priorities and service level expectations for roads
• captures lessons learned from its natural disaster responses.

Wollondilly Shire Council has effectively applied a coordinated and strategic framework to deliver road asset management. The Council has long-term plans to guide its efforts and uses data to inform its approach. The Council has delivered a large volume of works in response to natural disasters during the audit period. The Council is reporting its road asset management outcomes and can demonstrate progress against a clearly defined capital works program, but its use of performance indicators could be improved.

Detailed conclusions and recommendations for the Council are outlined in sections 4.2 and 4.3. Recommendations include that Wollondilly Shire Council:

• finalises and implements its transport asset management plan
• reviews performance indicators for road assets
• formalises and documents community priorities within its integrated planning and reporting (IP&R) and asset management frameworks.

Key observations of good practice

While each council was separately audited, this report also identifies practices that contribute to effective road asset management across all local councils.

These include:

1. a good understanding and articulation of the community’s vision, priorities and purpose for local roads
2. asset management documents that are current and aligned with broader strategies and financial plans
3. long-term capital works planning that considers associated ongoing costs, and is supported by systematic prioritisation of works
4. clear and documented decision making processes
5. transparent performance reporting on progress and outcomes
6. reliable, accurate and assured data and systems
7. continuous improvement through both formal reviews and capturing lessons learned
8. resilience and responsiveness to natural disasters with a planned approach to disaster recovery.

Further lessons for local government can be found in Appendix 3.

Appendix 1 – Response from entity

Appendix 2 – Council expenditure profile

Appendix 3 – Lessons for local government road asset management

Appendix 4 – About the audit

Appendix 5 – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #401 - released 21 November 2024.

About this report

Internal controls are key to the accuracy and reliability of agencies’ financial reporting processes. This report analyses the internal controls and governance of 26 of the NSW public sector’s largest agencies for the 2023–24 financial year.

Findings

There are gaps in key business processes, which expose agencies to risks. These gaps are identified in 121 findings across the 26 agencies—including 4 high risk, 73 moderate risk and 44 low risk findings. All four high-risk issues related to IT controls and 19% of control deficiencies were repeat issues. Thirty-five per cent of agencies had deficiencies in control over privileged access.

Shared IT services

Six agencies provide IT shared services to 120 other customer agencies. All six had control deficiencies—three of these were high risk. Four agencies provide no independent assurance to their customers about the effectiveness of their own IT controls.

Cyber security

Eighteen agencies assessed cyber risk as being above their risk appetite. Fourteen of these agencies had not set a timeframe to resolve these risks and two agencies have not funded plans to improve cyber security.

Fraud and corruption control

Agencies need to improve fraud and corruption control. Instances of non-compliance with TC18-02 NSW Fraud and Corruption Policy were identified, including gaps such as a lack of comprehensive employment screening policies and not reporting matters to the audit and risk committee.

Gifts and benefits

Management of gifts and benefits requires better governance and transparency. All agencies had policy and guidance but all had gaps in management and implementation—such as not publishing registers nor providing ongoing training.

Information Technology

Nine agencies did not effectively restrict or monitor user access to privileged accounts.

Recommendations

The report makes recommendations to agencies to implement proper controls and improve processes in relation to:

• organisational processes
• information technology
• cyber security
• fraud and corruption, and
• gifts and benefits.

Read the PDF report

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies found across agencies.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security.

This chapter outlines our audit observations, conclusions and recommendations from our review of agencies' fraud and corruption control framework, policies and practices. Our Internal Controls and Governance 2018 found a number of fraud and corruption control gaps in NSW Government.

The NSW Treasury Circular TC18-02 NSW Fraud and Corruption Control Policy (the Circular) requires NSW government agencies to develop, implement and maintain a fraud and corruption control framework. The Circular sets out minimum standards for a NSW Government agency’s fraud and corruption control framework.

Previous Audit Office report on agency fraud and corruption control

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' managing of gifts and benefits.

About this report

Over 1,100 native animals, plants and ecological communities are listed as threatened in New South Wales. The Department of Climate Change, Energy, the Environment and Water (DCCEEW) delivers programs and activities aiming to reduce the risk of extinction for threatened species and ecological communities. 

This audit assessed whether DCCEEW has effectively delivered outcomes to support threatened species and ecological communities across New South Wales including delivery of the statutory Biodiversity Conservation Program (Saving our Species). 

Findings

DCCEEW uses a risk‑based approach to guide and deliver a range of programs aiming to improve the outcomes for threatened species and ecological communities.

However, DCCEEW has not effectively determined departmental priorities, coordinated programs to align efforts, or reported on the overall outcomes it is delivering for threatened species and ecological communities. 

Further, DCCEEW does not capture sufficient data to monitor species that it is not actively managing, creating a risk that it cannot readily identify or respond to further decline.

Under the Saving our Species program, DCCEEW is delivering conservation actions for less than one‑third of all threatened species and ecological communities. This number has reduced over time, in line with reduced program funding. 

Gaps in core program planning and risk management frameworks create program delivery risks. 

Recommendations

The report made several recommendations to DCCEEW, focusing on:

• Strengthening Saving our Species program compliance, governance, planning and risk management frameworks.
• Developing a long‑term framework to coordinate and align efforts across DCCEEW for the delivery of threatened species outcomes.
• Expanding activities to improve coordination with other parts of government delivering activities that impact on outcomes for threatened species.

This chapter assesses the effectiveness of DCCEEW’s ability to report on threatened species outcomes across its various programs and activities, and its strategic planning for the delivery of these outcomes at a departmental level.

Under Part 4, Division 6 of the BC Act, DCCEEW is required to deliver a Biodiversity Conservation Program. The program’s statutory objectives are to:

• maximise the long-term security of threatened species and ecological communities in nature
• minimise the impacts of key threatening processes on biodiversity and ecological integrity.

Under Section 4.36 of the BC Act, the program must have:

• strategies to achieve the objectives of the program in relation to each threatened species and threatened ecological community
• a framework to guide the setting of priorities for implementing the strategies
• a process for monitoring and reporting on the overall outcomes and effectiveness of the program.

Appendix one – Response from agency

Appendix two – Legislative and regulatory provisions relevant to threatened species

Appendix three – Programs and activities relevant to threatened species

Appendix four – Comparison of statutory provisions for the conservation of threatened species

Appendix five – About the audit

Appendix six – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 Parliamentary reference - Report number #399 released 15 August 2024.

About this report

NSW Ambulance delivers emergency and non emergency medical services and transport to patients in New South Wales, and connects patients who do not need an emergency medical response with the most appropriate health provider.

NSW Ambulance operates as part of a network of public health services. 

This audit assessed the efficiency and effectiveness of ambulance services in regional New South Wales.

Findings

NSW Health is maintaining effective ambulance services in regional New South Wales, despite increasing demand. 

NSW Ambulance and the Ministry of Health use effective governance arrangements to monitor regional ambulance performance. NSW Ambulance and Local Health Districts (LHDs) communicate effectively to manage day-to-day operational challenges. However, the audit identified opportunities to improve the Ministry’s oversight of regional performance, and to enhance information sharing between NSW Ambulance and LHDs.

NSW Health is working to identify opportunities to reduce demand on the NSW Ambulance fleet and hospital emergency departments in regional New South Wales.

NSW Ambulance undertakes holistic service planning to efficiently deliver ambulance services in regional New South Wales.

Recommendations

The audit recommends that:

• The Ministry of Health, eHealth and NSW Ambulance implement a new NSW Ambulance Electronic Medical Record system
• The Ministry of Health and NSW Ambulance improve system oversight, monitoring and reporting of ambulance performance at the regional and metropolitan level
• The Ministry of Health finalise its Transport for Health strategy and undertake a review of all non-emergency patient transport operators across the state
• NSW Ambulance and LHDs improve strategic engagement with other NSW Health entities.

NSW Ambulance is a front line health service provider, delivering emergency and non-emergency medical services and transport to patients in New South Wales. It provides medical help to patients experiencing life-threatening injuries (referred to as high acuity patients), illness, and trauma, and connects patients who do not need an emergency medical response (referred to as low acuity patients) with the most appropriate health provider.

NSW Ambulance operates as part of a network of public health services. For NSW Ambulance to efficiently transfer patients to hospitals, hospitals need to have sufficient capacity to accept new patients. In regional contexts, distance is an important factor in the effective delivery of ambulance services.

The objective of this audit is to assess the efficiency and effectiveness of ambulance services in regional New South Wales, by answering the following questions:

1. Does NSW Health work effectively and efficiently to deliver ambulance services in regional and rural New South Wales?
2. Is NSW Health effectively and efficiently planning and allocating ambulance services in regional New South Wales?
3. Is the effectiveness of ambulance services in regional and rural New South Wales increasing over time?

The NSW Health agencies included in this audit are NSW Ambulance, the Ministry of Health, Murrumbidgee and Southern NSW Local Health Districts, eHealth NSW and HealthShare NSW.

The Ministry of Health expects Local Health Districts and state wide health services (such as NSW Ambulance) to engage and collaborate with stakeholders throughout service planning, but it is unclear whether the Ministry ensures that this occurs

The Ministry of Health is responsible for setting policy and strategy direction for the overall NSW Health system and provides guidance to all NSW Health entities (including Local Health Districts and NSW Ambulance) to inform service planning. Local Health Districts are responsible for ensuring that relevant policy objectives are achieved through the planning and funding of the range of health services that best meet the needs of their communities.

Service plans describe how services will achieve measurable health improvements and outcomes. NSW Health entities create service plans within a broader framework of system-wide goals, objectives and priorities. The Guide to Service Plans notes the importance of active and inclusive stakeholder engagement and requires that stakeholders should be engaged throughout the planning process. It also notes that state-wide health and shared services impacted by planning should be engaged to assist with the assessment of service requirements and resource implications.

The audit identified several examples of service plans and key initiatives developed within Southern NSW Local Health District which directly related to ambulance services, but where NSW Ambulance was not identified as a stakeholder. These include:

• A business case for a new MRI service at Goulburn hospital: prior to the establishment of MRI services in Goulburn, there were no MRI services available within Southern NSW Local Health District, with the closest available provider located in Bowral (a private provider) or at the Canberra Hospital. This business case included decreased reliance on patient transport for imaging as a benefit.
• The clinical service plan for Batemans Bay Community Health Centre (which will provide urgent care services in Southern NSW Local Health District).

Southern NSW Local Health District included NSW Ambulance as a stakeholder in cross-border service planning, including NSW Ambulance as a signatory in a cross-border memorandum of understanding for stroke patient transfers between Southern NSW Local Health District, Murrumbidgee Local Health District, Canberra Health Services and NSW Ambulance.

In Murrumbidgee Local Health District, the audit identified one example of the Local Health District including NSW Ambulance as a stakeholder in planning activities. In an updated terms of reference document for the Cootamundra Partnership Reference Committee, which was established to develop a new Health Service Plan for the Cootamundra Health Service, NSW Ambulance has been included as an invitee to this forum.

No health entities undertake whole-of-system service planning for non-emergency patient transport services in rural and regional New South Wales

Non-emergency patient transport services in regional and rural Local Health Districts are provided by HealthShare NSW (in Hunter New England Local Health District and Illawarra Shoalhaven Local Health District), Local Health Districts and NSW Ambulance. Both Southern NSW Local Health District and Murrumbidgee Local Health District engage private providers and community transport providers to supplement their patient transport capacity. When non-emergency patient transport services are at capacity, Local Health Districts rely on NSW Ambulance to assist with facilitating patient transfers.

Despite these challenges, there is no whole-of-system approach to service planning for patient transport. Whole-of-system planning would enable NSW Health to better manage risk and reduce reliance on the use of the NSW Ambulance fleet for patient transport in rural and regional New South Wales.

NSW Ambulance undertakes holistic service planning, but it did not engage Local Health Districts as stakeholders in the development of its recent Clinical Services Plan

As a state-wide health service, NSW Ambulance’s service planning broadly reflects the key deliverables articulated in its Service Agreement with the Secretary of Health. The Ministry of Health, in its responsibility for planning key services and as the ‘purchaser’ of ambulance services, ensures that NSW Ambulance service planning gives regard to the broader strategic policy environment.

In 2023, NSW Ambulance developed a new Clinical Services Plan 2024–2029 which includes a focus on supporting innovative approaches to clinical redesign and the delivery of new clinical programs. This includes strengthening collaboration between NSW Ambulance and Local Health Districts (particularly in care models for smaller rural communities and the involvement of paramedics in care and management of patients with chronic diseases).

NSW Ambulance consulted with the Ministry in the development of the Clinical Services Plan. It advised the audit that as the Clinical Services Plan largely reflects the objectives contained in its Strategic Plan, specific consultation with Local Health Districts was not required.

While NSW Ambulance is currently developing a five-year roadmap for the implementation of its Clinical Services Plan, it is unclear how NSW Ambulance intends to implement and resource these objectives in a timeframe that complements similar work across NSW Health.

The Southern NSW Local Health District Clinical Services Plan does not include specific consideration of the provision of patient transport and it is not clear whether it consulted NSW Ambulance during development

Southern NSW Local Health District’s 2023–28 Clinical Services Plan notes development of the plan was informed by local, state and national strategic directions for the health system, as well as outcomes and recommendations of relevant NSW Health and local reviews and inquiries.

Southern NSW Local Health District identified five focus areas in its 2023–28 Clinical Services Plan:

• Supporting health and wellbeing through primary, secondary, and tertiary prevention
• Providing care closer to home
• Ensuring the sustainability of our existing services
• Planning for growth and ageing in our population
• Ensuring equity of access to care.

The Southern NSW Local Health District conducted community stakeholder consultation during development of its Clinical Services Plan, which resulted in feedback relating to challenges accessing health services. Community consultation feedback provided to Southern NSW Local Health District included the below key points relating to transportation to access health services:

• a lack of public and/or private transport to and from health facilities
• the additional burden on rural residents to access health care, noting that rural communities are often long distances from tertiary facilities
• difficulties with transportation, noting community transport options are limited and it can be difficult to coordinate timing.

Southern NSW Local Health District’s Clinical Services Plan acknowledges the District consulted with internal stakeholders and other service providers to develop the plan, however, it is not clear whether Southern NSW Local Health District included NSW Ambulance in consultation for feedback. Additionally, while actions to address the areas of focus for the Clinical Services Plan relate to more localised access to care and delivery of care, as well as increased capacity and access, the plan does not include any actions specific to the provision of health related transportation.

Southern NSW Local Health District has committed to improve access to clinical services in rural and remote settings through the delivery of virtual care models

In its 2023-28 Clinical Services Plan, Southern NSW Local Health District commits to establishing a single point of entry so that patients can access appropriate care in ‘the right place, at the right time’ through (among other actions), an enhancement and expansion of its Virtually enhanced Community Care program and establishment of the Virtual Rural Generalist Service.

This audit identified some examples of Local Health Districts partnering to improve access to clinical service in rural and remote settings. In Southern NSW Local Health District, the Local Health District has partnered with Western NSW Local Health District to implement the Rural Virtual Generalist Service in smaller facilities across the District.

NSW Ambulance’s workforce planning effectively considers demand, workload, coverage, and capability requirements and it uses this evidence to allocate personnel and other resources to efficiently deliver ambulance services in regional New South Wales

NSW Ambulance has a well evolved and evidenced service planning methodology. NSW Ambulance established a service planning capability in 2010, and the current methodology (developed in 2022–23) includes analysis at the station and local network level of demand projections, staffing levels required, the drivers of effective and efficient supply provision, models of care, specialty resources and capital and infrastructure requirements. It includes a substantial focus on station location and the type of resource required.

Service planning informs (and is informed by) benefits realisation for new programs and initiatives (such as SWEP, SWIFT). NSW Ambulance has also developed a model to assess ‘unmet demand’ which it uses when determining sites for potential resource allocation and supplementation. NSW Ambulance continuously monitors its need and priority for additional or enhanced ambulance services and considers the following criteria:

• volume of demand in town and surrounding area
• distance from any ambulance service
• current response times to emergency incidents
• modelled improvement in response times if an ambulance station was commissioned
• assessment of capacity and condition of closest ambulance station
• capacity of NSW Ambulance volunteer service to provide a response.

NSW Ambulance continuously reviews key inputs into the service planning methodology, in particular its demand project methodology.

