
Reports

Published


Regulation of gaming machines

Industry
Regulation

About this report

This audit assessed the effectiveness of the regulation of gaming machines in clubs and hotels, with a focus on harm minimisation requirements.

In NSW, the Independent Liquor and Gaming Authority (ILGA) and the Department of Creative Industries, Tourism, Hospitality and Sport (the Department) share responsibility for regulating gaming machines in clubs and hotels.

Findings

More than half of all gaming machines in Australia are located in NSW.

The Department and ILGA regulate gaming machines in a structured and consistent manner but are not supporting harm minimisation outcomes effectively.

The Department has a regulatory strategy that sets out its priorities clearly. It has communicated this to stakeholders. However, the strategy does not have a sufficient focus on the areas that are considered high-risk for gambling harm and does not set targets for reducing harm associated with gaming machines. Gaming machine losses and the social costs of gambling harm continue to be disproportionately concentrated in socio-economically disadvantaged communities.

ILGA and the Department have clear processes for assessing applications to operate gaming machines. However, ILGA does not proactively review licence conditions after they are granted.

Most venues that have the largest number of gaming machines have not had their licence conditions reviewed in recent years and are operating gaming machines with licence conditions that may not be consistent with contemporary approaches to harm minimisation.

A legislated forfeiture scheme that aims to reduce the number of gaming machines in NSW has existed since 2001. The number of gaming machines operating in NSW has decreased gradually over that time, although it has increased since 2021–22.

Recommendations

The report made recommendations including:

  • the Department should increase the focus of its regulatory strategy on improving harm minimisation outcomes and ensure the gaming machine forfeiture scheme is achieving its legislative objectives
  • ILGA should commence periodic reviews of licence conditions for venues operating gaming machines and increase clarity to industry and other stakeholders about the reasons for its decisions.

Appendix 1 – Responses from audited entities

Appendix 2 – About the audit

Appendix 3 – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #409 - released 12 June 2025

Published


The mental health and wellbeing of NSW police

Justice
Community Services
Financial sustainability
Internal controls and governance
Management and administration
Risk
Service delivery
Workforce and capability

About this report

This report examined whether the NSW Police Force has been efficient and effective in managing and supporting the psychological wellbeing of the police workforce.

Findings

In 2023, the NSW Police Force funded a range of additional wellbeing initiatives to support police. In 2024, a standalone command was established to deliver these initiatives and manage the health and wellbeing of the workforce.

Over the five years from July 2019 to June 2024, the NSW Police Force had increasing numbers of psychological injury claims, escalating compensation costs, and increasing psychological injury medical exits. Since October 2024, there has been a reduction in the number of psychological injury notifications.

The NSW Police Force monitors and reports on psychological injuries to the workforce, but does not monitor, analyse or report on the root causes of these injuries. As a result, the NSW Police Force is not efficiently or effectively preventing future psychological injuries to the police workforce. Work is currently in progress to improve psychological risk reporting.

NSW Police Force wellbeing initiatives provide counselling and support for police after traumatic incidents. The initiatives do not address other psychological risk factors such as fatigue, role overload, or burnout.

Some police commands have higher workload volumes than others, and the NSW Police Force does not have a staffing allocation model to distribute police to locations under the greatest workload pressure.

In the five years from 2020 to 2025, the NSW Police Force invested $34 million on proactive wellbeing services for police, and an additional $60 million on the administrative costs of running the Health Safety and Wellbeing Command.

The cost of compensation for police psychological injuries amounted to approximately $1.75 billion from July 2019 to June 2024.

Recommendations

The NSW Police Force should, by July 2026:

  1. develop and implement a workforce allocation model that matches police numbers to command-level workload demands and changing workload levels
  2. fully implement the health and safety incident notification system and regularly report on the causal factors that lead to psychological incidents and injury claims
  3. investigate and report on the factors that contribute to police role overload and burnout, and adjust policy settings, practices and controls accordingly
  4. implement a strategy, process, and evaluation framework, that links police wellbeing initiatives and resources to evidence-based psychological risk factors.

A significant proportion of police report poor wellbeing in the People Matter Employee Survey, but managers do not have detailed information about workforce-wide stressors and risks

In 2024, 44% of police respondents to the People Matter Employee Survey reported unfavourable levels of wellbeing. The self-reported poor wellbeing of police included a reduced ability to function well in the role, and a lack of resources to manage wellbeing in the course of work duties. Other results from the People Matter Employee Survey show that the majority of police respondents do not believe they have support from managers to assist with wellbeing. While 44% of police reported low wellbeing in 2024, this is an improvement on 2023 levels, when 58% of police reported unfavourable wellbeing via the People Matter Employee Survey.

The People Matter Employee Survey is the only workforce-wide, self-reported source of information about police wellbeing risks. While the People Matter Employee Survey provides some insight into police wellbeing, it does not describe the nature, prevalence, or causes of psychological risk to employees. The NSW Police Force does not have an alternative means by which employees can report their psychological stressors, such as a workforce-wide survey.

The People Matter Employee Survey asks generalised questions about whether stress is manageable for the individual, whether employees are experiencing burnout, and whether employees are satisfied with the workplace practices that aim to manage wellbeing. In 2023 and 2024, more than 50% of police respondents recorded unfavourable responses to these three questions.

In the five years from 2019–2020 to 2023–2024, the NSW Police Force recorded an average of 1,100 psychological injury claims each year. Over this timeframe, the cost of psychological workers compensation claims accounted for 74% of total workers compensation claims costs, with physical injuries accounting for 26% of all costs. The psychological injury numbers recorded each year grew from 790 in 2019–2020 to just over 1,200 in 2023–2024.

In 2020, the NSW Police Force conducted a one-off, point-in-time survey, the ‘Mental Wellbeing Climate Survey’. It asked police about their experience and knowledge of existing wellbeing services. However, this survey did not ask police employees about their workplace stressors, or about their views on the nature or cause of psychological risks and injuries.

The NSW Police Force is in the early stages of meeting its obligation to understand workforce psychosocial risks, but needs to do more to understand risks associated with job demands

The NSW Police Force management reporting on psychological health and safety risks has not been sufficiently detailed to assist decision-makers to identify, address, and potentially mitigate risks to the workforce. Police management reports do not contain meaningful data on the causes of psychological injuries in the workforce.

While psychological injury rates were rising across the NSW police workforce, police management reports have lacked information about psychological injury types, or the causes of these injuries. For example, the most common psychological injury type was listed as ‘other mental stress factors’. The second most common psychological risk factor was described as ‘exposure to workplace or occupational violence’, and the third was ‘work pressure’. While these categories are set by Safe Work Australia, they are not sufficiently detailed for the NSW Police Force to understand its workforce risks.

The ten psychological injury categories, listed in order of their prevalence amongst the NSW police workforce, are as follows:

  • other mental stress factors
  • exposure to workplace or occupational violence
  • work pressure
  • work related harassment and/or workplace bullying
  • exposure to a traumatic event
  • suicide or attempted suicide
  • other and multiple mechanisms of incident
  • mental stress related to Novel Coronavirus (COVID-19)
  • being assaulted by a person or persons
  • other harassment.

From 2019 to 2024, the NSW Police Force had limited identifiers about the nature or causes of these ten risk categories, and no indication of the causes of psychological injury claims. This meant that the NSW Police Force lacked evidence on which to base its control measures, or to manage hazards.

Some of the data in health and safety reports is combined, so it is not possible to distinguish between physical and psychological injury types. For example, reports on the 1,307 injured workers who were unfit for work in June 2024 do not differentiate between psychological and physical injuries. Managers cannot see what proportion of the 403 police who were deployed to other ‘suitable’ duties in June 2024 were recovering from psychological injuries, compared to those with physical injuries. This means that managers lack evidence to plan rehabilitation services based on the level of requirement for different service types.

Reports show the impacts of injury on police over time, and the workforce attrition rates that are due to injury. While this data indicates overall impacts of police injury on workforce functioning, data does not show psychological and physical medical exits. In addition, reports do not show psychological medical exits by location or command. Specific data on injury type by location may point to problem areas in different segments or locations of the workforce.

As an employer, the NSW Police Force has obligations to its employees under the Work, Health and Safety Act 2011 (NSW)

The Work, Health and Safety Act 2011 (NSW) (the Act) requires that employers identify health and safety risks and take reasonable steps to minimise both physical and psychosocial risks. Under Section 27(5) of the Act, ‘reasonable steps’ means that employers must ‘ensure … appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information’.

NSW Police Force management reports on health and safety incidents show the number of incidents with psychological risk factors present. While these reports allow managers to track psychological injuries over time, information is not sufficiently detailed to indicate the causes of these injuries. Risks are not fully understood at the workforce-wide level, and so resources cannot be targeted to identified problems.

The NSW Police Force is also able to source information about workforce psychological hazards from individual risk reports made by police employees. The majority of these reports describe potential hazards to the physical safety of police, and in rare instances, psychological risks are reported to peer representatives. Reports are escalated to senior managers and provide some corporate insight into psychological health and safety risks.

Safe Work Australia has identified some of the contributing factors to workforce psychological risks. These include high job demands, excessive workloads, exposure to traumatic incidents or content, and long working hours without enough breaks. Excessive job demands become a psychosocial hazard when workload levels are unmanageable for prolonged periods. Other psychological risk factors include jobs with ‘high emotional demands’. The features of ‘high emotional demands’ have strong correlations with police work. They are:

  • exposure to aggression, violence, harassment or bullying
  • supporting people in distress (for example, giving bad news), or
  • displaying false emotions (for example, being friendly to difficult customers).

The NSW Police Force is implementing a new incident notification system that aims to improve incident investigation reporting on psychosocial risks and hazards

At the time of this audit’s publication in June 2025, the NSW Police Force is implementing a new incident notification reporting system. This system will provide a greater level of detail about the types and causes of psychological incidents, hazards and near misses. In addition, the new system has built-in welfare response notifications that are matched to the workplace incident.

In October 2022, amendments were made to NSW Work Health and Safety Regulations. These obligations imposed a higher standard for monitoring workforce psychosocial risks. They now require that employers introduce a range of control measures to mitigate psychosocial risks and hazards and to ‘eliminate psychosocial risks so far as is reasonably practicable’. The control measures are described in Section 55D (2) of the Regulations and include consideration of:

a) the design of work, including job demands and tasks, and

b) the systems of work, including how work is managed, organised and supported.

 

The NSW Police Force’s new incident notification reporting system has potential to improve the level of information about psychosocial risks and hazards, including information that shows the investigation stages and outcomes, and indicates the root causes of incidents and near misses.

At the time of this audit, NSW police employees are able to report their wellbeing concerns to line managers, but a number of frontline police advised that this course of action can be ‘career limiting’. Police employees are also able to speak with peer-appointed, work, health and safety officers. Work health and safety representatives have meetings with local police in their command on a monthly or quarterly basis, depending on the size of the command. During these meetings, work, health and safety officers record staff issues relating to trauma, psychological risks, and other wellbeing matters. The minutes from these meetings are escalated to senior human resource managers.

Frontline police are able to report individual health, safety and wellbeing concerns through an online ‘safe reporting’ portal. This online option is used to report local risks along with colleague misconduct concerns. However, this feedback portal was not well known by police interviewed for this audit. Those police who knew about the portal option were concerned that feedback would not be anonymous and could be traced back to individuals.

The NSW Police Force does not utilise information collected from critical incident reports to identify common psychological hazards that may contribute to these events

Police management reports do not include aggregated data about the factors that were evident in the lead up to critical incidents. Individual incident reports may include information about whether fatigue, stress, or excessive haste were evident when the incident occurred. Reporting on these factors in the aggregate may reveal to managers some potential risks and the root causes of critical incidents.