The main output of NSW Ambulance’s service planning methodology is the creation of a whole-of-state service model which describes the clinical service levels for each ambulance station. A station’s clinical service level determines both the number of clinical staff required and its specific roster pattern, as well as the staff type (graduate paramedic, specialist paramedic, etc.). NSW Ambulance then creates station rosters in alignment with this model.

In addition to the demand- and activity-based evidence sources NSW Ambulance uses to inform its service planning, NSW Ambulance includes evidence-based analysis in its business cases to support NSW Government funding requests, which also contain thorough descriptions of how the proposed funding would be allocated.

Recent investments in the regional paramedic workforce have allowed NSW Ambulance to reduce the use of on-call rostering and improve the working conditions of regional paramedics

NSW Ambulance rostering practices allow for some stations to utilise on-call resources, which can cause fatigue among paramedics rostered on shift following an on-call period.

Announced in the 2018–19 NSW Budget, the NSW Government announced funding for the recruitment of an additional 750 FTE paramedic and call-centre staff over four years commencing in 2018–19. The Statewide Workforce Enhancement Program (SWEP) was designed by NSW Ambulance to enable improvements in efficiency, coverage, quality, safety and performance across New South Wales and achieve response performance targets.

The SWEP business case detailed the extent to which NSW Ambulance relied upon various forms of premium labour in order to maintain service delivery and to meet community expectations in terms of response performance. The SWEP business case identified that $20 million in premium labour savings after the four-year implementation program would be achieved by reducing over-reliance on overtime.

SWEP resulted in an additional 376 FTE positions across ambulance stations in regional NSW, and allowed NSW Ambulance to reduce on-call rostering:

• 22 regional/rural locations were converted to a 24/7 operating model removing overnight on-call
• Removal of on-call at four locations that were previously operating on a 24/7 roster with overnight on-call
• Reduction in on-call at eight locations.

NSW Ambulance measured premium labour savings achieved by monitoring callouts, crib-penalty payments, and dropped-shift overtime. In August 2022, as part of an internal review of the SWEP program, NSW Ambulance noted that the SWEP program achieved the reduction in premium labour expenditure and improved the working conditions of regional paramedics.

NSW Ambulance anticipates that recent changes to funding arrangements will result in a key program not achieving its intended benefits

In June 2022, the NSW Government announced a $1.76b investment in NSW Ambulance over a four-year period to fund 210 ambulance support staff (including the ongoing establishment of NSW Ambulance’s Virtual Clinical Care Centre (VCCC)), 1,878 new paramedics, 52 nurses, eight doctors, and build 30 stations.

Known as the Strategic Workforce InFrastructure Team program (SWIFT), NSW Ambulance designed the program to meet two objectives:

• firstly, to improve patient outcomes, and the probability of survival from immediately life threatening conditions.
• to achieve compliance with WHS obligations through the reduction of overrun shifts, overtime, and increase staff meal breaks.

When it was announced as part of the 2022–23 NSW Government budget, SWIFT was designed as a four-year program. However, recent changes to funding arrangements have changed the SWIFT timeframe and the program will now be delivered over seven years (at the same cost).

One of the key objectives of the SWIFT business case was to improve patient outcomes and the probability of patient survival by achieving response times within 15 minutes for 85% of P1 incidents by 30 June 2026. NSW Ambulance regularly reports and tracks performance on SWIFT indicators, and advises that as at 21 December 2023, the program was on track to meet the target.

NSW Ambulance modelled that the impact of extending the funding window from four years to seven years would add three years of additional demand growth and result in the program failing to achieve the 85% target by June 2026.

Appendix one – Response from agency

Appendix two – NSW Ambulance performance data

Appendix three – NSW Ambulance regional station map

Appendix four – NSW Ambulance key performance indicators

Appendix five – Types of patient transport operational across New South Wales

Appendix six – Scheduled psychiatric interhospital patient transfers

Appendix seven – NSW Ambulance governance bodies

Appendix eight – About the audit

Appendix nine – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 Parliamentary reference - Report number #398 released 27 June 2024.

About this report

The Regional Digital Connectivity program (RDCP) is intended to improve mobile coverage and internet connectivity in regional NSW.

The RDCP includes two funding programs, one for improving mobile coverage and the other for improving internet connectivity. Both programs provide grant funding to commercial telecommunications providers for eligible mobile and internet projects.

This audit assessed whether the Department of Regional NSW (the department) is effectively administering the RDCP to meet program objectives.

Findings

The department's approach to identifying priority areas for RDCP funding was comprehensive and it largely distributed funding in line with these priorities.

The department has not specifically defined the overall objectives of the RDCP. The department has developed business cases that set out each program’s respective objectives, but these do not consistently describe the objectives of the RDCP.

The department also has not developed an overarching investment strategy, which would assist it in addressing potentially conflicting priorities.

Deficiencies in project and risk management have contributed to delays in the department’s implementation of the program.

The department is not monitoring progress against outcomes, which limits its ability to demonstrate that the program is achieving its intended purpose.

The department did not meet its original mobile coverage performance target but met its internet connectivity target.

Recommendations

To improve RDCP administration, the report recommends that by June 2025, the department should:

1. develop an overarching investment strategy for the RDCP
2. outline the expected timelines for RDCP projects and ensure that these timelines are updated regularly
3. develop and report on RDCP outcome indicators
4. update the RDCP evaluation plan
5. update the expected benefits of the program to reflect changes in the RDCP.

The Regional Digital Connectivity program (RDCP) is funded through the Snowy Hydro Legacy Fund (SHLF). Under the Snowy Hydro Legacy Fund Act 2018 (SHLF Act), the purpose of the SHLF is to improve economic development in regional New South Wales and to fund infrastructure projects that primarily benefit regional New South Wales. A priority area for SHLF investment is delivering improved mobile coverage and internet connectivity in underserved and remote communities.

The RDCP has been implemented by the Department of Regional NSW (the department) since 2019. The RDCP is broadly split into two funding programs. The larger funding program is for improving mobile coverage and the other funding program is for improving internet connectivity and is referred to as the Gig State program. Both programs provide grant funding to commercial telecommunications providers for eligible mobile and internet projects.

Over $300 million from the RDCP was allocated to improve mobile phone coverage and increase the number of mobile service providers across regional NSW. The mobile coverage program is being delivered through the following sub-programs:

• Snowy Mountains Highway Safety project – co-funding with Snowy Hydro Limited to build five mobile towers along the Snowy Mountains Highway to improve mobile coverage.
• Active Sharing Partnership (ASP) pilot – co-funding with private providers to deliver active sharing mobile technology in regional areas.
• ASP main program – This is the main round of the mobile coverage program. A business case has been developed, but no funding has been distributed through this sub-program.
• Mobile Black Spot Program Round 5A – co-funding with the Australian Government’s Mobile Black Spot Program to deliver new or upgraded mobile towers in regional and remote locations.
• Mobile Black Spot Program Round 7 (MBSP7) – co-funding with the Australian Government’s Mobile Black Spot Program to deliver new mobile infrastructure.

Over $100 million from the RDCP was allocated to the Gig State program to improve regional internet connectivity through partnering with multiple providers and using a range of technologies suitable for rural and regional locations. The Gig State program was launched in 2019 and underwent significant changes in 2021 following an Infrastructure NSW deep dive review into the project. These changes to the program are referred to as the Gig State addendum. The Gig State program is being delivered through the following sub-programs:

• Cobar corridor connectivity – providing fixed wireless internet access to five locations between Narromine and Cobar.
• nbn regional NSW fixed wireless – co-funding with nbn to deliver new or co-located fixed wireless broadband towers in 56 locations.
• Wamboin, Bywong and Sutton connectivity – improving internet connectivity in these three towns as part of a NSW Government commitment.
• Regional Connectivity Program Round 3 (RCP3) – co-funding with the Australian Government’s Regional Connectivity Program to provide additional internet infrastructure.

The objective of this audit was to assess whether the Department of Regional NSW is effectively administering the Regional Digital Connectivity program to meet program objectives. The audit examined:

• how effectively the department identifies priority areas to target RDCP funding
• how effectively the department distributes RDCP funding in line with program objectives
• how effectively the department measures the performance of the RDCP.

The department has not specifically defined the overall objectives of the RDCP

The RDCP is delivered as part of the SHLF. Under the SHLF Act, the purpose of the SHLF is to improve economic development in regional New South Wales and, for that purpose, to fund infrastructure projects that primarily benefit regional New South Wales. One of the priority areas for SHLF investment is digital connectivity, which is being delivered through the RDCP.

While the purpose of the SHLF is set out in the SHLF Act, the department has not specifically set out the overall purpose and objectives of the RDCP and how it will focus the RDCP on achieving the SHLF’s purpose. Such a document would support future business case development, and support the coordination and prioritisation of objectives across the business cases that have already been developed.

While the overall objectives of the RDCP are yet to be defined, there are objectives set out in the business cases for the separate programs but these are not consistently described. The Gig State business case advises that the RDCP’s goal is to enable transformative long-term benefits for regional areas through investment in digital connectivity. This goal aligns with the purpose of the SHLF Act. However, this objective is not set out in the mobile coverage business case, or any other document, and it is not clear how the RDCP is intended to fulfil this objective.

The Gig State business case sets out three objectives for the RDCP that provide further definition to the SHLF Act’s purpose, though it is unclear how these were determined and whether these are intended to cover the entire RDCP:

• address the digital divide between regional and metro NSW
• resolve market failures in the regional NSW telecommunications market
• leverage Government assets and capabilities wherever possible.

The mobile coverage ASP pilot business case sets out a similar set of objectives, though there are some differences, such as the third objective being to ‘leverage Government assets and capabilities to achieve transformative results.’ It is important for the department to clarify the RDCP’s objectives to ensure a unified approach to investment decisions. At the time of the audit, the department’s website had a different set of objectives for the RDCP. They are:

• build digital infrastructure to increase capacity
• expand mobile coverage and provider choice
• improve internet service, speed and quality
• bridge the digital divide between regions and cities.

The department also provided a 2022–23 ‘division plan’, with goals for the mobile coverage and Gig State programs. These include:

•  extend and improve internet coverage to deserving locations in regional NSW
• investigate emerging digital technologies to improve connectivity
• deliver new and improved mobile coverage to regional NSW communities
• encourage competition in the regional telecommunications market.

While these different sets of objectives broadly align, there is no consistency across these business cases in describing the objectives of the RDCP. This indicates that there is a lack of clarity about the intended objectives of the RDCP. Further, the origin of the list of objectives in the ‘division plan’ is unclear. This reinforces the need to clearly define objectives for the overall RDCP.

Each business case the department has developed for RDCP programs has defined objectives that align with the SHLF’s purpose

The Gig state and mobile coverage business cases also define objectives for each program. These objectives align with the SHLF’s purpose, set out above. The Gig State business case advises that the purpose of the Gig State program is to:

• address the digital divide between metro and regional NSW so that the price, quality, and choice of digital connectivity options in metro areas are made available in regional areas of NSW
• resolve market failures in regional NSW telecommunications
• leverage Government assets or investment where appropriate to achieve transformative long-term benefits for regional areas.

The ASP pilot business case states similar objectives, though it does not mention the ‘price, quality, and choice’ stated in the Gig State business case. The ASP pilot business case also lists another three objectives:

• address mobile black spots where people live and work
• investigate new and emerging technologies to future proof mobile coverage in regional NSW
• promote consumer choice in the delivery of mobile services.

The ASP main program has a different set of objectives to the ASP pilot and include:

• reduce the digital divide and enhance social inclusion by improving mobile coverage in regional locations not covered by existing programs
• encourage competition in the regional telecommunications market to provide consumers greater choice, lower prices and improved services
• address commercial viability and technical constraints to providing mobile coverage in regional areas
• improve community resilience to emergency events through improved regional mobile service.

The RDCP program objectives align with relevant whole-of-government strategic objectives

There are several whole-of-government strategies that seek to guide government investment in digital infrastructure. While there is no document setting out the overarching objectives of the RDCP, the objectives set out for the mobile coverage program and the Gig State program align with these whole-of-government objectives.

The objectives align with the 2018 and 2021 ‘20 Year Economic Vision for Regional NSW’. For example, the 2018 ‘20 Year Economic Vision for Regional NSW’ sets out principles for regional NSW investment, including ‘Affordable, reliable and fast internet to support people and businesses.’

The RDCP sub-programs also align with the 2018 and 2022 State Infrastructure Strategies. In particular, the 2018 strategy has a set of recommendations around improving connectivity across NSW and another set of recommendations around investing in technology that improves productivity and social outcomes. One of the roles of the Gig State program is to help to implement the 2018 strategy’s recommendation to support statewide access to 50Mbps download and 10Mbps upload capacity by 2025. These speeds are specifically stated in the Gig State grant guidelines as an eligibility requirement for funded programs.

Both sub-programs of the RDCP also align with the NSW Connectivity Strategy. The NSW Connectivity Strategy has two directions of particular relevance: ‘All customers have metropolitan equivalent digital capacity’ and ‘Connectivity blackspots continually decrease across the State’. The first of these objectives has three strategic directions which are directly relevant to both the Gig State program and the mobile coverage program:

• remote, rural and peri-urban citizens can access and effectively use digital systems and services for employment, justice, education, health, social, personal and entertainment use
• Aboriginal and Torres Strait Islander communities have equitable access to connectivity that meets their local community needs
• connectivity services are affordable for citizens no matter where they live, with access to a choice of providers.

Elements of both the Gig State and mobile coverage programs align with these, including the focus on expanding access and affordability.

In regard to regional Aboriginal communities, the RDCP may also contribute to the NSW Closing the Gap Implementation Plan, as the merit criteria in the grant guidelines for mobile coverage and Gig State grants include the extent to which the project will contribute to sustainable procurement and employment outcomes, including supporting Aboriginal businesses and employment. The criteria for prioritising locations for mobile coverage also includes extending coverage to discrete Aboriginal communities as something which could improve the score given to an application. However, this is not set out as an explicit objective of the program.

The department has not set out an overarching investment strategy for the RDCP to address potentially conflicting priorities or identify situations where funding may not align with program objectives

As noted above, the overall objectives of the RDCP have not been defined. The department does not have an overarching strategy setting out program objectives, how funding will be aligned with these objectives, and how the objectives will be prioritised. It is important to set out funding principles to establish how the elements of the stated objectives will be delivered and prioritised. Not setting these out risks funding decisions that do not align with program objectives.

As noted above, the mobile coverage ASP pilot business case lists two objectives around addressing mobile black spots and promoting consumer choice in the delivery of mobile services. These objectives may be potentially in conflict as expanding coverage can be done by funding one carrier to expand their own network, while promoting consumer choice could conceivably be done by funding a carrier to expand their network into areas already covered by only one existing carrier, thus increasing competition in those areas.

The department has not set out the relative weighting of its objectives across the RDCP funding packages and how it will prioritise funding in accordance with them. An overarching strategy would assist the department with prioritising funding in accordance with the objectives of the program, including determining the relative weight of each objective.

In addition, the department has not described the extent to which price reductions in the cost of internet will be prioritised as an objective of the Gig State program. The Gig State business case sets out that one of the objectives of the program will be to provide metropolitan equivalent or better service, quality and pricing for internet services in regional areas. It is unclear how internet pricing fits into the overarching objectives of the RDCP given that it is not mentioned as an objective of the SHLF. There would be value in setting out strategic investment principles and objectives to guide this decision-making and clarify the extent to which internet investment is intended to fulfil this purpose.

A lack of clarity about program objectives may also have impacted decisions about funding priorities. For example, the Gig State program business case sets out a plan to invest in Low Earth Orbit (LEO) satellites through a subsidy program. As noted above, the Gig State business case sets out some objectives for the RDCP, including leveraging government assets. While an investment in LEO satellites through subsidies may assist with bridging the digital divide, it is not clear how this aligns with the objective of leveraging government assets. More clarity over program objectives and a clear investment strategy may assist with clarifying this and similar investment decisions in future. As discussed below, the investment in LEO satellites did not proceed.

The department comprehensively identified priority areas that require improved mobile coverage for the mobile coverage program

As outlined above, the final business case for the mobile coverage ASP pilot program identifies three objectives for the mobile coverage program, including addressing the digital divide between metropolitan and regional NSW, and resolving market failures in regional NSW telecommunications. The department identified priority areas for improved mobile coverage in line with these objectives. The department refined its approach to prioritising locations for the mobile coverage ASP main program which resulted in a more comprehensive analysis of potential sites.