The NSW Police Force correlates some command-level data about police accidents, work, health and safety incidents, but does not report on the factors that contributed to the psychological injury incident. This information should be visible to central managers and decision-makers who have the authority to direct resources to the areas where risks are identified. For example, managers need information to understand whether segments of the workforce are operating under workload pressures. These pressures can be indicated through workplace accidents and incidents.

In the five years from 2019–2020 to 2023–2024, NSW police officers were involved in 171 critical incidents. Critical incidents are incidents that result in deaths or serious injuries to the public and/or police. Critical incidents are those which occur as a result of police vehicle pursuits and collisions, or the discharge of police firearms. Police managers do not receive reports that might indicate common factors in these incidents – factors that may provide insight into workforce wellbeing and optimal functioning.

Police critical incident notification forms include fields for police to record the time in the shift when an incident occurred. However, police managers have not used this information to observe trends and patterns of incident times and risks. It means, for example, that police managers did not know if factors such as fatigue played a part in police critical incidents.

There is potential for the NSW Police Force to do more to understand the stressors on the workforce. Other employers have developed mechanisms to monitor risks. For example, health providers and hospital managers review and analyse clinical incident trend data. They use this information to identify system-level harms that indicate emerging risks to the workforce and the public, and take action at an organisational level.

Safe Work Australia identifies strategies to understand psychosocial pressures on the workforce. These include monitoring and observing workforce mistakes, as potential indicators of areas where job demands are too high. In addition, Safe Work Australia recommends workforce-wide consultation processes, including the use of surveys and tools to seek the views of workers on a wide range of psychosocial risks.

Ultimately, the NSW Police Force lacks systems to understand and report on structural risks to the workforce. This level of information would allow managers to review policies if necessary, and target resources to mitigate these risks.

 

The NSW Police Force does not use a workforce allocation model to distribute its workforce according to workload burden

Workload stress is a significant factor in police wellbeing. The frontline police who were interviewed for this audit were consistent in the view that unmanageable workload pressures have the greatest impact on their wellbeing. 'Work pressure' is the third most common source of psychological injury cited in police injury notification data. While police managers have information about the police workload pressures across commands, they do not use a workforce allocation model to allocate workforce resources in a way that effectively mitigates this risk. In general, police managers measure workload pressures by assessing the number of calls that local police are unable to attend within the hour across the 57 NSW local area commands.

The NSW Police Force lacks a formula to allocate and distribute its police workforce across commands. The location of police across the State has been largely determined by historical factors, such as the location of an existing workforce. Staffing levels are also determined by political decisions. Some staffing allocations are made via election commitments to place additional police in certain regions, without an analysis of workforce requirements.

The NSW Police Force has been operating with significant workforce shortages since 2023. Workforce vacancy rates differ across commands. Some police area commands and districts are operating with workforce vacancies of more than 30%. Others have lower workforce vacancy rates at 11%. While workforce vacancies are not always a true indicator of workload burden, the data can show commands under changing workforce pressures. The ability of a command to meet its call-out volumes provides a clearer assessment of workload demand. That said, the NSW Police Force has not done any analysis of its authorised workforce strength by command over the past eight years.

Each year, police managers can make minimal changes to the distribution of police across the State. This is almost exclusively through the placement of newly graduated police. The process for placing new probationary constables is determined via annual meetings with Deputy Police Commissioners and region-level commanders. During this process, police workload levels and vacancy rates are assessed, and region-level bids are made for new graduates based on regional needs.

The NSW Police Force does not use a staffing allocation model to distribute its personnel based on an assessment of the workloads of each command. While police managers have access to data that shows the areas experiencing the highest workload across the 57 NSW local area commands, they are limited in their ability to change the workforce levels across the State.

In instances where there are significant increases in crime or call-out rates, the NSW Police Force is able to temporarily deploy additional police as part of a surge capability. These deployments seek to surge police in crime hotspots. However, they are a temporary measure and do not solve entrenched under-resourcing of some commands.

Senior police managers advise that they are limited in their ability to transfer police positions, or to increase the overall workforce headcount to respond to workload demands. While Deputy Commissioners and region-level commanders can monitor police workloads, they lack a staffing allocation model that would allow them to transfer police to commands under the highest levels of workload pressure.

The NSW Police Force does not assess or compare the effects of police taking up a second job to determine whether secondary employment impacts on police fatigue, stress or performance

Over the past five years, around 1,650 NSW Police Force employees were engaged in secondary employment annually. Central managers and policy makers do not receive data or reports that would allow them to monitor and compare levels of secondary employment across commands, and its impacts on police performance.

Police managers do not receive data that correlates secondary employment levels with sick leave data or adverse incident data, for example. While police managers advise that secondary employment is monitored at the local command level, there is no capability to assess impacts centrally, and make policy adjustments if data shows impacts on workforce wellbeing or functioning.

Given that the NSW Police Force has not collected or analysed system-level, psychological risk factor information, managers are unable to inform the design of police wellbeing programs based on evidence of workforce needs.

NSW frontline police work some of the longest shifts in the country and the NSW Police Force has not sufficiently assessed the risks or impacts of this shift cycle on performance and fatigue

Frontline police complete four 12-hour shifts that are condensed into a four-day timeframe, followed by six days off. In general, frontline police complete two day-shifts followed by two night-shifts, that are completed consecutively. Police are required to have a ten-hour break in between shifts, but unplanned overtime and travel to and from the workplace and home, can reduce the time available for rest and recovery.

The NSW Police Force has a 'flexible work arrangements manual' with principles that allow for flexible rostering of shift lengths between six and 12 hours throughout the day and overnight. In practice, however, rostering patterns show that 96% of general duties police undertake shift lengths of 12 hours. Most other police jurisdictions in Australia, with the exception of the Northern Territory, implement shift lengths that vary between eight and ten hours.

The NSW Police Force does not analyse its incident notification reports to assess whether there are any trends in the times when adverse incidents occur. The NSW Police Force is not able to identify correlations between the length of shifts and incidents, or the patterns of shifts and adverse incidents. As a result, police managers do not know whether the current shift arrangements for frontline police are a contributing factor to fatigue and stress. They do not have trend data to show if fatigue is leading to increases in accidents, incidents and performance matters.

The NSW Police Force’s work readiness framework advises that a 'review of workplace incident data' is a method that can be used to identify factors contributing to fatigue. Aggregated data about the ‘time in shift’ when incidents occur, would assist managers to understand whether shift patterns have inherent safety risks.

The NSW Police Force does not have sufficient controls and tools to regulate the number of hours worked by police, and potentially mitigate police fatigue levels

The NSW Police Force currently manages fatigue through a work readiness framework that includes policies, guidelines and tools, that are designed to assist managers and employees to develop and implement work readiness management plans and strategies. Police commanders are not mandated to implement these guidelines and tools, and there is no register of police working hours or work readiness.

The framework does not address the ways in which the fatigue assessment tools will be used and monitored across local commands. The NSW Police Force does not have a process to ensure the implementation of tools and control measures. In addition, the fatigue assessment tools lack clarity or guidance on rest and stop-work directives. Some employers of emergency service workers and first responders are able to proactively monitor fatigue. For example, NSW Ambulance has an automated fatigue management calculator that allows managers to view the hours worked by employees in real time, in order to manage risks.

The NSW Police Force work readiness framework contains guidelines that can be used to mitigate some of the contributing factors to fatigue. Guidelines advise police managers to conduct 'consultation with workers'. However, there is limited evidence that the NSW Police Force has consulted with, or sought feedback from the workforce on fatigue risks. There is no evidence that police employees have been surveyed about the effects of shift hours on the available time for sleep, or on work readiness.

In October 2023, the NSW Police Force developed a risk control ‘ready reckoner’ which includes ‘fatigue’ as a risk factor in police work. This risk control system is still in draft form and has yet to be implemented. The register identifies potential controls that can be used to manage fatigue, but it does not assign owners or business areas as responsible for the controls and risks. The impact of the ready reckoner is not yet known, nor has there been any monitoring of its uptake to date.

SafeWork NSW has identified fatigue as a potential workforce health and safety hazard for employees across all industries. Fatigue has both physical and psychological impacts. According to the regulator, each employer has responsibility to identify and manage fatigue risks to employees. In recent decades, numerous supreme court decisions have found employers liable for breaching their duty of care in failing to take reasonable steps to minimise the risks of fatigue to their workers.

SafeWork NSW recommends that employers develop a fatigue policy in consultation with their employees. The policy should define clear roles and responsibilities for employers that include the management of excessive working hours, workplace assessments of fatigued workers to gauge fitness for work, and procedures for reporting hazards and managing risks.

 

Complaints and legal claims relating to alleged police misconduct are costly to the State

Frontline police are more likely to be recipients of public complaints than other police as they have more interaction with the public during events such as domestic violence incidents, assaults, neighbourhood disputes, mental health incidents, and other crime responses. Specialist police such as detectives and forensic experts have less interaction with the public and therefore receive fewer public complaints.

Frontline police told audit staff that complaints against them have significant impacts on their wellbeing. These negative impacts are compounded by the fact that police are not told about the nature of the complaint against them or the name of the complainant. For many police, this process seems unjust as in some instances, they have no information about what they have done to receive the complaint, and no recourse to defend their case.

Public complaints about police are handled differently across the six police regions. In one region, the region commander has determined that police will not be informed about complaints that are shown to be vexatious and declined. This is to ensure that morale is not affected. In another region, all complaints are reported to police, even if they are declined. Some police argue that declined complaints should not be recorded on their files, as is the current practice. They advise that complaints can have an adverse impact on their promotion eligibility, even when the complaints are vexatious.

Police told us that there was an inadequate level of wellbeing support available for officers who were subject to complaints or investigations. Complaint and investigation policies and procedures make mention of the availability of Employee Assistance Program services, but this is the only external support. According to the policy, local commanders are responsible for monitoring the welfare of complaint recipients and all other people involved. Procedure documents do not include any requirement for commanders to refer police to wellbeing support services.

During the five years from 2019–2020 to 2024–2025, a total of 2,124 legal claims were made against NSW police employees for misconduct matters. The NSW Police Force paid $155.44 million to settle these claims over the five-year period. Despite the significant cost of these claims, the NSW Police Force does not report basic information about these legal matters. The NSW Police Force does not report on the number of claims that were settled via payments to claimants, the number of claims that proceeded to Court, or the claims that were successfully defended in Court.

Since 2019–2020, there have been increases in psychological injury claim numbers and costs across the NSW public sector, for police these costs have risen by almost 50% year on year

Despite increases in mental health services and psychological support for police, the costs of psychological injuries have been increasing year on year. While compensation claims for physical injuries occur at more than twice the rate of psychological injury claims, the costs associated with psychological injury claims are higher than for physical injuries. Compensation costs to psychologically injured police totalled approximately $1.75 billion from 2019–2020 to 2023–2024. The NSW Police Force is not alone in experiencing increases in psychological injuries and costs; higher claim numbers and costs are also evident in other NSW government agencies.

Police compensation costs were covered by two different insurance schemes during the five years from 2019–2020 to 2023–2024. The icare workers compensation insurance scheme covered costs of $927.84 million, and the Police Blue Ribbon Insurance Scheme covered $817.29 million in costs. The Police Blue Ribbon Insurance Scheme was managed by a private insurer.

From 2019–2020 to 2023–2024, NSW police employees made approximately 3,080 compensation claims for physical injuries each year, compared to a yearly average of 1,100 claims for psychological injuries. Over this timeframe, psychological claims accounted for 74% of the total compensation claims costs, with physical injuries accounting for 26% of costs.