The department developed and implemented a structured process using a range of criteria to identify and prioritise suitable locations for funding. Before allocating funding to its mobile coverage program, it was necessary for the department to determine areas that required additional mobile coverage. The department undertook this work for both its mobile coverage ASP pilot program and the ASP main program as part of designing the grant programs. A key source of information it relied on for identifying priority areas for the pilot program was the Australian Government’s National Mobile Black Spot Database. The database identified around 4,000 mobile black spot locations across NSW. This database is no longer in use as it relied on community reports of mobile black spots which were unverified.

For its mobile coverage ASP pilot program, the department applied a series of filters to the mobile black spots identified in the database. It removed metropolitan areas, areas within a 10km radius of an existing mobile tower site, and areas that had already been selected for funding under either Commonwealth or State funded programs, such as the Connecting Country Communities Fund. This left the department with a list of around 1,200 potential sites.

The department then mapped the 1,200 identified black spot sites to their respective 383 unique locations and assessed and prioritised the mobile black spots and locations against a range of economic, community and feasibility criteria. Under the economic criteria, the department prioritised areas that had higher numbers of employed persons and higher proportions of land being used for agriculture or farming. Under the community criteria, the department prioritised areas based on the increase in the population that would benefit from expanded coverage, the increase in Aboriginal and Torres Strait Islander people that would benefit from the coverage, the increase in the kilometres of highway and main roads that would benefit that were within five kilometres of a mobile black spot, and areas with more square kilometres prone to bushfires or flooding that would benefit. Under feasibility criteria, the department prioritised areas that were closer to government and nbn infrastructure. This process resulted in 50 prioritised locations containing 307 black spot sites across 34 Local Government Areas in NSW.

For its mobile coverage ASP main program, the department undertook a detailed coverage analysis to identify locations with no and limited mobile coverage. It identified these using the latest publicly available coverage maps from the three mobile network operators and the distance of locations from existing sites/towers as published by the Australian Communications and Media Authority and the Radio Frequency National Site Archive databases. Using this data as the key source of information in determining mobile coverage resulted in a more comprehensive outcome than relying on the National Mobile Black Spot Database. The department did not use the National Mobile Black Spot Database, as this information was considered unreliable and had not been updated since 2018, and the coverage maps were more reliable.

The analysis focused on locations with small populations, road corridors, and tourism locations. It identified 257 locations with no or poor coverage consisting of 68 small population locations, 117 road corridors and 72 tourism locations. The department then analysed these possible locations against a range of criteria. These included maximising the number of people and businesses that would be supported, increasing the extent of existing coverage, determining whether coverage would support government strategies or Premier’s Priorities, other positive social impacts, focusing on the greatest length of road and most heavily used roads, and maximising the number of tourism businesses and points of interest impacted.

The department conducted analysis based on these criteria and shortlisted 24 small population locations, 24 road corridor locations and 12 visitor economy locations. These locations were taken forward for concept design, cost estimation, and economic and financial appraisal as part of the final business case.

The department’s initial approach to prioritising Gig State funding was based around larger regional centres

The department undertook a two-stage process for identifying priority areas for Gig State program investment. The first involved the identification of larger NSW towns that would benefit from additional internet coverage and where data centres could be located, and the second involved a selection of more remote locations to receive additional funding.

The department did not undertake an initial detailed analysis of internet coverage across NSW to prioritise funding for the Gig State program. Undertaking this work would have been in line with the Gig State program objectives of addressing the digital divide between metropolitan and regional NSW and resolving market failures in regional NSW telecommunications. In order to meet these objectives, it was important to first establish the extent of the digital divide and market failure before seeking to resolve it.

Instead, it categorised NSW towns according to their relative size and importance from a connectivity perspective. It prioritised towns with larger populations and more business users to maximise the potential benefit of the infrastructure. The department also prioritised locations that were closer to other telecommunications infrastructure, and it also considered proximity to other potential elements of the Gig State network for greater connectivity and to ensure that it was taking a whole-of-State approach to investment decisions. This process identified 14 major regional towns.

The department then prioritised two of these regional towns, Dubbo and Wagga Wagga, due to the higher prices paid by NSW Government agencies in the two locations for average internet bandwidth usage when compared to other regional and metropolitan population centres across NSW. The costs to government were considered a proxy for how much business users are likely to be charged for connectivity services in regional NSW towns. The department conducted surveys in both towns indicating that business users were paying higher prices than their metropolitan counterparts for higher-grade connectivity. This aligned with the department’s Gig State program objectives which related to providing price, quality and choice.

The department also included five satellite towns along the road from Dubbo to Cobar (Cobar corridor) in the Gig State final business case as well as the towns of Wamboin, Bywong and Sutton. The department’s prioritisation of funding for these locations was not based on any detailed analysis of need. The department identified that as part of its initial plan to expand the internet connectivity from Dubbo to Cobar, it would be able to connect a number of towns between those two at a reduced cost. There was no analysis of alternative options for expending this money, such as expanding coverage to other areas, or to determine the extent of coverage required in each town. The Wamboin, Bywong and Sutton project was prioritised as a result of a $5 million NSW Government commitment. This project is discussed further below.

The department strengthened its approach to targeting Gig State funding in 2021

The department reviewed and updated its approach to the Gig State program in September 2021. As part of this, it revised its approach to targeting funding, including the use of additional data and identifying areas with greater digital connectivity issues. This represented an improved approach compared to the original business case and aligned more closely with the changes that were made to the Gig State program in 2021, outlined in the Gig State addendum, which focussed more on the delivery of fixed wireless services rather than data centres.

The department carried out an analysis of areas that only have satellite internet coverage (i.e., no fibre or fixed wireless internet availability) to identify areas suitable for different types of technology such as fibre optic cables, fixed wireless and LEO satellites. This was more in line with the Gig State program objectives of addressing the digital divide and resolving market failures. It identified that these locations had challenging digital connectivity issues that were not likely to be resolved without government intervention. This process identified around 1,000 locations. This list was then refined by looking to maximise the number of premises and businesses, maximising the density of premises, prioritising locations with other Government assets, mobile sites and other technology available in the area, and locations close to an existing exchange to leverage existing infrastructure.

The location list was then prioritised based on scoring criteria for economic drivers, feasibility, risk and stakeholders. The economic criteria included the number of residential and business premises, the number of businesses, and the estimated construction costs for the infrastructure. The feasibility criteria included availability of existing and planned infrastructure. Stakeholder related criteria included identifying synergies with other government led programs, as well as sites that scored low on Australian Digital Inclusion Index (ADII) scores and the Socio-Economic Indexes for Areas. These criteria are appropriate and align with the objectives of the Gig State program.

The department’s process resulted in a list of 23 prioritised areas. These were generally areas with a higher density of premises and affordable access to infrastructure for power supply and data transmission.

The department considered socio-economic data when planning for Gig State and mobile coverage programs but did not use this to inform its pilot mobile coverage program

NSW Government Business Case Guidelines (TPP18-06) state that one of the main reasons for government action is promotion of equity where the distribution of economic costs and benefits is considered inequitable. It is therefore important for the department to consider socio-economic data in the planning of the RDCP.

The department has included some socio-economic data and ADII scores in the profiles it developed for each Local Government Area. It applied socio-economic data to identify additional priority areas for new and improved internet coverage through the Gig State program. However, it did not apply this data to identify priority areas across the pilot mobile coverage program of the RDCP. It improved its approach when developing the ASP main program by including socio-economic data as a component of its scoring for prioritising locations.

The department considered socio-economic data when selecting locations for grant funding. The mobile coverage grant guidelines and the Gig State grant guidelines both include merit criteria that consider whether the proposed solution would address disadvantage within a community. Both guidelines ask the grant applicants to consider the Index of Relative Socio-economic Advantage and Disadvantage.

The department engaged with key stakeholders when developing the RDCP

Under TPP18-06, NSW Government departments are required to identify and consult with key stakeholders as they can contribute to the development of the investment proposal by providing their expert opinions, research, and evidence.

The department identified key stakeholders, developed stakeholder engagement plans, and used feedback gained through consultations to design and adjust the RDCP. Key stakeholders have been involved on the RDC Steering Committee and the RDC Project Control Group ensuring that they have an avenue to provide input into the overall RDCP. This includes the Commonwealth department responsible for telecommunications infrastructure and telecommunication providers.

The department engaged with stakeholders when developing the ASP pilot program. As discussed below, the department transitioned the program from a one-stage pilot program, where telecommunication providers would be procured to provide the solution, to a two-stage program where the department would first work with telecommunication providers to identify technical solutions and then carry out the procurement. This involved significant engagement with stakeholders to identify the technical solution and procurement model.

The department has assessed the suppliers of internet and mobile connectivity to determine their capacity and willingness to participate in RDCP sub-programs

As part of procurement planning, when building a business case, NSW Government agencies are required to analyse and engage with the market. This involves developing a profile of the market, the capabilities of suppliers, innovative and emerging technology, and factors that influence the market such as customer preferences and competition.

The department considered the capacity of telecommunications suppliers, their level of interest, and willingness to participate in the program when developing the business cases for its mobile and internet coverage programs. In addition to doing this when constructing initial business cases, the department adjusted its approach when market factors changed, as evidenced by the changes it made to its Gig State program in 2021. In September 2020, the nbn announced an expansion of its fibre network nationally, with a focus on regional improvements. This meant that internet coverage for some of the locations included in the Gig State business case would be addressed by nbn and continued investment was not needed in those areas. The initial Gig State business case also planned an initial investment in data centres in regional NSW. Following this, a private market operator also announced plans to construct 14 regional data centres across NSW. This meant that the planned Gig State data centres were no longer required. The department changed it approach to avoid duplication by ceasing its planned internet coverage expansion into regional centres, including the data centres, and prioritising a range of new sites for coverage.

Conflicts of interest and probity procedures have largely been followed, although there were some gaps in declarations

Maintaining a record of conflict of interest declarations is important to provide a higher level of transparency, and therefore control, over officials in high-risk roles. Disclosing an interest before it becomes a conflict of interest also reduces the likelihood that an official will be tempted to conceal or favour the interest.

Conflict of Interest declaration forms have been completed for staff involved in the mobile coverage program, Gig State program and the Australian Government co-funded Regional Connectivity Program Round 3 (RCP3) and Mobile Black Spot Program Round 7 (MBSP7). Whilst the list of declarations is extensive, it is unclear whether it includes all relevant staff from the department, the NSW Telco Authority and consultants involved with the program.

In relation to the mobile coverage and Gig State programs, there was no declaration recorded for one consultant and three staff from the department, including the program sponsor. These omissions have the potential to create risks that conflicts of interest go unmanaged. The department advises that the register is now complete for all those working directly on the program. It also advises that, due to the breadth of programs senior staff oversee, conflicts of interest are managed by the department's Governance team centrally through a Declarations App.

Four declarations of a ‘real, potential or perceived conflict of interest’ were made under the RCP3 and MBSP7 grant programs, which were co-funded with the Australian Government. No declared conflicts were made for the other programs. The identified conflicts of interest have documented actions to manage them, and there is evidence to indicate that these were implemented. For example, a senior staff member and a consultant excluded themselves from parts of a grant process due to declared conflicts.

The NSW Grants Administration Guide states that officials must seek probity advice for all grant opportunities that are complex, high-risk or high-value, to support the design, application, assessment and decision-making phases. The department followed appropriate probity processes throughout and these probity reports did not find any material breaches of probity in the grant processes.

There have been delays in all streams of the RDCP which may have been reduced through proactive project and risk management

The business cases set out expected timelines for each program of the RDCP. The department has not met any of these expected timelines, with some projects delayed by over a year compared to their initial planned timelines. Some of these delays have been caused by changes to the department’s approach to the mobile coverage and Gig State business cases. While some of these changes were outside of the department’s control, others could have been anticipated and better managed by a stronger approach to project management and risk management.

Exhibits 1 and 2 set out the status of each Gig State and mobile coverage project reviewed as part of this audit as at April 2024 and the planned completion date for that project at the outset of the program. Note that this does not include projects co-funded by the Australian Government due to the department’s limited ability to influence the process. This also excludes projects which have not yet distributed funding, such as the mobile coverage ASP main program.

Source: Audit Office analysis.

Source: Audit Office analysis.

As can be seen from Exhibits 1 and 2, each project in the RDCP has been delayed past its initially planned completion date, and the Wamboin, Bywong and Sutton project has been delayed past both its original planned completion date and also the revised completion date in the Gig State addendum.

Some of these delays can be accounted for by the fact that the department revised its approach to both the mobile coverage ASP pilot and the Gig State programs. While some of these changes were outside of the department’s control, others could have been anticipated and managed by more proactive risk management. In the case of the mobile coverage program, some of this change in approach may have been foreseeable. The March 2021 mobile coverage ASP pilot business case set out a one-stage tendering process with construction planned for completion in June 2022. The department revised this approach in July 2021, when it changed to a two-stage process involving a technical stage and then a grant process. This was the result of additional research by the department that identified that the market may not have sufficient interest in the initial proposed approach. Undertaking this additional research earlier may have allowed for this alternative approach to be identified sooner.

In addition, the department only allowed two months in the business case for contract negotiations with providers for the mobile coverage ASP pilot program, however this has taken a significantly longer time and in one case has been ongoing for over twelve months. Given the complexities of the funding deed negotiations, this may also have been foreseeable. The department advised that some delays in the mobile coverage program can be attributed to the proposed merger of major mobile network operators which delayed funding deed negotiations.

As with the mobile coverage program, the Gig State program was also delayed by a change in approach, though this was driven by market changes. As part of the original Gig State business case, the department intended to deliver data centres in regional NSW, as well as expanding internet coverage. The business case was approved in December 2019 and the department intended to complete the Gig State program in June 2022. Little progress had been made by the time that the Gig State program underwent a significant change in scope following a review in September 2021. The department removed some aspects of the original business case, such as the construction of data centres in regional NSW, and changed the approach to other parts of the business case. The revised business case, called the Gig State addendum, delayed the planned delivery date of some projects into 2022.

The most significantly delayed sub-program has been the expansion of internet access to the towns of Wamboin, Bywong and Sutton as part of the Gig State program. In January 2019, the NSW Government announced $5 million of funding to provide internet access to these towns. The department ran a tender for this work in mid-2021 with a plan to start construction in late 2021. However, this tender resulted in no contract being awarded due to no providers being willing to provide the project within the proposed $5 million budget. The department started working on technical solutions with providers in late 2021 and gave them until May 2022 to identify solutions and potential budgets. The contract for Wamboin, Bywong and Sutton was executed in June 2022, with an expected completion date of June 2024, though given delays with construction this date will not be met. As discussed below, if the department had provided better advice to Government on the expected costs at the planning stage, it may have reduced the delays in this sub-program.

The department has not effectively managed RDCP timelines

The department has provided limited evidence of effective project management in place to monitor overall progress against program timelines, such as regularly updating a detailed project plan. The department may have identified and managed the above delays sooner through a stronger project management approach.

The department set out timelines at the outset of each of the sub-programs. This was not always done in detail but for all the sub-programs at least key milestones were mapped. While this was done at the outset, there is no evidence that the department regularly updated timelines across the various sub-programs to ensure that these projects were on track and to monitor expected completion dates.

The department provided regular updates on project status to relevant governance committees. This included providing information on upcoming milestones and associated delays. However, holistic monitoring of program completion dates and the impact of delays on subsequent milestones was not presented to the governance committees. As a result, there has been little monitoring and oversight of how projects are tracking against their target end dates.

Gaps in the governance framework have limited the oversight of the implementation of the RDCP

There are three key committees that oversee the implementation of the RDCP: the SHLF Steering Committee, the RDC Steering Committee, and the RDC Program Control Group. These three committees are intended to provide oversight of the implementation of the RDCP, however there are deficiencies that limit the effectiveness of their oversight.

The SHLF Steering Committee is intended to provide oversight of all programs funded through the SHLF, including the RDCP. Despite an intended meeting schedule of quarterly, the committee only met once in 2023 and three times in each of 2021 and 2022. While the Committee did receive reports on each of the programs funded through the SHLF at these meetings, this reporting did not identify any key risks for these projects that might affect achieving the objectives of the SHLF. This reduces the level of oversight that the SHLF Steering Committee can provide for these projects.