Exhibit 6 shows the number of physical and psychological compensation claims each year, and the claim costs for the different injury types by year.

Appendix 1 – Response from entity

Appendix 2 – About the audit

Appendix 3 – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #408 - released 11 June 2025


Universities 2024

Universities
Artificial intelligence
Compliance
Cyber security
Financial reporting
Information technology
Internal controls and governance
Risk
Service delivery

About this report

Financial audit results of the NSW public universities’ financial statements for the year ended 31 December 2024.

Findings

Unmodified audit opinions were issued for all ten universities.

Six universities reported net deficits in 2024, compared to eight in 2023. Nine universities’ net results improved from 2023.

The main driver of revenue growth in 2024 was a 25.5% increase in fees and charges revenue from overseas students, due to increased enrolments of 18.9%. Revenue from domestic students increased by 12%, however, enrolment numbers remain below 2020 levels.

In 2024, revenue growth of 14.9% exceeded the 9.4% growth rate of expenses. However, universities are still recovering from the shortfalls experienced in 2022 and 2023 following financial disruptions caused by the COVID-19 pandemic.

Half of the universities show indicators of financial risk in the form of liquidity ratios of less than one and having less than three months of cash reserves to fund operating and financing activities.

The number of reported audit findings has decreased from 111 in 2023 to 98 this year. Most control deficiencies related to information technology/cyber security, governance, and payroll.

Universities are not consistently following their own procedures for recording cyber incidents, data breaches and privacy breaches.

Data breaches that required mandatory notification resulted in unauthorised access and disclosure of personal information, and were mainly caused by phishing attacks and human error.

Recommendations

Universities should:

  • finalise mitigating actions to address the risk of future wage underpayments and prioritise repayments to affected staff
  • adequately prepare themselves to comply with the climate disclosure requirements under NSW Treasury’s reporting framework
  • clearly document the requirements for business cases and post-completion reviews for capital projects
  • comply with established processes when recording cyber security incidents and data breaches
  • require staff to complete cyber security training regularly, include simulated phishing attacks and provide students with basic cyber security training
  • create a central artificial intelligence (AI) inventory, establish and implement an AI policy and consider the benefits of establishing an AI strategy.

 


Governance of the National Agreement on Closing the Gap in NSW

Premier and Cabinet
Whole of Government
Collaboration
Internal controls and governance
Project management
Workforce and capability

About this report

This audit assessed the effectiveness of the governance arrangements for the implementation of the 2020 National Agreement on Closing the Gap (the National Agreement) in NSW.

The stated objective of the National Agreement is to overcome entrenched inequality faced by Aboriginal and Torres Strait Islander people. It is an agreement between all Australian governments.

The implementation of the National Agreement in NSW is led by the Premier’s Department and the NSW Coalition of Aboriginal Peaks (NSW CAPO). NSW CAPO is a group of Aboriginal Community-Controlled Organisations that advocate for the rights and wellbeing of Aboriginal people in NSW.

Findings

The governance arrangements are not operating effectively.

Formal shared governance bodies have been established, but the governance structure does not provide clear accountability for the delivery of National Agreement initiatives or drive the behaviours needed to achieve the National Agreement’s stated outcomes.

The Premier’s Department and NSW CAPO agreed to work together to implement the National Agreement, but they have not formed a genuine partnership.

Recommendations

The report made four recommendations that aim to:

  1. increase the accountability of NSW Government agencies for implementing the Priority Reforms of the National Agreement
  2. ensure the Premier’s Department and NSW CAPO are working in genuine partnership
  3. improve the planning and oversight of the implementation of the National Agreement in NSW
  4. improve the transparency of NSW CAPO’s work conducted under the National Agreement.

Appendix 1 – Response from entities

Appendix 2 – Priority Reforms and socio-economic outcomes in the National Agreement

Appendix 3 – About the audit

Appendix 4 – Performance auditing

 

Parliamentary reference - Report number #407 released 29 May 2025.

 


Government advertising 2023-24

Health
Finance
Management and administration
Procurement
Project management

About this report

This audit examined whether activities relating to Cancer Institute NSW’s (the Cancer Institute) 2023–24 anti-tobacco and vaping control campaigns were carried out effectively, economically and efficiently, and in compliance with the Government Advertising Act 2011 (the Act), the Government Advertising Regulation 2018 (the Regulation), other laws, and the NSW Government Advertising Guidelines.

Findings

The Cancer Institute’s anti-tobacco and vaping control campaigns complied with the requirements of the Act, the Regulation and largely complied with the Advertising Guidelines.

The vaping control campaign’s evaluation indicates that the campaign was effective in reducing the uptake of vaping among young people in NSW.

The anti-tobacco campaign achieved positive results but did not meet two of its key outcome targets. However, these were set prior to a reduction in the campaign’s budget and so it is not clear whether the campaign was undertaken effectively.

The Cancer Institute ensured that the audiences for both campaigns were targeted through appropriate media channels and with inclusive messaging.

The Cancer Institute conducted a cost-benefit analysis for each campaign and demonstrated that the campaigns likely represented value for money.

Both campaigns were undertaken economically. The Cancer Institute directly negotiated with a provider to develop the creative materials for its vaping control campaign, but took steps to ensure that value for money was still achieved.

Smoking tobacco is the greatest preventable cause of cancer in NSW, causing one in eight cancer cases and one in five cancer deaths. Lung cancer remains a significant cause of death in Australia, with about 81% of lung cancer cases estimated to be caused by smoking. Smoking rates have declined over recent years, and in 2023, 10.8% of NSW adults were daily or occasional smokers. This proportion is significantly higher among Aboriginal people (29.7%) and people of lower socioeconomic status (18%).

The Cancer Institute runs annual anti-tobacco campaigns that aim to communicate and personalise the health risks of smoking and increase individuals’ sense of urgency around quitting. The 2023–24 anti-tobacco campaign ran from 2 April 2024 until 30 June 2024. It aimed to persuade NSW smokers over the age of 18 that quitting is achievable and to encourage them to use the available smoking cessation support services to successfully quit smoking.

The anti-tobacco campaign comprised two elements. The ‘16 Cancers’ element highlighted why people should quit smoking. The ‘Beat the Cravings’ element provided information on how to quit and aimed to give people the confidence to reach out to cessation services. The anti-tobacco campaign was delivered through a variety of channels, including television, radio, outdoor advertising, social media and print. It cost approximately $4.1 million.

The anti-tobacco campaign included two additional digital sub-campaigns:

  • ‘New Year, New You’ – which aimed to leverage New Year’s resolutions as an opportunity to quit smoking. The Cancer Institute had run this campaign during the four preceding financial years using the same creative assets. The campaign ran in December 2023 and January 2024.
  • ‘Quitting Smoking in Pregnancy’ – which was designed to motivate and support expectant mothers to quit smoking and reduce harm to both mother and baby. The campaign, which ran from 2 April 2024 until 30 June 2024, had been run in the previous financial year and re-used the same creative assets.

Vaping involves the inhalation of an aerosol vapour by way of an e-cigarette, which delivers nicotine and other chemicals to the lungs. This typically includes hundreds of toxins and chemicals with various health impacts, including those linked to cancer. In NSW, e-cigarette usage among 16–24-year-olds is the highest of any age group and more than twice the rate of the general population (19% in 2022–23 compared to 8.5% in the general population). This represents a seven-fold increase from 2018–19. It also creates the risk of a new generation becoming addicted to nicotine and increasing the uptake of tobacco smoking, thereby further increasing the risk of cancer.

The NSW Government previously delivered vaping control campaigns focused on awareness about the dangers of vaping in 2021–22 (managed by the Ministry of Health) and in 2022–23 (managed by the Cancer Institute). The 2023–24 campaign ran from 14 January 2024 to 22 June 2024. It aimed to effect behavioural change by encouraging young people aged 14–24 to remain vape-free or to quit vaping. The campaign was based on new creative assets ‘Every Vape is a Hit to Your Health’, which aimed to confirm the health harms of vapes, address the social norms around vaping, and upskill young people to reject or quit vaping. The vaping control campaign was delivered through a variety of channels, including social media, online video, audio streaming, outdoor advertising, search engine marketing and influencers. The cost of the 2023–24 vaping control campaign was approximately $2.9 million.

Appendix 1 – Response from entities

Appendix 2 – About the audit

Appendix 3 – Performance auditing

 

Parliamentary reference - Report number #406 released 27 May 2025.

 


Emergency relief grants

Industry
Planning
Compliance
Fraud
Internal controls and governance
Management and administration
Risk

About this report

The NSW and Commonwealth governments announced the Special Disaster Assistance (SDA) grant program to support primary production businesses affected by significant flood events in areas of NSW in August and September 2022.

This audit assessed whether the NSW Rural Assistance Authority (RAA) and the NSW Reconstruction Authority (Reconstruction Authority) implemented the SDA - storms and floods AGRN 1030 and AGRN 1034 program in line with the principles and mandatory requirements outlined in the Grants Administration Guide, and in line with the program guidelines.

This audit was conducted following a request from the Special Minister of State that the Auditor-General conduct a recurring performance audit of emergency relief grants under section 27B(3)(c) of the Government Sector Audit Act 1983.

Findings

The RAA and the Reconstruction Authority followed the program guidelines and met most of the requirements of the Grants Administration Guide in administering the program.

However, the RAA did not implement appropriate controls to mitigate the risk of fraud for applicants who received only the upfront payment of $25,000. It did not require evidence of how these funds would be spent, or validate claims of estimated damage, before distributing the payments. The total value of these payments was approximately $40 million.

The RAA conducted an effective process to determine each applicant’s eligibility for the program and implemented appropriate fraud controls for higher-value grants.

The Memorandum of Understanding between the RAA and the Reconstruction Authority has not been updated since 2015. Neither agency conducted a cost-benefit analysis to assess value for money or planned an evaluation of the program. There were also gaps in the way that the RAA managed program risks.

Recommendations

Both audited agencies should:

  • update the Memorandum of Understanding to better define responsibilities for grants administration.

The NSW Rural Assistance Authority should:

  • improve its risk management of grant programs by:
    • defining its risk tolerance
    • ensuring appropriate controls to reduce fraud risks are in place
  • ensure that conflict of interest declarations are collected from all assessment and claims staff
  • update its cost estimate model
  • develop additional performance measures for future grant programs.

The NSW Reconstruction Authority should:

  • complete the cost-benefit analysis and outcome evaluation for the program.

New South Wales experienced multiple rain events between February and November 2022, which resulted in flooding across the state. Owing to the significant impact of this flooding on primary producers, the NSW and Commonwealth governments announced a series of SDA grant programs to support primary production businesses.

The purpose of the AGRN 1030 (Southern and Central West NSW Floods from August 2022 onwards) and AGRN 1034 (NSW Flooding from 14 September 2022 onwards) SDA program was to provide a timely and proportionate response to minimise the impact these storm and flood events had on primary producers and allow them to return to normal operations as soon as possible. Applications for the SDA program opened on 18 November 2022 and closed on 30 June 2023.

Under the AGRN 1030 and 1034 SDA program, 28 LGAs were declared disaster-affected in Southern and Central West NSW in August 2022. A further 47 LGAs were declared disaster-affected across NSW in September 2022, including all 28 LGAs affected by the August event, bringing the total to 75 declared LGAs plus the Unincorporated Far West Area.

The agencies’ Memorandum of Understanding does not clearly set out responsibilities for key aspects of grant program development and evaluation

The GAG sets out expectations for how multiple agencies involved in grants administration should define responsibilities, including:

  • agencies should agree between themselves which agency is responsible for applicable mandatory requirements set out in the GAG during the planning and design phase of a grant program
  • mandatory requirements are recommended to be captured in a MoU, particularly if funds are transferred between the agencies for the purpose of delivering the grant.