The RDC Steering Committee provides oversight of the RDCP and is intended to act as an escalation point for key issues in the program. While the committee receives regular reports on the components of the RDCP, including on program risks, there are some gaps that limit the oversight it can provide. The committee operated throughout 2021, 2022 and 2023 without finalised terms of reference, which were finalised in February 2024. Prior to this, it was unclear how often the RDC Steering Committee was intended to meet, but it met only four times in 2023 compared to six in 2022.

The RDC Steering Committee terms of reference include a role for the committee in making key decisions around program strategy and implementation. Prior to 2023, the committee was involved in many key decisions. For example, in 2022 it endorsed decisions around the ASP pilot grant guidelines. By contrast, a review of meeting minutes since the start of 2023 shows that the RDC Steering Committee has not made decisions or provided endorsements for any key decisions. The committee was not involved in endorsing the MBSP7 and RCP3 grant guidelines in 2023 and was not involved in strategic decision-making about the budget reprofiling in 2023 and the decision to remove the LEO satellite pilot from the Gig State program scope.

The RDC Program Control Group did not have terms of reference until February 2024. The purpose of the RDC Program Control Group is to oversee and support the strategic direction and implementation of the RDCP. This should be carried out through regular meetings and reporting, however the control group only met six times in 2023 despite an intention that they would meet monthly. The expected meeting frequency has since changed to every six weeks.

The RDC governance committees routinely discuss risks, but the department did not identify or mitigate all key risks at the outset of the program

The department has a structured approach to risk management for the RDCP, though this risk management approach has not always succeeded at mitigating key risks. The RDCP program team identified a number of key risks at the outset of each program and designed mitigations for them. In addition, the RDC Steering Committee and RDC Project Control Group both receive risk reports and discuss risks at meetings where appropriate. This reporting indicates a proactive approach to risk management throughout the program.

However, not all key risks were successfully mitigated or identified at the outset of the program. For example, one of the key causes of delays with the mobile coverage program has been protracted contract negotiations. Despite the fact that the program team understood the complexities of the mobile contract negotiations that would be required, this was not identified as a risk at the outset of the program. Later in the program this was identified by the RDC Program Control Group and Steering Committee as a key risk. While the risk was identified, it was not sufficiently mitigated, as demonstrated by the delays that resulted from the contract negotiations.

Other risks were not identified at the outset of the program. For example, the Snowy Mountains Highway Safety program was delayed due to the need to get development approval from the National Parks and Wildlife Service. There is no separate risk register for the Snowy Mountains Highway Safety program, and the potential for delays due to approval processes is not mentioned in any of the overall mobile business cases. Stronger initial project management may have allowed for this to be identified.

The Wamboin, Bywong and Sutton internet coverage program has been delayed numerous times throughout the course of its delivery. One of the key delays in 2023 was that, after the contract was signed and building works had commenced, it was discovered that challenging ground conditions with a higher than anticipated rock concentration around the towns was delaying construction. Potential delays from construction issues were not foreseen in the Gig State program risk register. While the specific issues relating to ground conditions may not have been easily foreseeable at the outset of the program, the department’s evaluation of potential providers in 2021 noted that rock was present and could have an impact on the cost of the program. It is reasonable to expect that this would have led to additional risk mitigation at the time, detailing the potential impact of the rock concentration on both cost and timelines. When the issue was eventually discussed in the RDC Project Control Group in 2023, the only mitigation for the risk was to review and monitor the existing and future schedule. This was not sufficient to mitigate the risk.

The department conducted cost-benefit analyses for all RDCP sub-programs, but did not implement the element with the highest return on investment

The ‘NSW Government Guide to Cost-Benefit Analysis’ requires that a cost-benefit analysis (CBA) be undertaken for capital, recurrent or ICT projects valued at more than $10 million. Undertaking a CBA provides a benefit-cost ratio (BCR) which helps to determine if a program will provide a net benefit to the people of New South Wales. A BCR greater than one indicates that the benefits will exceed the costs. For programs funded through the SHLF, such as the RDCP, there is no requirement for a program to achieve a BCR of greater than one.

The department conducted a CBA for the Gig State and mobile coverage programs, as well as all the sub-programs under both programs, including revising the CBA for the Gig State program after it was reviewed in late 2021. The BCR for the mobile coverage and Gig State programs are shown in Exhibit 3. Only the Gig State initial business case achieved a BCR of one, meaning that it delivers benefits equivalent to its costs. However, when this program was amended in 2021, this BCR reduced to 0.62. When combined, the RDCP does not have a BCR greater than one, meaning that it represents a net cost to New South Wales. However, as noted above, there is no requirement for the RDCP to reach a BCR of one.

Source: Department of Regional NSW.

The highest BCR was calculated for the planned investment in Low-Earth Orbit (LEO) satellites which is an element of the Gig State addendum, but this investment did not go ahead. LEO satellites can be used to provide digital connectivity to isolated properties. They sit closer to the Earth’s surface than a geostationary satellite and can transmit data with lower delay and improved connectivity. This LEO satellite pilot was identified to deliver a BCR of 2.62, including approximately 40% of the benefits attributable to the Gig State addendum. The Gig State addendum anticipated that the pilot would commence in 2022, however the department did not proceed with this. The 2023 budget reduced the funding for the Gig State program, and the department decided to discontinue the proposed pilot. The department advises it plans to revisit the LEO satellite project in mid 2025.

The RDCP’s grant guidelines largely comply with mandatory NSW Government requirements

In September 2022, the NSW Government released the revised ‘Grants Administration Guide’ (the guide) which, among other things, sets out mandatory requirements for NSW Government grant guidelines. Premier’s Memorandum ‘M2022-07 Grants Administration Guide’ makes it mandatory for agencies to follow the requirements of the guide for all grants released from 19 September 2022.

The guide states that clear and consistent grant guidelines must be prepared that contain the purpose and objectives of the grant, selection criteria (comprising eligibility and assessment criteria) and assessment process, grant value, opening and closing dates, application outcome date, the source agency, and the decision-maker.

The department developed grant guidelines for grant schemes funded by the RDCP. The guidelines explain the application and selection process, eligibility criteria and assessment criteria, and key dates. These include:

• Mobile Coverage Project – Active Sharing Partnership Grant Guidelines (September 2022)
• Gig State Grant Guidelines (October 2022)
• NSW Government Co-Investment in RCP3 and MBSP7 Program Guidelines (July 2023).

The guidelines for these three grant programs largely align with the requirements of the guide, but there were some gaps. The ASP pilot and Gig State program guidelines both note the contact person for complaints, but the RCP3 and MBSP7 guidelines do not state this. While the RCP3 and MBSP7 guidelines set out the relevant decision-maker and the role of key individuals in the assessment process, the guidelines for the ASP pilot did not identify the decision-maker and the Gig State Grant Guidelines did not provide the membership of the assessment panel making the recommendations.

The department’s grant programs were designed to target identified priority locations

Across the RDCP sub-programs, the department designed grant programs in a way that targeted funding towards its priority locations and other locations that met its eligibility criteria. The department has not been prescriptive about locations that would be funded through grant programs, but designed the programs in a way that encouraged providers to co-fund either the target locations or those that fit the criteria that the department was interested in funding.

For the Gig State grant program, the department released a list of preferred locations to potential applicants. The grant guidelines make clear that any proposals to build infrastructure to provide coverage to these areas would be given preferential treatment. The merit criteria are also aligned with this as the department awarded additional points for providing coverage to the target areas. Locations outside the preferred list were also eligible, provided they met the grant program’s objectives and eligibility criteria.

Similarly, for the mobile coverage ASP pilot program, the department released a list of preferred locations to potential applicants. The grant guidelines similarly encouraged potential applicants to follow this target list, both in terms of eligibility and also in terms of the way that the grants program provided additional points for providing coverage to the target areas. In addition, applicants could consider locations outside of the preferred list provided they met the grant program’s objectives and eligibility criteria set out in the grant guidelines.

For the co-funding opportunity with the Australian Government’s RCP3 and MBSP7 programs, a list of target locations was again provided. Applicants could consider locations outside of the target locations provided they were still eligible under Australian Government requirements for the RCP3 and MBSP7. Alternative solutions that provide mobile coverage on road corridors and mobile solutions for First Nations communities in other remote and very remote NSW locations could also be considered, however, funding was to be allocated to target locations and target transport corridors as a priority.

The department was not able to demonstrate a similar approach for the co-investment in the Mobile Black Spot Program Round 5A. The Australian Government developed eligibility criteria for the program, which align with the department’s mobile program objectives.

The department has selected grant recipients in line with its funding priorities

The department developed grant guidelines and an assessment methodology for the Gig State program and the ASP pilot program to guide its assessment panel, and applicants, through the process. The department assessed the applications for the Gig State and the ASP pilot grant programs against the eligibility and merit criteria contained in its guidelines, and in accordance with its assessment methodology. This resulted in the department funding locations that aligned with its target locations or areas that were in line with the purpose of each grant opportunity.

For the Gig State grant program, the department determined that projects were to be located in one of the 93 regional NSW Local Government Areas (LGA) identified in the grant guidelines. Eligible locations were in areas where internet access was via satellite services only and there were no committed or planned projects for fixed services in the area. The assessment panel for the Gig State grants recommended projects in 34 eligible locations from four applicants, for funding totalling $58.3 million (excl. GST), intended to bring improved connectivity to around 13,900 premises.

For the ASP pilot program, eligible locations were areas of regional NSW, where there was no existing handheld coverage provided by any Mobile Network Operators (MNO) or existing handheld coverage was provided by only one MNO. The assessment panel for the ASP pilot grants recommended 32 projects for funding totalling $30.4 million (excl. GST), intended to improve mobile coverage across ten regional LGAs. All other projects were considered not suitable for funding or ineligible.

The department provided a list of preferred locations for both grant programs. Applicants received a marginally higher score against assessment criteria if they put forward a preferred location but the location they identified could still be accepted if it was not in a preferred location but met the eligibility criteria. Funding was allocated to the majority of the Gig State program preferred locations identified in the Gig State business case addendum, but funding was allocated to only two of the 23 preferred locations identified in the business case for the ASP main program.

For the grants co-funded by the Australian Government (RCP3 and MBSP7), the department prioritised and selected grant recipients based on whether they met the eligibility criteria. It developed an assessment methodology to guide the assessment panel through this process. A probity advisor was present at both assessment panel meetings.

The department intends to further verify the RCP3 and MBSP7 application’s compliance with the RDCP objectives and eligibility criteria, following the assessment of applications by the Australian Government. Once verified, deeds will be negotiated and issued.

The department did not advise Government on the full cost of the Wamboin, Bywong and Sutton project, leading to a protracted and difficult process

The department’s process for awarding the grant to construct a fibre network for internet connectivity in the Wamboin, Bywong and Sutton regions was complex. The department appears to have estimated the initial costs of this program to be significantly higher than the funds allocated to the project. The department did not advise Government of this, and conducted the tender process based on the budget of $5 million committed by the Government. This budget proved insufficient, and the department had to request additional funds to contract the project. Not providing this advice to Government at an earlier stage means that the process which followed was more complex and protracted than it may have been if the department had provided this advice.

In January 2019, the NSW Government announced that it would provide $5 million to upgrade internet in the Wamboin, Bywong and Sutton region based on costings undertaken by a local community organisation. The department included this cost in the Gig State business case in December 2019 and also the Gig State addendum in September 2021. Documentation from late 2020 indicates that the department conducted an initial estimate that the full cost of the Wamboin, Bywong and Sutton project would be up to $16.3 million. It is unclear whether this was conducted before the Gig State business case was completed. The department was unable to provide the analysis that led to this initial cost estimate to the audit team. However, this indicates that the department was aware that the cost of the project would be greater than $5 million but did not provide this advice to Government. The additional cost was to be funded from the remainder of the Gig State business case.

In mid-2021, the department commenced a tender process with a budget of $5 million in January 2021. Only two applicants responded to this initial request for tender, and only one was evaluated as meeting the technical and construction requirements of the project. The cost estimates provided in the complying tender response were significantly higher than $5 million. As a result, the department did not award a contract following this tender.

The department then planned to undertake an in-depth analysis into alternative technology options. It noted the most promising option in terms of speed of delivery, quality of service, and value for money was LEO satellites. The department was unable to provide a copy of this analysis and so it is unclear the extent of the work undertaken to find alternative solutions for Wamboin, Bywong and Sutton rather than the construction of a fibre network to the premises.

After the initial market approach resulted in no contract being awarded, the department altered its procurement approach. A closed Expression of Interest (EOI) was sent to both respondents to the request for tender in November 2021 seeking a recommended technical solution, a proposed delivery method and timeframes. Both respondents achieved satisfactory scores for the EOI and were invited to submit a detailed design. As the department had determined through the tender process that the budget of $5 million was insufficient to ensure that it could provide internet services across the Wamboin, Bywong and Sutton region, the budget limit for the procurement was increased.

Both respondents submitted a detailed design and in May 2022 the department received approval to negotiate. The unsuccessful respondent scored marginally higher against the selection criteria. However, the assessment team considered that their proposal contained too much unmitigated risk. In May 2022, the department received approval to proceed to the negotiation phase with the successful proponent. Following this negotiation, a $9.5 million grant was awarded to the successful respondent to connect 1,352 premises. Around 140 premises were not included in the scope due to the significantly higher costs in connecting these premises.

The project cost has since increased to over $12 million, in part due to challenging terrain and ground conditions. Additional funding of around $1.7 million was also approved to connect an additional 134 properties that were identified during the detailed design phase. The department advises that these were initially missed due to boundary changes, incorrect council records and quality issues in the geospatial databases. It indicated that this is a separate group of properties to the 140 premises that were excluded due to higher connection costs.

The fact that the Wamboin, Bywong and Sutton project has a total cost of over $12 million, more closely aligned with the department’s internal cost estimate, indicates that fully advising Government of the costs may have saved significant time in the delivery of the project.

The department monitors the progress of its grant agreements but has not formalised its acquittal process

The department receives progress reports and milestone reports from grant recipients to assist in monitoring the progress of RDCP projects and assess if works provided match the requirements listed in the grant funding agreements. It also advises it has regular meetings with grant recipients, although no minutes are kept of these meetings.

The projects that have progressed to the construction phase are:

• Mobile coverage to Brewarrina and Wilcannia through the mobile coverage ASP pilot
• Improved internet to Wamboin, Bywong and Sutton.

The department receives regular progress reports for both projects, including some photographs and technical drawings. The reports provide information on progress against milestones and any changes to expected completion dates.

The department receives quarterly progress reports on improved internet for the Cobar corridor and the 56 other sites scheduled for fixed wireless internet, which are yet to progress to construction. The current scheduled completion date is March 2025. It also receives monthly reports on progress with mobile towers it is co-funding with the Australian Government as part of the Mobile Black Spot Program Round 5A.

The department provided few acquittal process documents or milestone acquittal documents, apart from the site qualification report for the Cobar corridor and its evaluation of the detailed design for the Wamboin, Bywong and Sutton project. The department advises it has an acquittal process in place for processing milestone reports, however it is yet to formalise this process. The three projects which have progressed enough to require acquittal are Wamboin, Bywong and Sutton, Wilcannia and Brewarrina, and the Cobar corridor.

The department has provided funding deeds for each project it has funded. Whilst the deeds include milestones, they do not include the dates for each milestone making it more difficult for the department to track the progress of each project.

The department’s approach to reporting its expenditure on consultants is inconsistent and does not always meet reporting requirements

Under the Annual Reports (Departments) Regulation 2015 agencies are required to report any consultancy engagements over $50,000 in their annual reports. The NSW Procurement Board Direction PBD-2023-05 Engagement of professional services suppliers defines a consultancy agreement as a type of professional services agreement where a person or organisation is engaged to provide recommendations or professional advice to assist decision-making by management.

The department has several professional services agreements as part of the RDCP, some of which are consultancy engagements within this definition and some of which contain elements of the contract that would be considered a consultancy agreement. For example, one of the major consultancy agreements involves providing strategic advice across the Gig State program, as well as providing advice on market engagement, and reviewing technical advice. This aligns with the definition of a consultancy agreement as the contracted organisation is providing professional advice to assist decision-making by management.

The department has not reported any of its agreements used as part of the RDCP in its annual reports, despite having several agreements that exceeded the $50,000 threshold which may fall into this definition.

The department advises that the agreements are categorised in the General Ledger as contractors and as such, are not required to be reported in the Department’s Annual Report. This interpretation is not in accordance with NSW Treasury and NSW Procurement Board requirements. It also identifies one contracted consultant as a ‘consultancy’ in its contract variation documentation but has not reported this expenditure in its annual reports.

Further, the department has not applied its interpretation consistently. For example, it has reported the preparation of some strategic and business planning documents as consultancies in its annual reports and not others.

The department is not monitoring the outcomes of the RDCP

Measuring outcomes of a program is important to determine whether that program is fulfilling its intended purpose. While many elements of the RDCP are still at an early stage, there is value in monitoring the outcomes of those elements which have completed construction to inform project implementation. There are no outcome measures for the effectiveness of the RDCP as a whole, and only limited measures for the mobile and Gig State programs. The department has the following outcome that it has set out for the Gig State program:

• Improve the digital connectivity (accessibility) in rural and remote NSW communities.

When developing the final business case for the Gig State program, the department utilised the ADII scores to identify the digital divide between Metropolitan Sydney and rural NSW. The ADII uses data from the Australian Internet Usage Survey to measure digital inclusion across three dimensions of access, affordability and digital ability. While the department utilised the ADII to determine the baseline for accessibility of digital connectivity in regional and remote NSW communities, the department is not using the ADII to measure whether the program has led to improvements in these communities. This limits the department’s ability to determine whether the RDCP has met its objectives.

At the time of the Gig State business case being developed, rural NSW ADII scores were reported, allowing the department to utilise the figures as a baseline, but since 2020 these are not publicly reported. The department is in the process of determining how it can use ADII scores to measure the performance of the program over time.

In addition to the Gig State program outcome measure, the department has one outcome measure for its mobile coverage program:

• Square kilometres with improved mobile coverage in regional NSW.

This outcome measure will not allow the department to understand the impact of the RDCP’s mobile coverage program. While measuring the number of square kilometres of coverage will allow the department to determine whether the mobile towers it is funding are achieving the intended extent of new mobile coverage, it will not allow the department to measure the quality of service, price of coverage, and other key information that could measure the impact of the new coverage.

In December 2023, the NSW Telco Authority released the NSW Digital Connectivity Index (DCI), which provides an overview of connectivity in each LGA and suburb across NSW. Each LGA and suburb is given a score out of 100 for access, affordability and demographics (as a proxy for the ability to use technology). The DCI includes several data points, including coverage from telecommunications providers, mobile signal strength, and internet speed. Given that the DCI includes useful data points and can allow for data to be inspected at the suburb level, there is an opportunity for the department to use this to identify the impact of its program both at a statewide level and in regions targeted for funding. However, the department has no plans to utilise the DCI to measure program performance.

In addition to not collecting data to measure the overall effectiveness of the RDCP, the department is also not collecting data to measure whether a number of the objectives of the Gig State and mobile coverage programs are being achieved. For example, both programs aim to reduce the price of digital services in regional areas, however there is no measurement of price in place to determine whether this is being achieved. Similarly, there is no plan in place to measure the speed of internet services or signal strength for mobile services, despite improvements in these things being part of the objectives of both programs as set out in their business cases.

The department is also not measuring whether there are improvements in competition in the mobile market through the mobile coverage program, despite one of the objectives of that program being to encourage competition in the regional telecommunications market. The department also has no plans to measure its contribution to the Closing the Gap target to understand the impact of the RDCP on Aboriginal communities. This is despite it identifying that seven locations with current or pending funding will support discrete Aboriginal communities. Four of these locations are part of the ASP project for Wilcannia and Brewarrina, and the other three are funded through the MBSP7 project.

The department has some output performance measures in place for the RDCP, but these focus on contracted outputs rather than outcomes

The department has identified performance measures for the program in reporting templates, in its final business cases for the Gig State and mobile coverage programs, and in its evaluation plan for the RDCP. These performance indicators measure the outputs of the program rather than the outcomes that would demonstrate whether program objectives have been met.

The measures that the department uses to report to NSW Treasury as part of its budgeting process have changed over time. Until June 2023, the department used two key output measures to determine the progress of the RDCP:

• Number of premises covered by signed contracts to deliver upgraded internet connectivity.
• Number of sites with signed contracts for new mobile coverage.

As noted, these are output measures and will not enable the department to determine whether the project is delivering its intended purpose. Since July 2023, the department has used two output measures:

• Number of premises covered by signed contracts to deliver upgraded internet connectivity.
• Contracted square kilometres for new and improved mobile coverage.

These four measures relate only to contracted coverage and do not provide a clear picture of ongoing progress with the construction and connection of new mobile and internet projects. Projects can have long lead times for a variety of reasons such as acquiring access to land, designing a solution and the time required to construct the solution. In addition, only measuring contracted coverage will not enable the department to determine whether these outputs are being delivered and will not reflect delays in those stages, nor will it enable the department to determine whether the towers are achieving their intended purpose. While there is value in measuring contracted coverage as an early lead indicator of performance, there is also value in reflecting the current state more accurately through measuring the progress of the construction of each project.

The department did not meet its original mobile coverage performance targets but met its Gig State program target

As noted above, the department had three metrics that it was using to measure the RDCP until June 2023. The department successfully achieved its Gig State program target but did not achieve its mobile coverage program targets. Exhibit 4 shows the results against targets for the RDCP measures. As can be seen, the result for square kilometres of improved mobile coverage delivered was significantly below the target.

* This comprises two towers funded through the ASP project and 22 towers co-funded through the Australian Government’s Mobile Black Spot Round 5A. This does not include five small towers for the Snowy Mountains Highway Safety project as the department has identified these as a temporary service.

Source: Audit Office analysis.

The department revised its performance measures after June 2023. This included revising output targets for the mobile and Gig state programs. The updated performance targets can be seen in Exhibit 5. The mobile coverage program performance measure was changed to measure the contracted square kilometres of new coverage rather than the actual square kilometres of new coverage. At the same time, the target value increased from 36,000 square kilometres to 60,000 square kilometres. The target value for the Gig State program was also updated compared to the 2023–24 target.

Source: Department of Regional NSW.

The department had nearly achieved its December 2025 target for contracted upgrades to internet connectivity by June 2023. As can be seen in Exhibit 4, 13,330 premises were covered by signed contracts to deliver upgraded internet connectivity as at June 2023.

In early 2023, the department estimated that it would have 12,279 square kilometres of new or improved mobile coverage delivered by December 2025. The department advised that it is likely to deliver on this forecast as early as December 2024, through its co-funding of two ASP locations and 22 locations under the Commonwealth’s Mobile Back Spot Program 5A.

There is uncertainty around whether the data the department is using is reliable to measure its performance

The department is collecting or planning to collect data from grant recipients to determine whether they are delivering the intended projects to the required quality. The funding deeds contain obligations on the quality and extent of the services to be provided by grant recipients and require that the contracted organisations report to the department on the construction and the extent of coverage (new ground covered for the mobile towers and number of premises connected for internet coverage). This aligns with the output measures set out above. The department is not collecting information that it could use to inform outcome measurement as part of its grant funding deeds with each grant recipient.

Grant recipients provide the department with the data that it has requested in line with the terms of the funding deeds. This information is collected through a regular schedule of status reporting. These status reports include information on progress with internet or mobile coverage, including the number of premises that will be able to connect to a service.

Information on the availability of fixed fibre connections to premises should be reliable, as with the Wamboin, Bywong and Sutton project. However, data on the availability and quality of fixed wireless internet connectivity and mobile coverage is likely to vary with terrain. While the department is collecting this information, it currently has no plans or a formal process to undertake validation testing following each project completion. This means that the department will not be able to provide assurance that the information collected is accurate.

The department has not updated the expected benefits of the program despite significant changes in scope

In September 2021, following a review of the Gig State program, the department prepared an addendum to the original Gig State business case to change the program from capital expenditure to operational expenditure, and set out a range of other changes. The department’s addendum to the business case noted that the approach to delivering benefits would remain the same, and it did not revisit the benefits realisation register nor attempt to recalculate expected benefits. Given the significant scope changes in the business case addendum, it is likely that there would have been an impact on expected benefits that would justify recalculating the program benefits.

This was not the only time where significant changes in the Gig State program’s operations did not result in an updated benefits realisation register. As noted in the introduction, the RDCP budget was reduced in the 2023 budget, and the remaining budget was extended out to 2028. As discussed above, the change in budget coincided with the department’s decision to discontinue the LEO satellite pilot, which was anticipated to deliver 40% of the financial benefits of the program. The change in budget profile for the program has likely led to a change in the benefits profile of the program, however the department has not updated its program assumptions in line with this change.

The department has documented key lessons learned from its funding rounds to date

Documenting lessons learned from early delivery of any given program is important, particularly pilot programs, to ensure that these can be incorporated into future program development. The department has documented lessons learned across the two programs of the RDCP, including the early grant rounds.

For its Gig State program, the department documented lessons learned in relation to the management of grants, industry engagement, the grant guidelines, the assessment of grants, and the time that the grants went to market. These lessons include reinforcing positive experiences, such as releasing a list of preferred locations to applicants, which the department believes served to encourage funds to be directed to those areas. The department also identified potential improvements, including how it communicated with industry and the data that it would request from future applicants. There have been no grant programs run through the Gig State program since these lessons were documented so it is not yet clear whether the department will implement changes as a result of these lessons learned.

As noted above, the mobile coverage ASP pilot program was delivered across two phases: the first phase involved working with industry to determine potential technical solutions, and the second phase was a grant program to deliver the preferred solutions. The department commissioned a lessons learned report of the first phase of the ASP pilot program with the intention of using this to inform the mobile coverage ASP main program business case development. The lessons learned report and the mobile coverage ASP main program business case were both completed in the same month, however, meaning that lessons could not be fully incorporated into that business case. The department has also identified additional lessons learned specifically in relation to the grant process. There have been no grant programs run through the mobile coverage ASP main program since these lessons were documented so it is not yet clear whether the department will implement changes as a result of these lessons learned.

In addition, the department has conducted an internal audit on the governance of the RDCP. The internal audit had largely positive findings about the governance structures and the grant guidelines. The internal audit did not make findings on the governance issues outlined above, such as not having finalised terms of reference. However, the internal audit did note that not all probity advice had been documented and some had been provided verbally, which increased the risk of grant processes not being undertaken with integrity.

The department has planned evaluations for all grant programs within the RDCP

The department has a draft evaluation plan for the RDCP that includes evaluations for each program to validate whether they have achieved their objectives, as well as finalised evaluation plans for each of the programs. Both process and outcome evaluations are planned. Process evaluations ensure that planned processes were followed and that lessons are learned for future grant programs. The department is planning process evaluations for when all funding deeds have been signed and outcome evaluations are planned for after project delivery is largely complete.

The sub-programs have not yet reached the point where the department will undertake outcome evaluations. The department has indicated that the outcome evaluations will be undertaken when each project has been delivered, which means that while it will determine whether the project has achieved its objectives, it will not be measuring outcomes on an ongoing basis to determine whether changes are needed for the program to meet its objectives. The funding deeds with grant recipients make it clear that the department will undertake an evaluation and may collect relevant information for this purpose. While the department should be able to collect information, the limitations in data collection noted above may need to be resolved to ensure that required data is available.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #397 released 27 June 2024.

About this report

Financial audit results of the NSW public universities’ financial statements for the year ended 31 December 2023.

Audit findings

Unmodified audit opinions were issued for all ten universities.

Eight universities reported net deficits. Three of these improved on their 2022 results.

Total fees and charges returned to pre-pandemic levels, with 40.5% earned from overseas students from three countries.

Employee related expenses increased 10.2% in 2023 mainly due to an additional 2,830 full time equivalent staff, in response to increased teaching and research activities.

Key issues

The number of findings reported to management has increased to 111 matters in 2023 up from 88 in 2022.

These included one high risk finding and 62 moderate risk findings, a 72% increase from last year.

Gaps identified in universities governance processes included delays in responding to findings and recommendations; staff not attesting compliance with codes of conduct annually; and not capturing and recording staff conflicts of interests within central registers.

Seven of the ten universities have cyber security risks above what they determine as an acceptable risk. Four universities did not have a cyber security uplift program.

Recommendations

Universities should address all recommendations made in the report (see Appendix one for a summary of these).

In particular, there should be a focus on prioritising remediation of wage underpayments to affected employees; ensuring a centralised conflict of interest register is maintained for all staff; considering emerging risks in university risk registers; ensuring controlled entities are considered when determining internal audit plans; and focusing efforts to improve cyber security risk management and cyber resilience capability.

This report provides NSW Parliament with the results of our 2023 financial audits of universities in New South Wales and their controlled entities, including analysis, observations and recommendations in the following areas:

• financial reporting
• internal controls and governance
• teaching and enrolments
• cyber security.

Financial reporting is an important element of good governance. Confidence and transparency in university sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines audit observations related to the financial reporting of universities in NSW for 2023.

Appropriate financial controls help to ensure the efficient and effective use of resources and administration of policies. They are essential for quality and timely decision-making. Effective governance is essential for the stability, sustainability and ethical operation of universities. It ensures accountability, transparency and promotes responsible decision making.

This chapter outlines our observations and insights from our financial statement audits of NSW universities.

Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These, along with the less significant matters, are reported to universities for management to address.

Universities' primary objectives are the functions of teaching and research. They invest most of their resources aiming to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.

This chapter outlines teaching and enrolment outcomes for universities in NSW for 2023.

This chapter of the report focuses on the cyber risk environment for universities, how universities have assessed that risk, what frameworks they use to strategically identify controls that respond to those risks, and the extent to which they have implemented or have plans to implement those controls. We also address some specific controls in respect of cyber resilience.

Appendix one – List of 2023 recommendations

Appendix two – Status of 2022 recommendations

Appendix three – Universities' controlled entities

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

About this report

This audit assessed the effectiveness of the Department of Communities and Justice (DCJ) in planning, designing, and overseeing the NSW child protection system.

The audit used 'follow the dollar' powers to assess the performance of five non-government organisations (NGOs), that were contracted to provide child protection services. More information about how we did this is included in the full report.

Findings

The NSW child protection system is inefficient, ineffective, and unsustainable.

Despite recommendations from numerous reviews, DCJ has not redirected its resources from a ‘crisis driven’ model, to an early intervention model that supports families at the earliest point in the child protection process.

DCJ's organisational structure and governance arrangements do not enable system reform.

DCJ has over 30 child protection governance committees with no clarity over how decisions are made or communicated, and no clarity about which part of DCJ is responsible for leading system improvement.

DCJ's assessments of child protection reports are labour intensive and repetitive, reducing the time that caseworkers have to support families with services.

DCJ has limited evidence to inform investments in family support services due to a lack of data about the therapeutic service needs of children and families. This means that DCJ is not able to provide relevant services for families engaged in the child protection system. DCJ is not meeting its legislated responsibility to ensure that families have access to services, and to prevent children from being removed to out of home care.

DCJ does not monitor the wellbeing of children in out of home care. This means that DCJ does not have the information needed to meet its legislative responsibility to ensure that children 'receive such care and protection as is necessary for their safety, welfare and well-being’.

In August 2023, there were 471 children living in costly and inappropriate environments, such as hotels, motels, and serviced apartments. The cost of this emergency accommodation in 2022–2023 was $300 million. DCJ has failed to establish ‘safe, nurturing, stable and secure’ accommodation for children in these environments.

Since 2018–19, the number of children being returned to their parents from out of home care has declined. During the five years to 2022–23, families have had limited access to restoration services to support this process.

Recommendations

The audit made 11 recommendations to DCJ. They require the agency to identify accountability for system reform, and to take steps to ensure that children and families have access to necessary services and support.

The child protection system aims to protect children and young people under 18 years old from risk of abuse, neglect, and harm. In NSW, child protection services can include investigations of alleged cases of child abuse or neglect, referrals to therapeutic services for family members, the issuing of care and protection orders, or the placement of children and young people in out of home care if it is deemed that they are unable to live safely in their family home.

A key activity in the child protection process is to determine whether a child is at ‘risk of significant harm’ as defined by Section 23 of the Children and Young Persons (Care and Protection) Act 1998. The Act describes significant harm as when ‘the child's or young person's basic physical or psychological needs are not being met or are at risk of not being met'. The Department of Communities and Justice (DCJ) has developed a process for determining risk of significant harm. It requires multiple assessments of child concern reports and at least two separate assessments of the child in the home. This process can take a number of months, and until all of these activities are complete, DCJ describes the child as suspected or presumed to be at risk of significant harm.