The MoU between the Reconstruction Authority and the RAA was last updated in 2015 and does not clearly set out responsibilities for some of the mandatory requirements of the GAG.

For example, the MoU does not specify which agency was responsible for the design of the program, including the responsibility for conducting a CBA during its development. A CBA was not conducted during the program’s development. This is discussed in more detail below. The MoU sets out some responsibilities relating to the evaluation of the program but it does not establish responsibility for determining whether the outcomes and benefits of the program were realised. Under the MoU:

  • the RAA is required to submit a Post Disaster Assessment Report which captures data on the number of applications, number of approvals and value of grants paid
  • the Reconstruction Authority is required to operate a compliance function to ensure that expenditure claimed against the DRFA complies with the NSW Disaster Assistance Guidelines and the MoU.

These evaluation mechanisms only relate to financial and probity oversight and do not include responsibilities for key aspects of evaluation, including determining if the program met intended outcomes and the impact of the program relative to its costs.

In addition, the MoU does not outline which agency was responsible for probity in program design, defining the risk tolerance for the program or for the management of program risks. Key risk management activities such as defining program risk tolerance and the ongoing monitoring of program risks were not conducted.

The RAA and the Reconstruction Authority are working together to draft an updated MoU. However, as at April 2025 the MoU had not been finalised.

The Rural Assistance Authority did not clearly define its risk tolerance for this program

The Reconstruction Authority identified key risks and defined its tolerance for strategic risks, such as those relating to the administration of the DRFA. The Reconstruction Authority did not define a risk tolerance that was relevant to this program, but it was not responsible for administering the program and so the RAA was best placed to identify a relevant program risk tolerance.

The RAA did not define its tolerance for key program risks, such as in a risk appetite statement. Although the GAG does not mandate the development of risk appetite statements for grant programs, the lack of a risk appetite statement meant that there was no guidance available for the RAA as the administering agency to inform risk-based decisions, including risks relating to balancing the risk of fraud with speed of assessment.

The program’s Assurance and Probity Plan assessed the program as having a low probity risk, but the RAA did not retain documentation to explain how this risk rating was determined. The RAA advised that the program was assessed as low-risk because:

  • it was open and non-competitive
  • it did not involve any discretionary decision-making or external involvement in decision-making
  • there was no comparative merit-based assessment against other applicants.

The RAA also advised that the program was considered low-risk because the agency had previously administered similar programs and therefore was aware of the inherent program, grantee and governance risks. As there was no risk appetite statement in place, this assessment was made without a formal framework that considered the RAA’s overall approach to risk.

A risk appetite statement may have informed key decision points in the program. For example, the RAA did not require evidence of how funds would be spent before distributing upfront payments. This increased the risk that fraudulent applications would be approved. Defining its risk tolerance for the program may have helped the RAA to manage this risk.

In addition, in October 2023, the RAA implemented a rule which stated that it would not validate proof of payment for reimbursements below $2,500, which it termed the ‘de minimis’ rule. The RAA considered the impact of this change on fraud risk. However, because it did not have a defined risk tolerance to assist with decision-making, the RAA did not have a framework to determine whether these risks were within the tolerance it was willing to accept.

The Department of Regional NSW (DRNSW) had a risk management framework in place at the time of the program; it defined a risk tolerance across all of DRNSW for various types of risk, including for entities like the RAA, which formed part of DRNSW at the time. It stated that the agency had a low-risk appetite for fraud and corruption. Although the RAA’s risk management plan aligns with DRNSW’s approach, there is no evidence that the RAA used DRNSW’s risk appetite statement to guide its decision-making in relation to risk-based decisions.

The Rural Assistance Authority identified risks for the program but it did not adequately monitor these risks

The RAA Risk Management Plan states that the program Steering Committee is responsible for overseeing and monitoring the program risk register throughout the program’s lifecycle. Although the Steering Committee monitored risks prior to the program launch, it did not meet after the program launched and there is no evidence that the program risk register or program risks were reviewed, discussed or monitored beyond this point. This lack of monitoring meant that the RAA did not have a comprehensive view of how changes in the program risk profile may have impacted program delivery. Risks were reported at each of the Steering Committee meetings that occurred before program launch, but these risks remained the same at each meeting even when those risks were no longer relevant. The Steering Committee’s minutes are not clear on whether the risks were discussed in detail or reassessed during these meetings.

The RAA created a risk register for the program, including designing controls for each of the identified risks and identifying actions to further reduce those risks. The program risk register was last updated in October 2022, with no evidence that this document was updated regularly after this date. This is despite changes in the program’s risk profile. For example, the risk register identified a risk related to the program being upgraded from DRFA category C to category D which would result in a more complex application process. This change in category occurred, impacting the program’s overall risk profile. However, there was no evidence that the program’s risk register was revised once the program changed to a category D program.

The RAA designed and implemented mitigating controls to reduce the likelihood or impact of identified risks. For example, to reduce the risk of fraudulent applications, the agency required financial assessments of all applicants to be conducted to ensure their eligibility for the program. The RAA undertook these financial assessments for each applicant. The RAA also included a declaration on the application form to provide a legal avenue to recover fraudulently acquired funds.

The RAA also identified a risk that program delivery would not be timely. To mitigate this risk, the RAA planned to monitor and report on processing and notification times for the program. As discussed below, the RAA regularly reported to the executive on program timelines, though there were long processing times for both assessments and grant claims.

The RAA’s enterprise risk management occurs through the agency-wide Assurance Working Group (AWG). This group is responsible for reviewing key business processes, high-risk areas and key risk controls that inform business improvement processes. The group only discusses broader, enterprise-wide risks relevant to the RAA’s agency-wide objectives, rather than program-specific risks. Although some of the risks that are reviewed by the AWG may be relevant to the management of the RAA’s programs, risks specific to each program are not discussed in the AWG. The AWG did not review or discuss the program’s risk register, demonstrating that it was not responsible for the program-level risks. The AWG monitoring alone was not sufficient to manage risks to the AGRN 1030 and 1034 program, as program-level risks were not monitored specifically.

The Rural Assistance Authority implemented appropriate fraud controls for higher-value grants, but not for applicants who only received the up-front payments

The GAG requires agencies to develop and implement fraud controls that are proportionate to the value and risk of the grant. RAA identified the risk of fraudulent applications being submitted to the program as high, due to the substantial value of the grants. However, the controls in place to mitigate the risk of fraud posed by people only claiming the upfront payment were not appropriate given the value of the grant.

Under the program guidelines, applicants were able to receive the upfront payment of up to $25,000 without providing proof of payment. The program guidelines stated that the payment would be provided on the basis of quotes or estimated costs. The RAA required applicants to provide an estimated value of damage and a description of the impact of the flood event(s). If applicants did not claim any further funding above the $25,000 threshold, they were not required to submit any further documentation to prove that the applicant planned to spend the upfront payment on eligible expenditure in compliance with the guidelines.

In addition to not requiring evidence of how the grant recipient planned to use their upfront payment, the RAA also did not collect proof that the payment had been spent on eligible items to confirm that it complied with the grant guidelines, unless an applicant was making subsequent claims for funding above the upfront payment. As it did not seek to validate the planned or actual use of the upfront payment, the RAA did not put in place appropriate controls to manage the risk of fraud among the upfront payments.

Of the 8,959 approved and disbursed applications to the program, 1,701 claimed $25,000 or less and were therefore only required to submit an estimate of their damage to receive the grant. This made up 19% of applications to the program, with a total value of approximately $40 million. Some of these applicants provided further evidence to support their claim, but this was not required. The provision of up-front grants is discussed further in the next chapter.

The RAA did require paid tax invoices to be provided prior to payment of claims above the upfront $25,000. For payments above this threshold, applicants were required to provide invoices and proof of payment for both the upfront payment and any amount over the $25,000. A payment officer checked this evidence for claims, and this work was verified by a program officer. This served as an appropriate control for the risk of fraudulent applications above the upfront payment threshold.

The RAA advised that it engaged with Service NSW and the RAA’s equivalent agencies in Queensland and Victoria to ensure applicants were not applying for payments under other grant programs that may have resulted in their ineligibility for the SDA program. Applicant details were cross-referenced with a list of applicants from these grant programs as part of the eligibility assessment process.

The RAA identified 32 out of 10,715 applications as potentially fraudulent. The value of these applications was $982,002, with only one of these grants being disbursed. The RAA is in the process of reclaiming the $25,000 payment from this applicant. The limitations of the fraud controls in place mean that the RAA is not able to determine if potential fraud rates within the program are higher.

The Rural Assistance Authority obtained internal probity advice for the program

The GAG requires officials to seek probity advice for complex, high-risk or high-value programs to support the design, application, assessment and decision-making phases of the program. The RAA identified this program as having a low probity risk and as such the GAG requirement did not apply. As noted above, the rationale for assessing the program as low-risk was not documented.

The program’s Assurance and Probity Plan outlined its assurance activities, along with the responsibilities for and frequency of these activities. The plan advised that due to the program being assessed as low-risk, an external probity advisor was not required. As such, the RAA sought internal probity advice, which was provided by staff from the governance team.

The Rural Assistance Authority did not effectively identify conflicts of interest

The GAG states that officials should ensure that any real or perceived conflicts of interest are effectively avoided, managed and disclosed. The RAA’s Fraud and Corruption Control Plan documents a series of controls and their owners, and outlines how the agency should identify and control potential fraud and corruption by its staff and third parties. The plan describes a series of controls to manage conflicts of interest, including developing conflict of interest registers for each program and training with common scenarios and guidance from senior staff. The RAA did not ensure that conflicts of interest for those administering and overseeing the program were identified and therefore effectively managed.

The Assurance and Probity Plan outlined a requirement for all Steering Committee members to make an active conflict of interest declaration for the program, including declaring if they did not have a conflict. Five of the 16 members of the Steering Committee did not make any declaration for the program, and four of these five members had not made an annual conflict of interest declaration.

In addition, 63 of the 88 officers involved in the assessment or payments processes for the program did not have a conflict of interest declaration recorded. Most of these officers were temporary staff employed specifically to process applications for the SDA programs. This was because the RAA’s onboarding documentation only required staff to identify if they had a conflict of interest. It did not require staff to assert that they did not have a conflict of interest, which is not in line with good conflict of interest management. All staff, including those engaged temporarily, are required to complete a training module on DRNSW’s code of ethics and conduct during onboarding and to complete it again annually as part of their refresher training.

The Assurance and Probity Plan stated that RAA policies and procedures relating to conflicts of interest are consistent with DRNSW conflict of interest policies. However, DRNSW did not have a specific conflict of interest policy in place when the program was being administered. In place of a specific policy, DRNSW’s Code of Ethics and Conduct contained a brief outline of the process for declaring conflicts of interest. The process outlined did not cover risk mitigation strategies for conflicts, review of disclosures or the process for handling breaches.

The Department of Primary Industries and Regional Development, which RAA is now a part of, implemented a specific conflict of interest policy in November 2024, along with an updated Code of Ethics and Conduct. The new policy requires staff who work in high-risk roles to submit an annual conflict of interest declaration. High-risk roles are defined in the policy to include those involved in administering or advising on grants or approvals. The RAA advised that it has adjusted its procedures to require all RAA staff to complete an annual conflict of interest declaration, in line with this policy.

The Rural Assistance Authority did not actively manage conflicts of interest for the program

The conflict of interest declarations made by RAA assessment and payment officers are held in a register managed by DRNSW. The Fraud and Corruption Control Plan advised that the RAA’s conflicts of interest would be managed by key RAA staff for the SDA programs. Due to DRNSW’s management of the conflict of interest register, the RAA could not readily access declared conflicts of interest without having to make a specific request to DRNSW. This limited the RAA’s oversight of conflicts of interest.

RAA advised that assessment and payment officers were able to see some details of each applicant prior to processing their applications so they could determine if they had a conflict of interest. If they identified that they had a conflict of interest, they would be deemed unable to complete the assessment or approval and another staff member would undertake it. If a staff member wished to apply for a grant under the program, the staff member had to declare the application through DRNSW’s declarations portal. The assessment and approval of this application had to be performed by an independent staff member.

The RAA was reliant on staff identifying conflicts and recusing themselves from processing applications and claims where required. There is no evidence that line managers actively monitored the processing of applications or claims to ensure staff were not processing applications or claims where there was a declared conflict of interest.

In addition, staff were required to recuse themselves from assessment or approval of grants for their relatives. This was an informal process managed by the officer’s line manager, and the RAA advised that these situations were recorded as a file note. The RAA did not monitor these cases at a program level. If it was perceived as a conflict, officers were required to formally submit a conflict of interest declaration for the register.

The program guidelines mostly aligned with Grants Administration Guide requirements

The GAG mandates that grant program guidelines include the following information:

  • the purpose and objectives of the grant
  • selection criteria and assessment process
  • grant value
  • opening and closing dates
  • any support available to grant applicants
  • application outcome date (not relevant for this program)
  • source agency or agencies
  • the decision-maker.

The program guidelines met all of the above requirements. The program’s overall compliance with the mandatory requirements of the GAG is set out in Appendix 2.

The GAG also states that, where relevant, a description of complaint handling and review and/or access to information mechanisms should be included in program guidelines. The guidelines for the program did not include a description of the complaint handling process, despite the RAA having an appeals process for the program. This process was attached to refusal emails sent to applicants, along with a link to lodge an appeal. Although refused applicants were made aware of this process, this was not communicated to all potential grantees in the program guidelines. Publishing this information in the guidelines could have provided a more accessible and transparent system for applicants.

Neither agency conducted a cost-benefit analysis to assess value for money in the program design as required by the Grants Administration Guide

The GAG requires public officials to demonstrate at the planning and design stage of the program how it will deliver value for money by identifying benefits and costs. This CBA provides a valuable tool for decision-makers to understand the expected impact of a program.

Neither the RAA nor the Reconstruction Authority conducted a CBA at the program design stage to assess the grant program’s value for money. As a mandatory requirement of the GAG it was necessary for the agencies to ensure that the CBA for the program was undertaken. Neither agency was assigned responsibility for conducting a CBA in the MoU.

The GAG advises that for time-critical grant opportunities, which likely includes emergency relief grants, it may be possible to assess value for money through a more streamlined rapid CBA. This was not undertaken as an alternative. NSW Treasury’s Disaster Cost Benefit Framework (TPG23-17) also outlines the requirements for disaster-related programs’ CBA. It advises that when responding to a disaster there may be insufficient time to complete a CBA prior to funding.

For grant programs over $50 million, the GAG recommends that the post-program evaluation includes a CBA. In addition, TPG23-17 states that where disaster resilience initiatives valued at over $10 million are not supported by a business case and CBA, it is mandatory to complete an evaluation and ex-post CBA within a reasonable period of time. The Reconstruction Authority plans to conduct an economic evaluation of the program that will include a post-program CBA. A CBA conducted after the program can assist in determining whether the program achieved its intended objectives and provided value for money.

The Rural Assistance Authority’s model for estimating the total cost of the program significantly underestimated the total expenditure

While a CBA was not undertaken, the RAA did estimate the costs of the program before it launched. The RAA had commissioned modelling in 2021 to allow it to estimate the costs of future disaster events. The model used previous disaster events, including flood events, to predict the number of applicants, the number of approved applications, the amount of funding predicted to be approved and the amount of funding predicted to be disbursed to applicants. The RAA model used data from the February to March 2021 and the November 2021 flood events to underpin its assumptions. While these were the two most recent completed flood programs, the 2022 flood events were significantly larger and saw different applicant behaviour than that observed in the previous two events. There is now an opportunity for the RAA to revisit its cost estimate modelling to update the assumptions that are used with data from the 2022 SDA programs.

Using this model, the RAA estimated that the total cost of the program would be $267.6 million; it provided this estimate to the then Resilience NSW to inform the overall program budget. The RAA first advised the then Resilience NSW about this figure on 27 October 2022 and again on 7 November 2022. When the RAA first provided this advice, 55 LGAs had been disaster-declared and were therefore eligible for the program. When the RAA provided this advice the second time, 66 LGAs had been disaster-declared but the RAA did not update its assumptions to revise the expected program expenditure. If it had updated its assumptions, the RAA could have provided more accurate figures to the then Resilience NSW to estimate the program budget. A total of 75 LGAs and the Unincorporated Far West Area were disaster-declared.

The total program cost of $536.5 million was double the initial estimate. The model had a number of assumptions that resulted in this cost being underestimated. Even if cost estimates had factored in all of the disaster declared areas, the total cost of the program would most likely have been underestimated due to these other assumptions proving inaccurate. The assumptions and estimates compared to actual expenditure are outlined in Table 2 and include:

  • an underestimation of the amount that each applicant would apply for
  • the percentage of applicants that would be approved
  • the amount of money that each approved applicant would claim back from their allowed maximum.

Table 2: Estimated and actual costs

| | Estimated | Actual |
|---|---|---|
| Total applications | 9,492 | 10,715 |
| Approved applications | 7,155 | 9,030 |
| Approval rate | 75.4% | 84.3% |
| Total application amount | $447.1 million | $736.6 million |
| Total approved amount | $370.8 million | $631.1 million |
| Total disbursed amount | $267.8 million | $536.5 million |
| Percentage of approved funding disbursed | 72.2% | 85.0% |
| Average application amount | $47,105 | $68,746 |
| Average amount approved | $51,823 | $69,895 |
| Average disbursed amount | $37,396 | $59,881 |

Source: Rural Assistance Authority modelling and Audit Office of NSW analysis.

Further, there were some differences between the 2021 flood programs and the AGRN 1030 and 1034 flood events. In particular, the previous events allowed six months for applications and 12 months for claims. In this case, the program was open for seven months and claims were open for 18 months, providing a greater opportunity for businesses to lodge applications and claims. The RAA advised that the Reconstruction Authority did not request forecasting based on these extended application and claim periods.

Inaccurate cost estimates meant that decisions were made on the basis of incorrect assumptions. The approved program budget assumed that $267.6 million was an accurate forecast; however, the Reconstruction Authority had to seek approval in August 2023 and May 2024 for additional funds to make up the program shortfall. The RAA advised that monthly forecasts were provided to the Reconstruction Authority to support the request for additional funds. In addition, the RAA based its resourcing and administration assumptions on the initial cost estimate, meaning that its estimated administration costs and the number of staff contracted to administer this program were significantly lower than would have been the case if the assumptions had been more accurate. The RAA added more staff during the program when it became clear that the program would exceed the expected level of demand.


7 A ‘Show Cause’ letter was issued to this applicant to provide them the opportunity to rectify the issues identified with their application. As the applicant did not respond, a tax invoice was issued requesting the payment to be repaid to RAA.

 

The Rural Assistance Authority conducted an effective process to determine each applicant’s eligibility for the program

The GAG states that all grants should have clear eligibility criteria that outline the minimum requirements an applicant must meet to be eligible for funding. The program guidelines outlined the criteria that would determine applicant eligibility for the grant. Administering a program in accordance with its guidelines is a mandatory requirement of the GAG. This is essential to ensure the program is administered fairly and that the program achieves its objectives. The program’s overall compliance with the mandatory requirements of the GAG is set out in Appendix 2.

To determine whether the grant program had been administered in line with the program guidelines, the audit team tested a sample of applications, which included the assessment of application eligibility. All approved applicants examined by the audit team were correctly found to be eligible. All rejected applicants in the sample were correctly found to be ineligible.

To ensure applicants were assessed equitably against the eligibility criteria, assessment officers were provided with an assessment template and training guidance. This documentation provided guidance on interpreting the program guidelines and was designed to ensure that each applicant would be assessed consistently.

In line with the program guidelines, assessment officers reviewed the lodged tax returns and financial statements to ensure that applicants derived at least 50% of their gross income from the primary production enterprise. They also reviewed applicant ABNs to ensure that these were active and current at the time of the flood event(s), and LGA rate notices to determine if the enterprises were located within an eligible area. Applicants were also required to provide an estimated value and description of damage incurred.

The assessment of this evidence was entered into the assessment template for each applicant and the completed template was provided as written advice to a program officer as the decision-maker. The program officer then approved or declined the application based on the advice provided by the assessment officer. For each application, the RAA retained documentation that related to the application outcome and the reasoning behind the outcome. It also documented the decisions on both approved and rejected applications.

The Rural Assistance Authority processed most claims for the grant program in accordance with the program guidelines and the Grants Administration Guide

The program guidelines outlined a list of items and activities that were eligible for reimbursement, along with the evidence required to claim. This list was created to ensure that only eligible expenses were reimbursed. In addition, the RAA provided further guidance to payment officers, particularly covering more difficult situations that may arise. This included creating a payment schedule template. This documentation aimed to ensure that each claim was assessed against the same criteria.

For anyone seeking to claim additional funds after receiving the upfront payment, payment officers reviewed the invoices submitted, including the supplier, date, invoice amount and the description for each claim. Payment officers reviewed the invoice item descriptions to determine if expenses were eligible for reimbursement under the program guidelines. In addition, payment officers reviewed proof of payment for these invoices, usually in the form of bank statements. The payment schedule and the supporting evidence were provided to the program officer as written advice for approval or denial.

The procedure for assessing and processing the upfront payments is discussed in detail below.

The audit team tested a sample of applications for the program, which included the processing of claims for these applications. The sample demonstrated that invoices and proof of payment were retained for all applicants who claimed funding above the $25,000 upfront payment amount. Payment schedules were generated for these applicants, and invoice and payment data was entered into the schedule template to evidence claim eligibility. The payments made aligned with the invoices and followed the established process.

Most of the applicants in the sample were only reimbursed for eligible expenditure. The audit team identified one applicant who was reimbursed for ‘business advice post-flood’, which was not eligible expenditure under the program guidelines. The documentation retained for this applicant did not outline any reasons for approving the ineligible expense, as required by the GAG.

Applicants were required to provide proof of payment for any previous SDA grants they had made under the other 2021 and 2022 storm and flood disaster events before they could receive payment from the AGRN 1030 and 1034 SDA program. Payment officers checked if applicants had made claims under previous programs and validated this expenditure as per the guidelines.

The Rural Assistance Authority did not require evidence of how funds would be spent or validate claims of estimated damage before distributing the upfront payments

Applicants who had not successfully applied for grants under previous iterations of the SDA program were entitled to an upfront payment of $25,000 without the need to provide invoices at the point of application. Applicants who had received grant payments under previous SDA programs were only eligible for the upfront payment if they had fully validated their previous grant funding. The RAA advised that this was to assist primary producers with their cash flow by providing them with enough money to begin recovery works.

The program guidelines, which were designed by the RAA and approved by the then Resilience NSW, stated that payment would be provided on the basis of quotes or estimated costs. The guidelines also included an application checklist which specified the documentation the applicant would need to provide at the point of application. This checklist included ‘quotes, estimates, photos, valid tax invoices and proof of payment (if you have them)’. The program guidelines did not explicitly require applicants to provide evidence to support their estimates or to validate their expenditure post payment.