DCJ has primary responsibility for the child protection system in NSW. DCJ is both a provider of child protection services and a purchaser of child protection services from non-government organisations (NGOs). As system steward, DCJ has a role to establish the policy environment for child protection services and operations. In addition, DCJ is responsible for all governance and reporting arrangements for the commissioned NGOs that deliver services on its behalf, as well as for the governance and reporting arrangements of its own DCJ staff. DCJ must ensure that the child protection system is achieving its intended outcomes – to protect and support children in ways that meet their best interests - as described in legislation.

This audit assessed the effectiveness of DCJ’s planning, design, and oversight of the statutory child protection system in NSW. We assessed whether DCJ was effective in ensuring:

• there is quality information to understand and effectively plan for child protection services and responses
• there are effective processes to manage, support, resource, and coordinate child protection service models and staffing levels
• there is effective oversight of the quality and outputs of child protection services and drivers of continuous improvement.

To do this, the audit assessed the statutory child protection system with a particular focus on:

• initial desktop assessments and triaging of child protection reports
• family visits and investigations of child protection reports
• case management services and referrals to services
• the management of all types of care and protection orders
• the assessments and placements of children in out of home care.

The audit also assessed the performance of five NGOs that provide commissioned child protection services. Collectively, in 2021–2022, the five audited NGOs managed approximately 25% of all out of home care services in NSW. The policies, practices, and management reporting of the five NGOs was assessed for effectiveness in relation to the following:

• quality of data used to understand service requirements
• arrangements for operational service delivery to meet identified needs
• governance arrangements to deliver safe and quality out of home care services under contract arrangements with DCJ.

This audit was conducted concurrently with another audit: Safeguarding the rights of Aboriginal children in the child protection system.

The child protection system aims to protect children and young people (aged less than 18 years) from the risks of abuse, neglect, and harm. Child protection services can include investigations, (which may or may not lead to substantiated cases of child abuse or neglect), care and protection orders, and out of home care placements.

The Department of Communities and Justice (DCJ) has statutory responsibility for assessing whether a child or young person is in need of care and protection. DCJ’s Child Protection Helpline receives and assesses reports of possible child abuse or neglect. If the information in the report is assessed as meeting a threshold for risk of significant harm, DCJ caseworkers at Community Service Centres investigate the report and decide on a course of action. Follow-up actions can include referring the family to services, visiting the family to conduct ongoing risk and safety assessments of the child, or closing the case. If a child is determined to be unsafe, the child may be removed from the family home and placed in out of home care.

Non-government organisations (NGOs) are funded by the NSW Government to provide services to children and young people who require out of home care and other support services. NGOs provide approximately half of all out of home services in NSW, and DCJ provides the other half.

Government agencies such as Health, Education and Police also play a role in child protection processes, particularly in providing support for children and families where there are concerns about possible abuse or neglect. NSW Health provides some support services for families, along with the Department of Communities and Justice. Exhibit 1 shows some headline child protection statistics for NSW in 2022–2023.

Source: Audit Office summary of DCJ data on child protection statistics.

DCJ has not made progress in shifting the focus and resources of the child protection system to an early intervention model of care, as recommended by major system reviews

DCJ has not readjusted its resource profile so that its operating model can take a more preventative approach to child protection. A preventative approach requires significant early intervention and support for families and children soon after a child has been reported as being at risk of significant harm. This approach has been recommended by a number of reviews into the child protection system.

In 2015, the Independent Review of Out of Home Care in New South Wales recommended an investment approach that uses client data and cost-effective, evidence-based interventions to reduce entries to out of home care and improve outcomes for families and children.

The NSW Government response to the Independent Review of Out of Home Care in New South Wales was a program entitled: Their Futures Matter. This program commenced in November 2016 and was intended to place vulnerable children and families at the heart of services through targeted investment of resources and services. A 2020 report from our Audit Office found that ‘while important foundations were laid and new programs trialled, the key objective of establishing an evidence-based whole of government early intervention program … was not achieved. The majority of $380 million in investment funding remained tied to existing agency programs, with limited evidence of their comparative effectiveness.’

DCJ’s expenditure since 2018–2019 shows that most additional funding has been used to address budget shortfalls for out of home care, and to expand the numbers of frontline case workers. Budget increases show that during the period from 2018–2019 to 2022–2023, DCJ’s expenditure on out of home care increased by 36%, and expenditure on caseworkers increased by 26%. DCJ’s expenditure on family support services, including early intervention and intensive support services, increased by 31% during the audit period.

These resourcing priorities indicate that DCJ has not shifted its focus or expenditure in ways which reorient the child protection system. DCJ has not dedicated sufficient resources to early intervention, and therapeutic support for families and children, in order to implement the recommended changes made by systemwide child protection reviews.

In 2019, the Family is Culture Review recommended increased investment in early intervention support services to prevent more Aboriginal children entering out of home care, with a preference for these services to be delivered by Aboriginal Community Controlled Organisations. Progress towards enhancing a culturally appropriate service profile has been limited. DCJ last published progress against the Family is Culture recommendations in August 2021, when it reported that projects to increase financial investment in early intervention services were under review.

Data from March 2023 shows that 89% of the DCJ-funded, family support service volume across NSW is delivered by mainstream providers compared with ten per cent provided by Aboriginal Community Controlled Organisations, and one per cent by culturally specific providers. Given that Aboriginal children make up approximately half of all children in out of home care, there is still significant work required to shift the service profile.

DCJ’s governance arrangements are not structured in a way that ensures transparency and accountability for system reform activity and service improvements

DCJ’s organisational structure reflects multiple operational and policy functions across its three branches - the Commissioning Branch, the Operational Branch, and the branch responsible for Transforming Aboriginal Outcomes. Some branches have responsibility for similar functions, and it is not clear where overall executive-level accountability resides for system reform. For example, all three branches have a policy function, and there is no single line of organisational responsibility for this function, and no indication about which branch is responsible for driving system reform.

DCJ has over 30 governance committees and working groups with responsibilities for leadership and oversight of the statutory child protection and out of home care system. DCJ’s governance committees include forums to provide corporate and operational direction, to make financial and resourcing decisions, and to provide leadership and program oversight over the different functions of child protection and out of home care. Some committees and working groups oversee DCJ’s activity to meet government strategic priorities and respond to the findings and recommendations of child protection and out of home care reviews and commissions of inquiry.

Much of DCJ’s work in child protection and out of home care is interdependent, but its governance arrangements have not been structured in a way that show the lines of communication across the Department. There is no roadmap to show the ways in which decisions are communicated across the various operational and corporate segments of DCJ’s child protection and out of home care business operations.

In 2022, DCJ commenced activity to reorganise its operational committees into a four-tier structure, with each tier representing a level in the hierarchy of authority, decision-making and oversight. Draft documents indicate the ways in which the new organisational structure will facilitate communication through the different business areas of DCJ to the Operations Committee where most of the high-level decisions are made or authorised before being referred to the Executive Board for sign off. The new governance arrangements indicate a more transparent process for identifying Department and divisional priorities across policy and programs, though the process for reforming governance processes was not complete at the time of this audit.

DCJ’s strategic planning documents do not contain plans to address the pressure points in the child protection system or address the increasing costs of out of home care. After the merger of the Department of Family and Community Services (FACS) and the Department of Justice, DCJ’s Strategic Directions 2020–2024 document sets out the direction for the expanded Department in generalised terms. While it describes DCJ’s values, and describes an intention to improve outcomes for Aboriginal people and reduce domestic and family violence, it does not contain enough detail to describe a blueprint for Departmental action.

In April 2023, DCJ published a Child Safe Action Plan for 2023 to 2027. This plan includes a commitment to hear children’s voices and to ‘improve organisational cultures, operations and environment to prevent child abuse’. In September 2023, the NSW Government committed to develop ‘long-term plans to reform the child protection system and repair the budget, as part of its plan to rebuild essential services and take pressure off families and businesses'. Any activity to implement these commitments was not able to be audited, as it was too soon to assess progress at the time of this report publication.

DCJ’s expenditure priorities predominantly reinforce its longstanding operating model – to focus on risk assessments and out of home care services rather than early intervention

More than 60% of DCJ’s budget for child protection is spent on out of home care. In the five years from 2018–2019, DCJ’s expenditure on out of home care increased by 36% from $1.39 billion in 2018−19 to $1.9 billion in 2022–23.

During the same timeframe, DCJ’s expenditure on risk report assessments and interventions at the Helpline and Community Service Centres increased by 25%. It grew from $640 million in 2018–2019 to $800 million in 2022–2023. This not only reinforced the existing model of child protection, it expanded upon it, at the expense of other activity.

While DCJ’s expenditure on family support services increased by 31% from $309 million in 2018–2019 to $405 million in 2022–2023, it remains a small component of DCJ’s overall expenditure at 13% of the total budget spend in 2022−2023, as shown at Exhibit 6.

Note: Expenditure is actual spending in each year, not adjusted for inflation. Totals may be more than the sum of components due to rounding. percentages may not sum to 100 due to rounding.

Source: Audit Office analysis of Productivity Commission data published in Reports on Government Services 2024, Table 16A.8.

DCJ has not done enough to support the transition of Aboriginal children to the Aboriginal community controlled sector as planned

In 2012, the NSW Government made a policy commitment to ensure the transfer of all Aboriginal children in out of home care to Aboriginal Community Controlled Organisations. DCJ acknowledges that over the past 12 years, the NSW Government has made limited progress in facilitating this transition.

In June 2023, a total of 1,361 children were managed by Aboriginal Community Controlled Organisations across NSW. At the same time, 1,746 Aboriginal children were being case managed by non-Aboriginal NGO providers, and 3,456 Aboriginal children were case managed by DCJ. In total there were 5,202 Aboriginal children waiting to be transferred to Aboriginal Community Controlled Organisations in June 2023.

The transition process was planned and intended to occur over a ten year timeframe from 2012 to 2022. This has not been successful. DCJ has revised its timeframes for the transition process, and now aims to see the transfer of the ‘majority’ of Aboriginal children to Aboriginal Community Controlled Organisations by June 2026. At the current rate of transition, it would take over 50 years to transfer all 5,202 children to Aboriginal Community Controlled Organisations, so this timeframe is ambitious and will require close monitoring by DCJ.

The cost of transitioning all 5,202 Aboriginal children from DCJ and the non-Aboriginal NGOs to the Aboriginal Community Controlled sector will add close to $135 million to the NSW Government out of home care budget. The increased costs are due to the higher costs of administration, accreditation, and oversight of services provided by the Aboriginal Community Controlled sector.

DCJ has prioritised the transfer of Aboriginal children from non-Aboriginal NGOs to Aboriginal Community Controlled Organisations before the transfer of Aboriginal children from DCJ’s management. This prioritisation is due, in part, to the fact that most of the non-Aboriginal carers of Aboriginal children are with NGOs. NGO contract requirements should have been one of the drivers of the transition of Aboriginal children to Aboriginal Community Controlled Organisations.

The most recent NGO contracts, issued in October 2022, required that NGOs develop an Aboriginal Community Controlled transition plan by 31 December 2022. This timeframe was extended to 30 June 2023. All of the NGOs we audited have now prepared detailed transition plans for the transition of Aboriginal children, including service plans that identify risks and document collaborative efforts with Aboriginal Community Controlled Organisations.

One important requirement in the success of the transitions, is the willingness of carers to switch from their existing NGO provider to an Aboriginal Community Controlled Organisation. During the period of this audit DCJ failed to provide sufficient information to carers, to assure them of the NSW Government’s commitment to the transition process. Since July 2023 DCJ has written to carers of Aboriginal children case managed by non-Aboriginal Community Controlled Organisations and provided them with more information about the transition process.

NGOs have had limited success in transitioning Aboriginal children to Aboriginal services, and can do more to report on activity, so that system improvements can be made

Non-Aboriginal NGOs have had limited success in transferring Aboriginal children to the Aboriginal-controlled out of home care sector. For example, of the approximately 1,700 Aboriginal children that were managed by non-Aboriginal providers in 2022–2023, 25 Aboriginal children were transferred from non-Aboriginal NGOs to Aboriginal Community Controlled Organisations in that year. While DCJ controls the key drivers in this transition, there is limited evidence that NGOs have initiated consultations with Aboriginal Community Controlled Organisations during the audit period.

NGOs advised that some of their carers do not want to transition to Aboriginal Community Controlled Organisations, and this is slowing the transfer process. NGO contracts in force until September 2022 required that: ‘The express agreement of carers must be sought prior to the transfer of an Aboriginal Child to an Aboriginal Service Provider.’ This audit was not able to verify the extent to which carers have resisted the move to Aboriginal Community Controlled Organisations.

DCJ did not provide NGOs with sufficient direction, coordination, or governance through its contract arrangements to effect transitions from non-Aboriginal NGOs to Aboriginal NGOs. DCJ has established a project control group with representatives from NGO peak bodies and has set up an internal program management office to manage the transition.

There are limited drivers for the transition of Aboriginal children to Aboriginal-controlled services, and financial risks for both Aboriginal Community Controlled Organisations and non-Aboriginal NGOs in the process

Aboriginal Community Controlled Organisations and non-Aboriginal NGOs are carrying significant financial risk due to a lack of certainty in the transition process of Aboriginal children to the Aboriginal Community Controlled sector. These agencies are responsible for planning and making changes to their business models in order to facilitate the transition process. DCJ does not provide funds for this activity.

Some non-Aboriginal NGOs have high numbers of Aboriginal children in their care. These agencies risk financial viability if children and their carers are transitioned in a short space of time. There is a degree of uncertainty about the timelines for transitions to Aboriginal Community Controlled Organisations, and the numbers of children that will be transitioned at any given time.

Non-Aboriginal NGOs are not in a position to require Aboriginal Community Controlled Organisations to take Aboriginal children. Similarly, Aboriginal Community Controlled Organisations cannot compel the transition of children to their care. There are no real system drivers for this activity, and some financial disincentives for NGOs supporting large Aboriginal caseloads.

Throughout 2023, some Aboriginal Community Controlled Organisations have been upscaling their businesses to prepare for the transition of Aboriginal children to their care. They have employed additional caseworkers and enhanced administrative and infrastructure arrangements to take on new children, without receiving new intakes. They report that they have been financially disadvantaged by the failure of the transition process. Aboriginal Community Controlled Organisations advise that they don’t expect confirmation of the child transition process and timelines until 2024 and must carry the financial consequences of upscaling.

DCJ does not collect sufficient data to assess the effectiveness of its child protection service interventions and does not know whether they lead to improved outcomes

DCJ does not collect sufficient information to understand whether its child protection risk and safety interventions are effective in protecting children from abuse, neglect, exploitation, and violence.

DCJ is the sole entity with responsibility to make assessments of children after there has been a child protection report. After a child has been reported, DCJ caseworkers conduct a range of assessments of the child and family context, to determine whether the child is at risk of significant harm. If DCJ caseworkers determine that a child is ‘in need of care and protection,’ Section 34 of the Care Act requires DCJ to ‘take whatever action is necessary to safeguard and promote the safety, welfare and well-being of the child or young person’, including ‘providing, or arranging for the provision of, support services for the child or young person and his or her family’.

DCJ has limited measures to assess the effectiveness of its service interventions. DCJ monitors and reports on the number of children who are re-reported within 12 months after receiving a DCJ caseworker intervention. However, DCJ does not monitor or report any comparative data that would potentially demonstrate the effectiveness of its service interventions. For example, DCJ does not collate and publish data on re-report rates of children who do not receive a DCJ service intervention. This comparative data would give DCJ greater understanding about the effectiveness of its service interventions.

In addition, DCJ’s re-report data does not differentiate between re-reports of children that are substantiated, from those that are not. Children can be re-reported for a variety of reasons. Some re-reports are of children who are not at increased risk of significant harm. Therefore, the current re-report data is a limited measure of the effectiveness of DCJ’s service interventions.

DCJ does not collect data or compare outcomes based on the kinds of services that are accessed by children and families. For example, DCJ does not report on instances where families were denied service interventions because support services were full, or did not exist in their region. DCJ does not collect data or report on children who were taken into out of home care in areas where there were no available services to support the family.