The frequently asked questions (FAQs) for the program, which were published on the RAA website, stated that reasonable evidence was required to be submitted by all applicants to prove damage from the flood event(s). The following examples of evidence were listed:

  • quotes or estimates for works to be completed
  • tax invoices of expenses incurred for clean-up or salvage works already completed following the flood event(s)
  • photos of damaged property with time, date and location stamps (not mandatory).

The audit team tested a sample of 16 applicants who received only an upfront payment of $25,000 or less. Two applicants in the sample submitted evidence of their intention to spend this money in accordance with the program guidelines, although this was not required by the guidelines. The remaining applicants submitted an estimated value of the damage and explained the impact of the flood on their business, which was confirmed by an assessment officer through a phone call. The RAA advised that the purpose of this phone call was to test the applicant’s claim against results from the Primary Industries Natural Disaster damage survey. This is an online survey that farmers, DPIRD, Local Land Services staff and agricultural industry representatives can use to record damage to primary production and animals from natural disasters such as floods, fires and storms. Assessment officers could use this data to assess if applicants’ claims were consistent with the level of damage recorded in the survey results.

Although not collecting this evidence was in line with the guidelines, it meant that the RAA could not ensure that applicants who applied for payments below the $25,000 threshold had estimated damage accurately, or validate that applicants intended to spend, or had in fact spent, the grant in line with the program guidelines. The lack of appropriate controls increased the risk of fraudulent applications being made for these upfront payments and funds being disbursed to those applications, as well as the risk that the upfront payments were not spent on eligible activities.

The program guidelines included a provision for the RAA to request additional evidence from applicants once a payment had been made. However, the RAA did not validate these applications post program to confirm that grant money had been spent in line with the guidelines.

There were long processing times for both assessments and grant claims throughout most of the life of the program

As discussed above, and as shown in Exhibits 3 and 4, there was a steady flow of applications and claims throughout the program before a sharp increase prior to the program closing. Due to the number of applications and grant claims exceeding the original estimates for the program, the RAA was not adequately prepared for the volume of applications, and this resulted in long processing times for both assessments and grant claims.

As can be seen in Exhibit 5, the average number of days required to process a grant application increased from 19 days for applications lodged in November 2022, the first month of the program, to 118 days for applications lodged in June 2023, the final month that applications were open. This excludes time where the RAA was waiting for additional information from the applicant. The RAA’s target was to process 80% of applications within 20 days. However, only 13.5% of grant applications for the AGRN 1030 and 1034 program were assessed in this timeframe. The average processing time for applications across the course of the program was 73 days.

 

The Rural Assistance Authority developed performance measures but there were no indicators for program outcomes

The RAA describes its overall objective as ‘farming businesses and other rural industries are more innovative, productive and resilient due to efficient provision of well-targeted government assistance programs by the RAA’.

To support this, the RAA has developed the following three performance measures that apply across all of the grant programs it administers:

  • timeframe to provide RAA assistance to the point of decision for grant applications – 80% of grant applications have a decision in 20 days
  • level of RAA customer satisfaction at the point of application – 80% of customers report a positive point of application experience
  • level of RAA customer satisfaction post-application – 80% of customers report a positive post-application experience.

The RAA aggregates performance across these indicators for all its grant programs, and the RAA also measures performance against these indicators for its programs individually. While these measures are all valuable in understanding the RAA’s grant administration performance, they do not allow for the outcomes of RAA programs to be evaluated. In particular, they do not consider a program’s impact on the RAA’s overall objective, such as the impact of the program on innovation, productivity and resilience. Measuring the outcomes of a program allows for an agency to determine whether the program has achieved its objective and was an effective use of money.

The timeliness indicator allows the RAA to measure one element of its efficiency by identifying the speed with which grant applications are assessed. However, there is no performance indicator in place to consider the timeliness of claim processing. Developing this performance indicator would allow the RAA to determine more clearly whether claims processing is occurring in a timely manner.

While customer satisfaction with the program was high, the Rural Assistance Authority did not meet its timeliness target

The RAA’s performance against its established targets for customer satisfaction at the point of application and post-application exceeded the targets of 80% of customers reporting a positive experience. To collect information about customer satisfaction, the RAA conducted an online customer survey with each applicant, where applicants were asked to rate their satisfaction with a variety of metrics, including satisfaction with program guidelines and ease of application.

The results of the RAA customer satisfaction surveys are shown in Table 3.

 

Table 3: Customer satisfaction with the AGRN 1030 and 1034 program

| Question | Satisfied | Neutral | Unsatisfied |
|---|---|---|---|
| Satisfaction with guidelines | 85% | 12% | 1% |
| Satisfaction with website | 80% | 15% | 2% |
| Satisfaction with staff assistance | 97% | 1% | 0% |
| Satisfaction with staff knowledge | 99% | 0% | 0% |
| Satisfaction with processing time | 81% | 13% | 5% |

Note that ‘satisfied’ includes both ‘satisfied’ and ‘very satisfied’ as a response, and ‘unsatisfied’ includes both ‘unsatisfied’ and ‘very unsatisfied’.
Source: RAA customer satisfaction surveys.


The results demonstrate that customer satisfaction with the program was high. This includes satisfaction with the processing time of applications which, as noted in the previous chapter, consistently worsened throughout the course of the program.

The RAA also asked about the difficulty of applications and the contract approval process. The results of these surveys are shown in Table 4.

Table 4: Customer views on the difficulty of processes in the AGRN 1030 and 1034 program

| Question | Easy | Neutral | Difficult |
|---|---|---|---|
| Difficulty of application | 69% | 24% | 5% |
| Difficulty of contract approval | 77% | 19% | 4% |

Note that ‘easy’ includes both ‘easy’ and ‘very easy’ as a response, and ‘difficult’ includes both ‘difficult’ and ‘very difficult’.
Source: RAA customer satisfaction surveys.

The RAA advised that it uses the difficulty of application and difficulty of contract approval results, shown in Table 4, to determine whether it has met its customer satisfaction results of 80% of customers having a positive experience. The RAA aggregates the easy and neutral results to determine whether the target has been met, meaning that even neutral results are considered positive experiences. Calculated this way, 93% of customers had a positive experience at point of application and 96% had a positive experience post application. This calculation means that the RAA exceeded its target of 80% of customers having a positive experience at the point of application and post approval. However, as shown in Table 4, if neutral responses are excluded from this analysis and only ‘easy’ or ‘very easy’ responses are included, the RAA did not meet this target.

The RAA had a target of 80% of grant applications having a decision in 20 days. The RAA advised that this only includes business days and does not include time that is spent waiting for applicants to provide additional information after RAA has requested it. With these rules applied, only 13.5% of grant applications for the AGRN 1030 and 1034 program were assessed within 20 days. It was important for RAA to assess applications in a timely way in order to fulfil the program purpose of providing a timely and proportionate response to the disaster event.

Program performance was regularly reported to the Rural Assistance Authority’s management, allowing it to provide oversight of the program

Each week, the performance of the RAA in the AGRN 1030 and 1034 program was reported to management as a high-level dashboard. This included a review of the number of applications per day, the number of applications completed each day, outstanding cases, customer satisfaction and total funding disbursed through the program. This allowed management to provide a degree of oversight of the program’s performance against its key performance indicators.

In addition, the RAA reported performance against all of its grant programs to its Audit and Risk Committee (ARC) on a quarterly basis. These reports contained an aggregation of the performance across all of the disaster grants being administered by the RAA, including the volume of applications, the completion rates of assessments and the amount of money disbursed. In addition, performance against the three performance indicators outlined above was also reported to the ARC. This reporting allowed the ARC to receive an agency-wide view of grant administration performance.

The Reconstruction Authority is planning to conduct an outcome evaluation for the program

While the GAG does not set out a mandatory requirement for officials to undertake an evaluation of the outcomes of a grant program, it does recommend that agencies make a decision on evaluating based on the value, risk and significance of the grant program. The GAG refers to the NSW Treasury policy TPG 22-22 Policy and Guidelines: Evaluation, which recommends an evaluation of programs valued at over $50 million. Given that the program disbursed $536.5 million, it is reasonable to expect an outcome evaluation to be undertaken as a matter of good practice.

As noted above, the MoU between the Reconstruction Authority and the RAA does not set out the responsibility for undertaking an outcome evaluation of the program. Similarly, there is no responsibility established in the MoU to determine the overall benefits delivered by the program as part of a CBA. Not outlining these responsibilities risks gaps in program evaluation for future grant programs. As a result of this gap, neither agency was assigned initial responsibility for planning an evaluation.

In December 2024, the Reconstruction Authority received approval to undertake an outcome evaluation that will allow it to determine the outcomes achieved by the program. This evaluation is also planned to include an evaluation of the overall benefits and outcomes of the program, an economic evaluation – which will fulfil the purpose of an ex ante CBA, discussed above – and a process evaluation, which will consider how the program has been delivered. In addition, the RAA conducted a process evaluation of the program in August 2023.

 

Appendix 1 – Responses from audited agencies

Appendix 2 – Program compliance with the Grants Administration Guide

Appendix 3 – About the audit

Appendix 4 – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #405 released 20 May 2025.


Northern Beaches Hospital

Health
Management and administration
Risk
Service delivery

About this report 

The Northern Beaches Hospital is a private hospital that also provides public hospital services. The hospital was built in 2018 and is operated by a private operator, Healthscope, in a public-private partnership with the NSW Government.

Healthscope is contracted to operate the public portion of the hospital until 2038. 

This audit assessed how effectively and efficiently the Northern Beaches Hospital public-private partnership delivers public hospital services.

Conclusion 

The Northern Beaches Hospital public-private partnership is not effectively delivering the best quality integrated health services and clinical outcomes to the Northern Beaches community and the State – the standard required under the arrangement and the key objective of the project deed. 

The partnership is at risk of failure, with Healthscope requesting in November 2023, and again in December 2023, that the return of the public portion of the Northern Beaches Hospital be brought forward by 14 years. In its requests, Healthscope noted the risk to the viability of the Northern Beaches Hospital, citing insufficient funding, a lack of integration into the wider health network, and strained stakeholder relationships. 

NSW Health effectively manages the contract with Healthscope day-to-day on behalf of the State, ensuring that public hospital activity at the Northern Beaches Hospital is provided at a lower cost than if the State operated the hospital. However, the public-private partnership structure creates tension between commercial imperatives and clinical outcomes. 

The Northern Beaches Hospital has recorded concerning results for some hospital-acquired complications and has not taken sufficient actions to address some identified clinical safety risks. 

The project deed, which governs the partnership, does not support the hospital’s integration into the local health district and broader health network. This has an impact on patient journeys and access to services for patients in the Northern Beaches. Additionally, Healthscope has no obligation or commitment to implement NSW Health initiatives – such as the Safe Staffing Levels initiative. 

The Northern Beaches Hospital has achieved accreditation to ensure it meets national quality standards for hospital care but some quality and safety concerns remain. 

Recommendations 

The report made three recommendations:  

  1. The NSW Government and NSW Health note the findings of the report and consider whether the Northern Beaches Hospital public-private partnership is the appropriate model to deliver the best quality integrated health care in the Northern Beaches region
     
  2. Healthscope should resolve:
    1. safety and quality issues
    2. system issues
    3. reporting issues
       
  3. NSW Health should consider issues raised for this public-private partnership for any future arrangement.

This chapter reports on the performance of the Northern Beaches Hospital. The first section reviews the performance of the Northern Beaches Hospital in terms of safety and quality. The second and third sections review the operational performance of the emergency department and elective surgery (including general surgery). One of the features of the Northern Beaches Hospital public-private partnership is the requirements of demand and volume management placed on Healthscope, the operator of the hospital. How that interacts with the performance of the emergency department and admitted patient areas is examined here. The fourth section reports on patient experience and complaints.