DCJ caseworkers can support families by making referrals to drug and alcohol rehabilitation services, family violence services, parenting support courses, or mental health services. It is not known whether families receive services that are relevant to their needs. Some services are offered as additional DCJ caseworker support, some are NGO funded support packages, some offer therapeutic interventions, and some are provided via external government agency services, such as NSW Health. Support services are highly rationed in NSW, and many families engaged in the child protection system do not have access to them.

Limited outcomes data and reporting means that DCJ cannot demonstrate how its actions and service interventions are reducing risks and harms to children, and promoting their safety, welfare, and wellbeing in line with the Care Act.

While child protection reports have significantly increased over the past ten years, around 40% do not meet the threshold for suspected abuse and neglect to warrant a response

The overall number of child protection reports received by the Helpline has increased significantly over the past ten years. Reports to the Helpline ensure that children at risk of significant harm come to the attention of DCJ, but around 40% of reports do not meet the threshold of abuse and neglect to warrant a child protection report and response from child protection caseworkers. DCJ has finite resources, and responding to reports that do not require intervention reduces the capacity of DCJ to effectively respond to children who are at risk of significant harm.

In 2022–2023, the Helpline received 404,611 concern reports, an increase of over 60% since 2012–2013 when there were 246,173 reports. Between 2012–2013 and 2017–2018, reports grew slowly, then increased rapidly for three following years up until 2021. While the number of Helpline reports fell in 2021–2022, this reduction was partly due to a drop in reports by teachers during COVID school closures, and was not maintained in 2022–2023.

DCJ attributes the rapid growth in child protection reports to increasing awareness amongst mandatory reporters about their statutory responsibilities to report, along with the introduction of the online reporting option. Mandatory reporters include medical practitioners, psychologists, teachers, social workers, and police officers. These personnel are legally required to report children that they suspect are at risk of significant harm. In one 3-month period from April to June 2021 there were over 40,000 reports from mandatory reporters that did not meet the threshold that activates a statutory child protection response from DCJ caseworkers. The assessment of these reports consumes significant resources, costing over $4 million during the three month period in 2021, which equates to over $15 million per annum.

In 2010, Child Wellbeing Units were established so that mandatory reporters from Education, Police and Health could be assisted in child protection reporting. The units were established in response to recommendations made by the Wood Special Commission of Inquiry into Child Protection Services. They aimed to reduce the number of reports to the Helpline and to support mandatory reporters to assist children and families to receive an appropriate response. DCJ managers advise that the units are underutilised, and mandatory reporters continue to submit reports to the Helpline. The Child Wellbeing Units have not successfully reduced the overall number of reports to the Helpline.

DCJ advised that it is evaluating the Child Wellbeing Units and is developing new guidance for mandatory reporters that aims to address the culture of over-reporting.

Exhibit 7 shows the ten years of Helpline reports from 2012–2013 to 2022–2023.

DCJ does not collate or analyse its service referral data, and as a result, is unable to commission relevant services for families engaged in the child protection system

DCJ lacks data to understand the supply and demand requirements for therapeutic services across the child protection system. DCJ does not collect or report aggregate data about service referrals for children and families, nor does DCJ report data about service uptake across its Districts. DCJ does not collect the necessary information to plan for commissioned therapeutic services, or to fill its service gaps. DCJ does not know whether its funded services are competing with, or complimentary to, services funded by other agencies.

DCJ is required to monitor its therapeutic service interventions in order to comply with the objectives and principles of the Care Act. The Care Act requires that ‘appropriate assistance is rendered to parents and other persons … in the performance of their child-rearing responsibilities in order to promote a safe and nurturing environment’, and that any intervention ‘must … promote the child’s or young person’s development.

DCJ does not collect reliable data on the success of service referrals after a child has been identified as being at risk of significant harm. DCJ does not collect information or report on the uptake and outcomes of its referrals where there is a low to intermediate risk of significant harm to the child or young person. In most cases, DCJ does not know whether children or families received a therapeutic service after a referral. The uptake of referrals is voluntary, and families may decide that they do not want to access therapeutic services. DCJ does not routinely record data about the numbers of families that decline services.

DCJ does not collect data on instances where a referral was needed but not made because there was no available service in the District or there were no available places in the service. It is well known within DCJ that therapeutic services are lacking in regional and remote NSW. These include poor access to paediatricians and adolescent psychiatrists, disability assessors, mental health services, alcohol and other drug rehabilitation services, and domestic violence services.

Over the past five years, there is no evidence that DCJ has conducted an assessment of the statewide therapeutic service needs of children and families in NSW, or matched its statewide service profile to these needs through the targeted commissioning of therapeutic services. There has been a lack of system stewardship to ensure there is equity of service access for children and families in all Districts.

In each District, Commissioning and Planning units undertake market analyses at the point when programs are due for recommissioning, generally every three to five years. This market analysis includes an assessment of the availability of local services. There is no consistency in how this work is done across the Districts. While the purpose of District-level, market analysis is to identify gaps and opportunities for services, we did not find evidence of services being newly commissioned where gaps were identified.

District-level Commissioning and Planning units conduct some assessment of the demographics of the local area, as well as information about socio-economic characteristics, and expected population growth. For example, one DCJ District identified that their population is expected to grow by 33% by 2031. This means that more contracts for family preservation places will be needed. Another District identified that they do not have culturally appropriate services. However, the contracts for this District are in place for at least three years, so the District cannot provide the required service profile for local families.

While DCJ is taking some steps to arrange an expanded service profile, the efforts are piecemeal. Different programs are managed and commissioned across different parts of DCJ. For example, one District has developed a localised partnership with the Ministry of Health, but DCJ has not developed a state-wide Memorandum of Understanding with NSW Health to give priority access to all children engaged in the statutory child protection system.

In 2015, the Independent Review of Out of Home Care in New South Wales recommended that DCJ ‘establish local cross-agency boards in each … district to provide local advice, and commission services in line with its priorities and defined outcomes.’ In response, DCJ developed a program known as Their Futures Matter. In 2020, the NSW Audit Office’s assessed this program and found that DCJ had not established any cross-agency boards with the power to commission services. At the time of this audit, in 2024, there is no evidence that DCJ has created cross-agency boards.

DCJ advises that, in future, it plans to issue extra contracts to increase the number of intensive therapeutic care services. DCJ is using data on the locations of children in emergency out of home care placements as part of its needs analysis. The process includes mapping the service system across the State. DCJ’s work to date, has identified a lack of intensive therapeutic care places in Western NSW. The lack of services in Western NSW impacts on the ability of DCJ to keep Aboriginal children on their traditional country, and connected to family and kin.

DCJ is using District-level data in its future-focused recommissioning for family preservation services. DCJ advises that, commencing in 2024, the agency will identify family support service requirements by matching data on instances of risk of significant harm to children by category of harm, and assess service availability at the District level. This audit has not received evidence that the work has begun.

DCJ lacks an integrated performance management system to collect, collate, and compare data about the effectiveness of NGO providers or the outcomes of child support programs

DCJ does not have an integrated performance management system to manage its many programs and contracts with NGO service providers. DCJ advises that at March 2024, it had 1,816 active contracts in its contract management system. DCJ has multiple reporting systems for its different program streams, with information on early intervention programs provided through a different information technology system than the system that is used for out of home care placements. Central program teams do not have good oversight of historical data or trends.

Until 2022, data related to DCJ’s Family Preservation Program was collected separately from each NGO provider, via quarterly spreadsheets. There was no consistency in the ways in which the data was collated or analysed. This means that DCJ does not know how many families entered the Brighter Futures program in each District, even though contracts were issued at a District level and over 7,000 families entered Brighter Futures program in 2018–2019, 2019–2020 and 2020–2021. DCJ does not have a statewide view of the location or effectiveness of this, or any of its other family preservation services.

Contracts with NGOs for out of home care contain service volume requirements, for example a minimum number of children in out of home care each year. Contracts also include performance measures and financial penalties for underperformance. Underperformance includes failure to notify DCJ about out of home care placement changes within contracted time periods. Due to problems with NGOs accessing the ChildStory system, DCJ does not collect reliable data on out of home care placements provided by NGOs and therefore DCJ is not able to issue financial penalties.

DCJ has also failed to deliver expected outcomes from the Human Services Dataset. The dataset was recommended by the 2015 Independent Review of Out of Home Care, and approved by the NSW Government in August 2016. The aim of the dataset was to bring together a range of service demand data in order to prioritise support for the most vulnerable children and families. It was intended to deliver whole-of-system reform that would lead to improved outcomes for children and families with the highest needs.

The dataset brings together 27 years of data, and over seven million records about children, young people, and families. The records contain de-identified information about all NSW residents born on or after 1 January 1990 (the Primary Cohort) and their relatives such as family members, guardians, and carers (the Secondary Cohort). The Independent Review of Out of Home Care recommended that the dataset include information about the service requirements of the most vulnerable families. This recommendation has not been implemented to date. The Human Services Dataset does not contain records about the service interventions made by NGOs, and has minimal child protection and out of home care placement data.

DCJ’s package-based funding system has not been successful in tailoring services to children in out of home care

When a child is transferred to an NGO for out of home care services, DCJ provides the NGO with relevant funding packages to support the child. NGOs receive different funding packages according to the care needs of the child. Some packages relate to the placement of the child, whether it be a foster care placement, or an intensive therapeutic care placement for children with complex needs. Other packages relate to the permanency goals for each child. These goals can include restoring the child to their parents, establishing the child in long-term foster care, or supporting the child through an adoption process. Each funding package is based on an average cost for the different service type.

While the funding packages are attached to individual children, in practice, NGOs can allocate this funding flexibly. NGOs can integrate the funds from the packages into their global budgets and use the funds for a range of activities. The package-based system that was intended to deliver tailored services to individual children in out of home care, is not being implemented in the ways it was intended.

NGOs do not receive funding for administrative or management costs. They are not funded for supporting Children’s Court work, or the recruitment of new foster carers. NGOs calculate how much they need for these different activities, and use the required funds from funding packages and other sources of income.

DCJ does not collect data from NGOs to determine the nature of the services that were delivered to the child against the funding for each package. In fact, NGOs are not required to report on the expenditure of package funds in relation to any outcomes that relate to the child’s health, wellbeing, cultural, or educational needs.

An external evaluation of the permanency support package system was completed in 2023. It found that children receiving permanency support packages did not achieve better outcomes than children in a control group who did not receive them. This indicates that the package-based system has not achieved its objective to shift the out of home care system from a bed per night payment model, to a child-centred funding model, aimed at supporting safety, wellbeing, and permanency in out of home care.

DCJ’s contract arrangements for NGO funding are overly complex and administratively burdensome

NGO recipients of package-based funding must liaise with separate DCJ contract managers for the different types of funding packages they receive. Within each DCJ District, a range of contract managers have oversight of the different package types – including the packages for out of home care placements, and for the family preservation program. In addition, many NGOs have contracts in more than one DCJ District. This means that NGOs must liaise with a number of different contract managers and operational teams across different units in multiple DCJ Districts. NGOs advise that the time spent navigating the DCJ system reduces the time they can spend actively supporting children and families.

NGOs report that DCJ District personnel can vary in their preferred communication styles and channels. Some District staff prefer email contact, others prefer phone calls, and some prefer service requests that are entered into ChildStory. NGOs must adapt to these different styles depending on the District.

DCJ Districts also vary in the processes that NGOs must follow to have a child’s needs reassessed. This is a routine process, but some Districts take three months to consider and approve a reassessment, while others complete the process more rapidly. If a child is reassessed as requiring a higher category of support, DCJ does not back-pay any increased allowances. This is regardless of the time during which the NGO has provided the child with increased services. In these Districts, NGOs must carry the financial burden for the time it takes for re-assessment approval processes.

The NSW Procurement Policy Framework includes an objective of ‘easy to do business’. This includes a requirement to pay suppliers within specific timeframes, and recommends that government agencies should limit contract length and complexity.

An external evaluation of the package-based system found that that the funding packages are complex and administratively burdensome, and that DCJ Districts have different models and approaches to implementing them. As a result, a child and family living in one District could receive very different care from a child in another District. In 2023, DCJ advised that it is considering the recommendations of the evaluation with the aim of operationalising relevant system reforms, while not increasing the administrative burden on NGOs.

Exhibit 16 shows the multiple stages that NGOs must navigate in DCJ’s complex, contract environment.

DCJ’s case management system lacks an effective business to business interface with NGO partners, and has not produced data on key deliverables

DCJ’s case management system promised a single entry point for NGOs to interact with DCJ. In 2017, DCJ commenced the rollout of ChildStory, its new case management system, at a cost of more than $130 million. While the ChildStory system has become an important repository for information about children in the child protection system, it has failed to deliver on some of its key intended functionalities. ChildStory does not provide an integrated business to business system interface with commissioned NGOs where they can record information about children and families in their care.

Most of the ChildStory system is locked off to NGOs, meaning that NGOs cannot use it as a case management system. NGO personnel must enter data into their own client information systems before manually replicating any required data into the ChildStory system. Until June 2022, NGO staff lost access to ChildStory if they did not log onto the system for a three month period, and staff had to reapply for access, increasing the administrative burden on some NGO personnel.

The lack of an integrated business to business interface between DCJ’s ChildStory and the NGO case management systems, has vastly increased levels of administrative handling for all parties, and frequently results in mismatched data between DCJ and NGOs. The process for NGOs to correct data errors in ChildStory requires contact with DCJ, and the process can be protracted. NGOs advise that they spend significant time on complex data reconciliation processes and that these processes have financial implications. In some instances, NGOs are asked to repay contract ‘underspends’ as a result of DCJ data errors.

The lack of system interface between DCJ and NGOs has been a lost opportunity to produce and report NGO trend data on a wide range of metrics. While some data is manually entered by NGOs into ChildStory Partner, and some systemwide data produced, it is only available for a limited number of key performance indicators. For example, it was intended that ChildStory would be used to collect and collate information about the status and wellbeing of children. According to DCJ, this has not been possible, as the system does not have the functionality to collate data from questionnaires or instruments that assess child wellbeing.

Given that many of the smaller NGO data systems have limited sophistication and functionality, the failure of ChildStory to become a case management system for all NGOs, means they are not able to produce trend data on a wider range of metrics. The inability to collate key data from all NGO service providers limits the statewide data that is available for service planning.

Until 2022−2023, DCJ did not contribute all required data to a national, publicly-reported dataset on child protection. The Australian Institute for Health and Wellbeing (AIHW) collates data from Australian states and territories every year. Child protection information is published on the AIHW website and provided to the Productivity Commission for the annual Report on Government Services. Since 2014−2015, AIHW requested that all states and territories provide anonymised child-level data for reporting and research purposes. DCJ did not provide this requested child-level data until 2022−2023. In previous years, DCJ provided the AIHW with aggregated data tables that lacked some of the required information.

ChildStory has not been effective for the contract management of NGOs and commissioned services. The system cannot be used to report and generate information about NGO contract activity, nor can it be used to make payments to NGOs.

Caseworkers advise that they spend significant time updating the case management system, limiting the time they have for child and family visits

DCJ has not quantified the amount of time that staff spend entering information and updating records. While DCJ completed a time and motion study on caseworker activity in 2021, the study did not include information on the time it takes for caseworkers to enter data for individual tasks. The DCJ caseworkers who were interviewed for this audit, advised that they spend a large proportion of their total working week entering data into the case management system, rather than visiting families or providing phone support to families.

DCJ’s ChildStory system does not display all of the summary information that caseworkers need in order to be efficient and effective in their role. For example, triage caseworkers need to know when a report was made to the Helpline, in order to meet the statutory period for response of 28 days after the report was received. This information is not shown in the triage transfer list and is only visible by clicking into case notes for each child, one at a time.

ChildStory does not contain accurate information about decisions made by frontline staff. Caseworkers are required to choose a reason when they close a child protection case. Reasons can include that the family was referred to an external service. There is no field for a caseworker to indicate that a case was closed because the child protection report related to a person who was external to the family. ChildStory does not have a case closure field to record that the parents were protective in instances when a child was at risk from someone outside the home. These cases are closed with the reason ‘No capacity to allocate’, resulting in inaccurate management reporting. This incorrect record keeping can be problematic for the family. It can mean that if the child is re-reported, there may be unnecessary interventions by DCJ in future.

DCJ advises that ChildStory is not being used to its full functionality and that District DCJ Offices have created arrangements that increase the administrative burden on staff. For example, in some Districts before a caseworker can submit an approval request in ChildStory to the relevant Director, the caseworker must attach an email with the same Director’s written approval. DCJ managers advise that ChildStory is not being used in ways that would allow for efficient approvals of ‘out of guidelines’ expenses. It is not known whether this is a training deficit, or related to another matter.