A key objective of the project deed is for the Northern Beaches Hospital to provide the best quality care for people in the Northern Beaches catchment and the people of NSW. The best quality care is operationalised in the project deed by requiring the Northern Beaches Hospital to perform in the top quartile of comparator hospitals for many measures. Only one of these measures relates to the scope of this audit – patients who left the emergency department after triage without being seen. Comparator hospitals are drawn from national hospitals for these measures.

When comparing results with NSW hospitals, the Northern Beaches Hospital is within the B1 hospital grouping, which includes Blacktown, Sutherland, Hornsby Ku-ring-gai and Campbelltown in metropolitan Sydney, and Orange, Tamworth, Wagga Wagga, Tweed Valley, Coffs Harbour, Port Macquarie and Lismore hospitals in regional NSW.

This chapter focuses on the role of the Northern Sydney Local Health District and Ministry of Health in managing the Northern Beaches Hospital public-private partnership for the State. The first section reviews identification and management of risks arising from this arrangement, including clinical risks and how NSW Health intervenes to address issues. (Chapter 3 also considered this question in relation to results for hospital-acquired complications and for sepsis and deteriorating patients). The second section looks at integration, which is one of the key objectives of the public-private partnership. Integration is the way the hospital fits into the surrounding NSW Health network. The third section then considers the efficiency of this arrangement for NSW Health.

Appendix 1 – Response from entities

Appendix 2 – Northern Beaches Hospital services and role delineation

Appendix 3 – Hospital-acquired complication data

Appendix 4 – 2023–24 abatable key performance indicators

Appendix 5 – About the audit

Appendix 6 – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #404 released 17 April 2025.

Published

Regulation of the land titles registry

Industry
Finance
Compliance
Cyber security
Information technology
Internal controls and governance
Management and administration
Regulation
Risk
Workforce and capability

About this report 

The land titles registry is a collection of registers established under the Real Property Act 1900 and related legislation. It is the source of truth for land and property ownership in NSW and underpins significant economic activity.

The registry is owned by the NSW Government. From 1 July 2017, a private operator has operated and maintained the registry under a 35-year concession granted by the NSW Government.

The Office of the Registrar General is the regulator of the private operator’s activity under the concession. It is a business unit in the Department of Customer Service.

This audit examined the effectiveness of the regulator in overseeing and monitoring the operation and maintenance of the registry to ensure its integrity and security.

Conclusion

The Office of the Registrar General has implemented an effective system and supporting processes to oversee and monitor the integrity and security of the land titles registry.

However, the audit found opportunities for the Office of the Registrar General to improve how it conducts its regulatory functions.

Recommendations

The audit recommended that the Office of the Registrar General should:

  1. develop and publish its approach to exercising its regulatory functions and powers
  2. publish a regulatory charter to ensure greater regulatory transparency
  3. review the skills and capabilities required to regulate the land titles registry
  4. ensure greater clarity on the rights to use data, and the application of privacy legislation
  5. ensure compliance with the NSW Cyber Security Policy, including the requirements relating to third parties
  6. perform an audit of the subscriber compliance process.

The land titles registry is a collection of registers that record property-related information

The registers collectively referred to in this report as the ‘land titles registry’ include the:

  • Torrens Title Register – the primary register for land held in NSW under the Real Property Act 1900
  • Register of Plans – comprises plans, that is a representation of a property’s boundary, submitted for registration by registered surveyors
  • General Register of Deeds – established under the Registration of Deeds Act 1825, this was the first land register in NSW recording deeds in the system used prior to the introduction of the Torrens Title System, and includes the register of Causes Writs and Orders, Bills of Sale, Register of Resumptions, Powers of Attorney and other miscellaneous deeds
  • Central Register of Restrictions – where participating organisations maintain up to date information about possible, or actual, interests they hold against NSW properties (for example for heritage or infrastructure reasons).

The 35-year concession for a private company to operate and maintain the land titles registry

In April 2017, the NSW Government granted a 35-year concession to a private operator to operate and maintain the titling and registry services business area of NSW Land and Property Information (LPI). The private operator paid the State $2.6 billion for the concession and committed to pay $8 million (indexed) annually in consideration for the Office of the Registrar General (ORG) performing the regulatory and enabling functions contemplated by the concession deed.

The private operator has the right to generate revenue by selling land information products and services, including through search and subscription fees, as well as by charging administrative fees, such as for registering land titles and other transactions. Each year, the operator facilitates over four million searches on titles and images, records 900,000 updates to land title records and creates 50,000 new titles.

NSW Treasury managed the bidding process for the concession and prepared the enabling legislation, the Land and Property Information NSW (Authorised Transaction) Act 2016. The concession deed was executed between the Minister for Finance, the Registrar General and the successful bidder.

The successful bidder was Australian Registry Investments (ARI), which in turn established NSW Land Registry Services (NSW LRS or ‘the private operator’) as a private, single purpose company to operate and maintain the land titles registry. ARI is a consortium of institutional investors and superannuation funds, which at the time of this audit included Aware Super, Macquarie Infrastructure Fund and UTA Registry Investments Trust.

The NSW Government retains ownership of the land titles registry, including the information it contains.

The land titles registry is a critical information asset for NSW as it is the basis of private ownership of property, which in turn supports property-related economic activity. In 2016, it was estimated that the land titles system underpinned over $130 billion of economic activity in NSW each year. As of 2023, the total value of land in NSW was approximately $2.8 trillion.

The land titles registry is a ‘crown jewel’ IT asset under the NSW Government Cyber Security Policy. The land and titling information maintained by the private operator is provided to other government departments and agencies, such as Revenue NSW, Spatial Services and the Valuer General.

A key assurance provided by the NSW Government when granting the concession was that the ORG would be responsible for the regulation of the performance of the private operator under the concession deed. The ORG is a business unit in the Fair Trading and Regulatory Services division of the Department of Customer Service (‘the department’). The Registrar General is a statutory position and has a range of responsibilities, including under the Real Property Act 1900. The establishment of an ‘office’ to support the Registrar General accompanied the granting of the concession in 2017.

The ORG is not a separate auditable entity under the Government Sector Audit Act 1983. As such, the auditee for this performance audit is formally the Department of Customer Service.

NSW Treasury is also an auditee as it managed the scoping study, bidding process, legislation development process and the development of the concession arrangements. NSW Treasury does not have an ongoing role in the routine oversight and monitoring of the land titles registry. The audit has made no recommendations for NSW Treasury and the agency has elected not to provide a formal response to the audit.

Objectives of the concession

The concession deed includes a statement of the Government’s objectives for the concession. These objectives include achieving the following:

a) maintaining the security, integrity, performance and availability of the registers, core assets and core services

b) ensuring the registers are accurate and up-to-date, including that they accurately reflect all registered documents, plans and other matters that are required to be recorded in them

c) maintaining the confidence of the affected parties and the NSW public in the registers and the core services

d) promoting improvements, innovation and increased efficiency, and utilising greater expertise and investment in technology, in the delivery of the core services

e) minimising Torrens Assurance Fund Payments and

f) protecting current competition and the opportunities for future competition in the supply of downstream services by ensuring fair, transparent, predictable and non-discriminatory dealing by the operator with customers and prospective customers.

The deed also includes the private operator’s acknowledgment and agreement that its achievement of these objectives is of critical importance to NSW.

Regulation of the land titles system, including under the concession deed

The ORG has described its role as ‘... a regulator, advisor and litigator, working to ensure the integrity of NSW’s land title system’. While the ORG directly regulates the private operator of the land titles registry under the concession deed (as well as in accordance with any applicable legislation and delegations made by the Registrar General), the system of land titles is a complex one, with many different participants. These participants include:

  • Electronic Lodgment Network Operators (ELNOs) – which provide the means for transacting parties to collaborate electronically on the preparation of registry instruments; there are currently two ELNOs operating in NSW, although PEXA is by far the dominant market participant compared to its competitor, Sympli
  • subscribers – a person or business authorised to complete electronic conveyancing transactions using an ELNO, such as financial institutions, solicitors and licensed conveyancers
  • government agencies – selected NSW government agencies and local governments are authorised to obtain information from the system, including Revenue NSW, Valuation NSW, the Surveyor General and local councils
  • registered surveyors – who are responsible for conducting survey plans of property boundaries and lodging those plans for registration with the private operator
  • information brokers – there are 12 wholesale information brokers with which the private operator has entered into agreements under the concession deed to provide access to NSW titling information held by the private operator
  • users of the Central Register of Restrictions – including selected NSW government agencies and non-government entities, such as utility companies providing electricity, water and gas and the Commonwealth Department of Defence.

The data flows within the system are complex and interdependent. Many of the participants are critical to maintaining the integrity and security of the land titles registry. Each class of participant has different governance arrangements and controls for their participation. As shown in Figure 1, the ORG regulates and oversees, to varying degrees, this system of multi-layered rules, relationships and arrangements, with the concession deed between the NSW Government and private operator being at the core of the system.

In granting the concession, the government committed to a ‘robust regulatory regime’ and a ‘tight regulatory framework’ overseen by a ‘strong regulator’

In granting the 35-year concession to the private operator, the NSW Government committed to ensuring that the monopoly functions of providing titling and registry services would be ‘appropriately regulated’.

In commencing the process of granting the concession, the NSW Government set out what it described as a ‘robust regulatory regime’ that would apply to the concession. Of particular relevance to this audit, the government also established that:

  • the Registrar General would monitor and enforce the operator’s compliance with regulatory requirements, including the terms of the concession deed
  • the Registrar General would have a general power to direct the private operator to perform tasks ‘… in the public interest’.

In the September 2016 second reading speech accompanying the passage of the enabling legislation for the concession through NSW Parliament, the then Treasurer further highlighted that:

  • the service standards defined in the concession would include ‘… a penalty regime should the private operator fail to comply’
  • the Registrar General would have regulatory oversight of ensuring that the private operator adopted ‘appropriate data security and fraud detection practices’.

The second reading speech also highlighted the role of the Registrar General in overseeing how other participants in the land titling and registry system should perform. This included approving the standard terms on which the concession holder is to deal with its wholesale customers and intermediaries (including ‘subscribers’ to the operator’s services, such as banks, conveyancers and solicitors).

In January 2017, the then Registrar General explained his view that the arrangements for the concession would ensure that the ORG would be able to provide an ‘… independent, credible, stable and well mandated regulatory framework [that] will give confidence to customers and the business itself’. He further explained that:

… an effective monopoly operator requires effective regulation … Customer interests are served by a strong regulator to ensure the monopoly operator is not letting down consumers. But equally, the private operator will benefit from stability and the knowledge that it can use its expertise to make decisions without unwarranted government intervention. 


On 6 April 2017, the then Registrar General further said that his office would follow a ‘modern regulatory approach’, which would include a ‘… focus on material things – where an operator’s actions are not in the spirit of the deed’s objectives’. The audit did not find evidence of how the ORG assesses deviation from the ‘spirit of the deed’s objectives’.

On 12 April 2017, the Premier and the Treasurer jointly announced the successful bidder for the concession. In doing so, their media release drew attention to the:

  • ‘tight regulatory framework’
  • ‘rigorous legislative and contractual safeguards around the concession to ensure the continued security of property rights and data’
  • establishment of a ‘… new external regulator – the Registrar General – to enforce [the operator’s] performance during the concession, with power to monitor and audit performance, and even resume control of the LPI business if required’.