Up until recently, DCJ’s information management system did not have functionality to record and collate information about the service needs of children and families. DCJ advises that in 2022, a referral function was added to ChildStory. While DCJ advise that this functionality is being used for referrals to family preservation services, there is no evidence that caseworkers are using the function, or that referral data is collated and reported. Prior to July 2022, decisions to refer a child or family to therapeutic services were recorded in individual ChildStory case notes, and could not be extracted and reported as trend data.

Some Districts have developed local monitoring systems to track vacancies in local family preservation and targeted early intervention services. These local initiatives go some way to improving the planning for child protection services responses at the local level, but they are yet to be systematised.

DCJ advises that it is developing a service vacancy dashboard and it is due to be rolled out to all Districts in late 2023. In order for service information to be visible to DCJ staff, NGO partner agencies will need to regularly update their service vacancy information in the dashboard. Initially DCJ will collect data on which families were referred to services, and NGOs will be expected to enter information on attendance at program sessions at a later date.

DCJ has management reporting systems to track activity and outputs for child protection work, however some key metrics are missing

DCJ’s interactive internal dashboards effectively report against an agreed performance framework that measures caseworker activity. This provides DCJ managers with caseworker progress against targets such as seeing new children and families within specified timeframes. Managers can drill into the dashboard data to see individual cases and the caseworkers behind the numbers. This assists managers in allocating new cases to their frontline staff. While DCJ managers advise that they use the dashboards on a daily or weekly basis, they raised concerns that dashboards did not account for staff vacancies or new recruits who cannot carry a full caseload.

DCJ dashboards do not allow managers to focus on groups of children who are at greater risk of harm, or on children who require a tailored service. This limits the effectiveness of DCJ’s response. While Aboriginal children are identified on most internal dashboards, there are gaps in the identification of Aboriginal children, especially at the early Helpline assessments of child protection reports and at the initial caseworker assessment of child safety and risk. There is no indication in DCJ’s system to show whether a family has experienced intergenerational removal, despite these families needing a specific trauma-informed response. Children from Culturally and Linguistically Diverse (CALD) backgrounds are not reported clearly on dashboards and refugee children are not flagged.

Children and parents with disability are not identified accurately in ChildStory and are not reported on dashboards. The Disability Royal Commission found that parents with disability are over-represented in all stages of the child protection system, and that they are more likely to have their children removed from their care. The Commission found that child protection agencies are less likely to try to place children back in the care of parents with disability.

DCJ data is stored in a Corporate Information Warehouse, which combines child protection data and data about children in out of home care. This information is sourced from ChildStory. The Corporate Information Warehouse also includes staffing data, and contract management data from the Contracting Online Management System. The Warehouse is updated every night to ensure that management reports and dashboards are current. However, some key datasets are not included in the Warehouse, such as the Helpline report backlog, which means that the DCJ Executive does not have easy visibility of Helpline workload or delays in responding to electronic reports.

DCJ’s external dashboards provide limited public transparency about child protection and out of home care activity. Until early 2024 the dashboards did not show the numbers of children in emergency out of home care. In addition, the main quarterly and annual dashboards do not show the average time that children have been in out of home care. 

External reporting is managed by DCJ’s Insights Analysis and Research directorate, known as FACSIAR. In addition to quarterly and annual dashboards reporting key statistics, FACSIAR hosts monthly seminars presenting research findings aimed at improving caseworker practice. The seminars are well attended by DCJ and NGO caseworkers. FACSIAR also maintains a public evidence hub summarising research papers and evaluations.

While regular quantitative data is necessary for day-to-day management purposes, it is not sufficient to understand the experience and outcomes of children in out of home care. In order to deliver additional insights, DCJ has invested in a long-term study of children in out of home care through the Pathways of Care Longitudinal Study. This study follows children who entered care in NSW for the first time between May 2010 and October 2011 and includes data from external sources such as Medicare data, health and education records, and youth offending data. DCJ has used this data for research studies on topics such as outcomes for children with disability in out of home care, and to assist caseworkers in working with children and families through Evidence to Action notes.

DCJ’s system for requesting out of home care placements is ineffective, resulting in multiple unsuccessful requests to NGOs to place children

DCJ does not have a centralised system where its NGO service providers can indicate that they are able to take on new children requiring out of home care. There are almost 50 providers of out of home care services across the State, but no consolidated database showing that there are foster carers who are able to take on new children by location.

DCJ uses a system (known as the broadcast system) to notify NGOs that it needs a foster care placement or another placement type for a child. The number of placement broadcasts has increased from around 450 per month in 2018–2019, to over 1200 per month in 2022–2023, even though the number of children in out of home care has not risen during this timeframe.

Exhibit 17 shows the monthly numbers of children that were ‘broadcast’ to NGOs as requiring out of home care placements from July 2018 to June 2023.

Appendix one – Response from entities

Appendix two – DCJ Organisational Structure for Child Protection

Appendix three – Child protection flowchart from Family is culture review report 2019

Appendix four – About the audit

Appendix five – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #394 - released 6 June 2024

About this report

The Department of Communities and Justice (DCJ) is responsible for safeguarding the rights of Aboriginal children, families, and communities when they encounter the child protection system. These rights are known as the Aboriginal and Torres Strait Islander Principles (the Principles), which are set out in legislation.

DCJ provides early intervention, prevention and out of home care services and also subcontracts non-government organisations to provide these services.

This audit assessed whether DCJ, and five funded non-government organisations that provide out of home care services, are effectively safeguarding the rights of Aboriginal children in the child protection system.

Findings

DCJ cannot demonstrate its compliance with the Principles. DCJ has not embedded the Principles in its governance, accountability arrangements, policy and day-to-day casework practice.

Insufficient governance and accountability arrangements have contributed to DCJ's failure to deliver on Aboriginal strategies and reforms in the last five years.

DCJ has not developed holistic family preservation models based on Aboriginal ways of healing.

DCJ is aware that its structured decision-making tools, used to make significant casework decisions, adversely affect Aboriginal children and their families. However, DCJ continues to use the tools.

DCJ has no quality assurance mechanisms over its child protection system and casework practice.

As system steward, DCJ has not provided non-government organisations with means to satisfy the Principles.

Recommendations

The audit recommends that DCJ:

• establish governance and accountability arrangements that provide oversight of the safeguards and outcomes for Aboriginal children and families
• develop and implement a quality assurance framework to ensure compliance with safeguards for Aboriginal children at all points in the child protection system
• fulfil its commitment to develop and implement a healing framework for child protection services
• commission family preservation services consistent with the principles of self-determination and participation set out in the Principles.

In this report, the term Aboriginal people is used to describe Aboriginal and Torres Strait Islander peoples. The Audit Office of NSW acknowledges the diversity of traditional Nations and Aboriginal language groups across the state of New South Wales.

The Department of Communities and Justice (DCJ) is responsible for the administration of the child protection system in NSW.

Aboriginal children and their families' rights in the child protection system are contained in the Children and Young Persons (Care and Protection) Act 1998 and the United Nations Conventions on the Rights of the Child and the Declaration on the Rights of Indigenous Peoples. These rights are also binding on DCJ funded non-government organisations (NGOs) through the administration of service contracts.

In 2022–23, DCJ spent $3.1 billion on child protection and out of home care services. This includes $1.9 billion on out of home care services, $800 million on child protection services and $405 million on early and intensive family preservation services.

DCJ subcontracts various early intervention, prevention programs and out of home care services to NGOs. However, DCJ is responsible, as system steward, for the effectiveness of the entire child protection system.

This audit assessed whether DCJ and five of its funded NGOs are effectively safeguarding the rights of Aboriginal children in the child protection system. The audit period was June 2018 to June 2023 (five years). In this report, children and young people under 18 are described together as children.

We addressed the audit objective by answering three questions:

1. Does DCJ and its funded non-government organisations have established governance and accountability arrangements to understand and track performance in safeguarding the rights of Aboriginal children in the child protection system?
2. Does DCJ and its funded non-government organisations have effective policies, practices, systems, and resources to support and enable staff to safeguard the rights of Aboriginal children in the child protection system?
3. Does DCJ and its funded non-government organisations have effective monitoring and quality assurance systems to ensure that the outcomes for Aboriginal children in the child protection system are consistent with their legislative rights and their human rights?

This audit was conducted concurrently with the Oversight of the child protection system performance audit.

The child protection system aims to protect children and young people from the risks of abuse, neglect and harm. This report refers to several parts of the child protection system including:

• Helpline: DCJ receives and triages reports about children suspected to be at risk of significant harm
• Investigation of reports (mostly performed at community service centres): DCJ determines if reports meet the suspected risk of significant harm threshold and the subsequent assessment and investigation of suspected risk of significant harm reports
• Case work: where risk of significant harm has been substantiated, DCJ provides and procures services to prevent a child’s entry into the child protection system
• Entry into care decisions: DCJ determines when a child enters out of home care
• Out of home care services: where a child cannot safely remain at home, DCJ or a contract service provider, place the child in foster care, kinship care, temporary care arrangements or residential care.

DCJ is not monitoring or reporting on safeguards for the rights of Aboriginal children 

Decisions and actions that affect families and children in contact with the child protection system are often made within the context of complex circumstances. They are also deeply impactful on children and their families and can have lifelong implications in areas such as mental health and wellbeing, social inclusion and the likelihood for descendants to also be in contact with the child protection system. Legislative safeguards exist to ensure that the rights of children are paramount.

DCJ governance arrangements are not informed by, and do not reflect, legislative safeguards for the rights of Aboriginal children. Such safeguards include the Convention on the Rights of the Child or the Declaration on the Rights of Indigenous Peoples and the Aboriginal and Torres Strait Islander Principles (the Principles) contained in sections 11 to 13 of the Children and Young Persons (Care and Protection) Act 1998.

DCJ has not established mechanisms to:

• address the reasons, including those arising from its own process deficiencies, that Aboriginal children are disproportionately reported at suspected Risk of Significant Harm, seen by caseworkers and enter statutory out of home care
• assess and hold its funded non-government organisations (NGO) accountable for the quality and outcomes of family preservation services that aim to prevent Aboriginal children entering out of home care
• hold departmental districts and NGOs accountable for outcomes for Aboriginal children in out of home care.

Department districts are instead held accountable against nine key performance indicators at Quarterly Business Review Meetings. The performance indicators reflect activity in the child protection and out of home care system. None are disaggregated by Aboriginality, and no indicators require districts to demonstrate casework outcomes for Aboriginal children and families.

DCJ has not developed effective accountability mechanisms for its staff to safeguard the rights of Aboriginal children in the child protection system

DCJ does not have formal accountability mechanisms for any of its staff to safeguard the rights of Aboriginal children. Because of this, DCJ does not have a framework to address staff non-compliance with safeguards for Aboriginal children and their families.

DCJ does not collect data to demonstrate adherence to the Principles or consistently collect feedback from the Aboriginal community to understand its performance. Without Aboriginal outcomes focused data and feedback from Aboriginal stakeholders, DCJ cannot understand its performance or hold its staff accountable for complying with the Principles.

DCJ advises that it plans to introduce a new performance framework that will require senior executives to demonstrate their performance with respect to Aboriginal children in the child protection system. DCJ has not nominated when the framework will come into effect.

DCJ has made negligible progress in implementing key recommendations, strategies and reforms designed to improve outcomes for Aboriginal children and their families

DCJ has not delivered on any Aboriginal specific child protection reform strategy and made negligible progress in implementing key recommendations from the Family is Culture report.

Exhibit 5 identifies major Aboriginal specific reforms to address longstanding issues that impact Aboriginal children and their families. These reviews attempted to reorient the system toward preventing children from entering care and focused on improving outcomes for Aboriginal children in contact with the child protection and out of home care system.

DCJ’s organisational structure and governance arrangements are not enabling the system reform needed to meet the NSW Government’s commitment to Closing the Gap Target 12

The NSW Government is a signatory to the National Agreement on Closing the Gap 2021-2031. The objective of the Agreement ‘is to overcome the entrenched inequality faced by Aboriginal and Torres Strait Islander people so that their life outcomes are equal to all Australians’. The agreement commits the NSW Government to ‘mobilise all avenues and opportunities available, to meet the objectives’.

DCJ established a temporary Deputy Secretary Transforming Aboriginal Outcomes (TAO) role and associated unit in November 2021 to lead its Closing the Gap targets, which includes Target 12 (to reduce the proportion of Aboriginal children in out of home care by 45% by 2031). The TAO unit does not have decision-making powers over policy, commissioning of DCJ funded services or operational decisions. Instead DCJ has nominated a series of 18 disparate projects to achieve Target 12, which are monitored by TAO.

DCJ districts make significant child protection decisions that would likely contribute to achieving Target 12, including whether Aboriginal children enter out of home care and whether Aboriginal children currently in out of home care are restored to their families. However, there are no targets, measures or data to hold districts accountable to demonstrate progress in these key areas which would likely contribute to achieving Target 12.

Although senior executives meet regularly, the meetings are not used to drive the structural reform needed to achieve Target 12. DCJ is not on track to achieve Target 12.

Aboriginal children are over-represented in the child protection system. Approximately 6,500 Aboriginal children were in out of home care as at 30 June 2023, making up 45% of the out of home care population. By comparison, around seven per cent of children in NSW are Aboriginal. Aboriginal children are three times more likely than non-Aboriginal children to be reported at risk of significant harm and four times more likely to be allocated to a community service centre for a caseworker to undertake a face-to-face safety assessment. One in eight Aboriginal children seen by caseworkers enters out of home care.

DCJ does not have a quality assurance framework in child protection to safeguard the rights of Aboriginal children

DCJ has no quality assurance framework over systems and processes prior to the removal of a child into out of home care. Without such a framework, DCJ cannot be assured of its compliance with legislative safeguards afforded to Aboriginal children.

In late 2022, DCJ engaged a consultant to examine Aboriginal quality assurance for the child protection system. In July 2023, the consultant report highlighted deficient quality assurance systems and concerns with cultural capacity of staff to support Aboriginal families and children. DCJ has not indicated how or when it plans to address this deficiency.

DCJ does not have assurance that out of home care services are safeguarding the rights of every Aboriginal child in out of home care

The Office of the Children’s Guardian accredits out of home care providers, including DCJ and its funded NGOs, to a minimum standard set out in the Child Safe Standards for Permanent Care. As a result, DCJ and NGOs can demonstrate a range of internal quality controls and processes for children in out of home care to support the Office of the Children’s Guardian accreditation process.

However, the Office of the Children’s Guardian cannot provide qualitative assurance that DCJ and the NGOs have adhered to safeguards for each of the approximately 6,500 Aboriginal children in statutory out of home care at any given time. For example, the Office of the Children’s Guardian looks at whether a cultural plan exists for an Aboriginal child, but generally does not provide feedback for agencies to improve cultural plans.

DCJ, as the system steward, has a duty of care to ensure that it, and all NGOs it contracts with, have quality assurance processes to demonstrate compliance with safeguards for every Aboriginal child that is placed in out of home care. DCJ needs to do more than the minimum requirements of Office of the Children’s Guardian accreditation to gain assurance, commensurate with the risk of poor compliance and practice set out in this report, that it is adequately safeguarding the rights of every Aboriginal child in out of home care.

DCJ contracts NGOs to provide out of home care services through Service Level Agreements, aligned with the Principles in the Children and Young Persons (Care and Protection) Act 1998. This audit assessed whether NGOs are effectively safeguarding the rights of Aboriginal children in out of home care.

Five NGOs were selected as auditees for this performance audit. Selection of the providers was based on criteria which included:

• a mix of faith- and non-faith-based entities
• Aboriginal and non-Aboriginal entities
• number of children in care
• funding
• location
• service model.

Collectively, the NGOs selected for this audit were contracted to provide 2,600 foster care places in the 2021–22 financial year. This equated to one third of the total number of contracted foster care places in NSW in 2021–22. The two Aboriginal Community Controlled NGOs selected case managed about 20% of Aboriginal children in out of home care who were contracted out to NGOs.

Appendix one – Response from entities

Appendix two – The Aboriginal and Torres Strait Islander Principles (extract from the Children and Young Persons (Care and Protection) Act 1998

Appendix three – Data tables

Appendix four – About the audit

Appendix five – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #395 - released 6 June 2024.