The Registrar General was not a newly established statutory position, although the role was provided with new regulatory functions and powers under the concession deed.

The task of overseeing and monitoring a private company operating and maintaining a monopoly service that uses government-owned systems (and where title is government-guaranteed) poses new and complex challenges for a regulator like the ORG, which previously performed stable and mature administrative and regulatory functions.

The ORG has made only limited use of the compliance and enforcement tools available to it under the concession deed

Seven years into the concession, the ORG is still in the relatively formative stages of settling its approach to the use of its regulatory powers under the concession deed.

The ORG has an experienced and highly qualified workforce, with substantial capability in areas such as property law, as well as a directorate focused on cadastral integrity. It has substantial capacity to administer its longstanding and relatively wide-ranging pre-concession responsibilities. This includes actioning matters under the Torrens Assurance Fund, conducting compliance audits of property plans prepared by registered surveyors and providing advice to government on relevant policy and reform.

In comparison to these longstanding, well-organised and well-understood responsibilities outlined above, the ORG is still forming its approach to exercising the full spectrum of its compliance and enforcement powers under the regulator–operator model. In some instances, this has limited its effectiveness in resolving regulatory issues raised later in this report.

The ORG has eight regulatory compliance and enforcement options available to it under the concession deed and the enabling legislation. The options are listed below, ranked according to their seriousness and frequency, with step-in and termination powers being both the most serious and least likely option to be applied:

  • raise issues at governance forums
  • informal letters escalating to formal letters
  • approvals with conditions attached
  • audit and review powers
  • financial penalties for breach of service levels
  • reserve power directions
  • corrective action plans
  • step-in and termination powers.

These options can be specific to circumstances and not all are available for all matters. For example, the ORG does not have a broad-based power to issue financial penalties for performance gaps except where specified in the concession deed.

Since the commencement of the concession, most issues with the private operator’s performance have been addressed without escalation beyond the exchange of formal letters. However, this approach has not always led to adequate or timely resolution.

A number of longstanding issues have been raised by the ORG regarding plan examination and subscriber compliance audits, as set out in section 5 of this report. Despite their significant importance to the integrity of the land titles registry and the potential for errors with financial and personal impacts on customers, these matters have not generally been escalated beyond discussions or letters.

The ORG does not have a formalised approach to how it will routinely and effectively exercise its compliance and enforcement functions and powers

The audit assessed whether the ORG has a clear statement of its regulatory posture or its approach to regulation on which to base its regulatory decision making. In its ‘Regulation insights’ report (March 2024), the Audit Office of NSW highlighted that regulators need clear escalation thresholds and enforcement policies to promote credible and proportionate regulatory actions. The concession deed sets out that the materiality of service level breaches is determined based on the operator’s culpability, the impact on the customer and whether the breach has occurred previously.

The ORG lacks a clear approach to how it would effectively exercise the regulatory tools available to it under the concession, such as:

  • requiring ad hoc reports that are prepared in a timely manner and to an adequate standard
  • issuing penalties for non-compliance
  • conducting its own audits
  • conducting a major review of the concession (the prospect of which was raised by the ORG with the private operator in 2022 but has not proceeded).

This is despite assurances (as described earlier) from the NSW Government at the commencement of the concession that these tools would be available and used by the regulator.

In September 2023, the ORG developed an initial approach to the use of concession deed levers to provide a ‘practical and proportionate approach’ to exercising its monitoring and oversight functions for the concession. However, neither these principles, nor any alternative, have been drawn upon to inform a codified regulatory or enforcement policy. The ORG advised that it is developing an approach to escalating matters through the hierarchy of available regulatory and enforcement tools.

The ORG is spending less on its regulatory functions than the fee paid by the private operator to support those functions

Under the concession, the private operator provides an annual indexed fee to fund the services delivered by the regulator. The concession deed says that this fee is paid ‘… in consideration for the [Registrar General] performing the regulatory and enabling functions contemplated by this Deed’.

In 2017–18, $8 million was allocated in the NSW Budget ‘… to be spent on regulating the operator of the NSW land title and registry system, ensuring its security and stability while enhancing service levels’.

In 2023–24, the department requested from NSW Treasury a budget of $8.26 million for the ORG ($260,000 more than the 2017–18 allocation). This was also around 25% less than the mandatory fee paid by the private operator under the concession deed, which was $10.49 million. The balance of the fee paid by the private operator is retained by the NSW Government in the Consolidated Fund for general purposes.

The ORG undertakes a range of policy and reform projects that it tracks separately from its ‘business as usual’ activities. Not all these projects were envisaged when the concession was granted. For example, the interoperability project to support the introduction of national competition in the electronic lodgment network (ELN) is a substantial and complex national reform that has been led by the ORG on behalf of NSW.

NSW’s contribution to this project-based work is undertaken effectively within the same budget parameters and staffing as established when the concession was granted. At the time of the audit, the ORG’s project workplan included 32 distinct projects, with one additional recent project being reclassified as ‘business as usual’ and two previous projects put on hold. The project plan includes activities relating to significant government reforms such as interoperability and digital survey plans reform, as well as matters that are regulatory in nature or which support regulatory priorities.

The audit heard from some stakeholders that the ORG’s focus on project-based work, including government reform initiatives, risks reducing resources available for its functions to monitor and oversee participants in the land titles registry system to the degree anticipated by government when the concession was granted.

As discussed in sections 6 and 9 of this report, this audit found that the ORG has capability and capacity gaps in specialist skills, particularly in strategic IT and regulatory policy and implementation. It is beyond the scope of this audit to consider whether these gaps could be addressed within the existing funding or whether the ORG required a revised budget that more closely aligns with the fee paid by the private operator.

The complexity of the land titles system limits the extent to which the ORG can oversee potential integrity and security risks on a whole of system basis

The ORG has varying approaches, powers and functions to regulate different participants in the land titles system, the complexity of which is increased by various third-party users and reseller arrangements that apply to land titles data. As discussed later, this complexity limits the ORG’s direct monitoring and oversight of potential risks or non-performance by system participants other than the private operator.

Table 1 provides further information on the regulatory arrangements for stakeholders accessing and informing the land titles registry.

Table 1: Oversight and monitoring of system participants
Participant | Governance instruments | Role of the ORG
Subscribers such as solicitors, conveyancers and banks provide documents to ELNOs (as intermediaries) to lodge on registers.

The concession deed details the operator’s requirements to conduct subscriber audits and inform the Registrar General of their outcomes. The private operator is required to carry out audits of subscriber compliance with the NSW Participation Rules.

NSW Participation Rules are set by the Registrar General and detail the requirements for subscribers to be eligible for, and to use, the ELN. The Participation Rules require, among other things, subscribers to:

  • take reasonable steps to ensure that information is protected from unauthorised use, reproduction, or disclosure
  • comply with ELNO security policies
  • take responsibility for the compliance of their users with security policies, including revoking their access to the ELN.

The Electronic Conveyancing (Adoption of National Law) Act 2012 requires subscribers to comply with the Participation Rules set by the Registrar General and provides the Registrar General with the power to conduct investigations. The Registrar General sets the Participation Rules under s. 23 of the Electronic Conveyancing (Adoption of National Law) Act 2012.

The ORG oversees the private operator’s subscriber compliance program that is carried out according to the national subscriber compliance program agreed by Australian Registrars National Electronic Conveyancing Council (ARNECC).

The private operator may refer subscribers to the ORG where it identifies potential non-compliance; the ORG then directly investigates potential non-compliance with the NSW Participation Rules.

The Electronic Conveyancing (Adoption of National Law) Act 2012 states that the Registrar General may undertake an investigation on ‘receiving a request or complaint from any person or on the Registrar’s own initiative’ to ascertain compliance with the NSW Participation Rules or to investigate suspected or alleged misconduct in using an ELN.

The ORG has the power to suspend or cancel subscriber access.

Registered Surveyors lodge plans to the private operator for registration. The land titles registry is updated once the plans are registered. The lodged plans must comply with relevant legislation and standards to be registered.

Cadastral Integrity Unit Audit Survey Procedures sets out responsibilities and procedures for implementing the ORG's survey audit program, which includes examining plans to assess compliance with requirements and providing a process for referring cases of sustained non-compliance to the Board of Surveying and Spatial Information (BOSSI).

The Surveying and Spatial Information Regulation 2017 regulates the activity of surveyors, including the requirements for plans that are lodged with the private operator on behalf of the Registrar General.

Conducts its own active audit program of plans that have been registered by the private operator through desktop and field-based audits. The Cadastral Integrity Unit Audit Survey Procedures detail the risk-based selection approach used in identifying plans.

Matters of potential serious non-compliance can be referred to BOSSI, which is responsible for investigating complaints and undertaking disciplinary action against registered surveyors.

Electronic Lodgment Network Operators (ELNOs) are the intermediary between subscribers and the registries maintained and operated by the operator.

The Electronic Conveyancing (Adoption of National Law) Act 2012 adopts the Electronic Conveyancing National Law in NSW, which details compliance requirements for subscribers and ELNOs and the powers of the ORG in approving the operation of ELNOs.

The Act requires ELNOs to comply with operating requirements determined by the Registrar General.

The Electronic Conveyancing Enforcement Act 2022 provides the Registrar General with powers to penalise ELNOs, including through financial penalties that range from $250,000 to a maximum of $10,000,000.

General Conditions are standard operating conditions that apply to ELNOs that have been approved for operation in NSW. This includes requirements to report any problem or incident affecting the security, integrity or performance of the ELNO.

The ORG directly regulates ELNOs through conditions of participation in NSW. It has the power to undertake compliance examinations of ELNOs under the Electronic Conveyancing (Adoption of National Law) Act 2012 and can penalise ELNOs through the application of financial penalties under the Electronic Conveyancing Enforcement Act 2022.

The ORG participates in an annual review of ELNOs’ self-assessed compliance as part of the ARNECC.

Information brokers have read only access to the registry and provide fee paying customers with access to NSW land titling information.

The Services Broker Agreement, a part of the concession deed, details the operator’s powers, and requirements for information brokers. This includes:

  • using property information and providing them to customers as defined by the agreement
  • complying with any reasonable direction from the private operator to remain compliant with the agreement
  • securely retaining and protecting records of transactions
  • complying with privacy legislation and other privacy obligations, and not doing anything that would put the operator in breach of privacy legislation
  • maintaining appropriate digital safeguards.

The private operator is primarily responsible for managing information brokers and requires annual reports on them regarding compliance.

The private operator has the power to suspend access to information on the land titles registry to any information broker where it is of the opinion that breaches or failures in digital safeguarding have occurred.

As part of the concession deed, the ORG also reviews the criteria used by the operator to approve information brokers.

The ORG has the power to conduct an audit of an information broker’s use and delivery of property information for the purposes of ensuring compliance with the agreement.

Government and non-government organisations

A range of individual governance arrangements apply across individual government and non-government agencies, including memoranda of understanding and management deeds.

Where a NSW Government agency has rights to access land titles registry data under the concession deed it is not mandatory for it to enter into a memorandum of understanding, although it is considered good practice governance.

The ORG and operator directly negotiate and oversee these agreements, with varying levels of oversight depending on the individual arrangement.

Source: Audit Office analysis.

The ORG does not have a longer-term strategic plan for proactive compliance activities

Since December 2018, the ORG has issued the private operator an annual letter setting out ‘joint priorities’ for the forward year. While each letter is signed and issued by the Registrar General, the private operator has the opportunity to comment on proposed ‘joint’ priorities.

The annual priority letters are not issued under the terms of the concession deed and are statements of the regulator’s expectations, rather than binding obligations on the operator. The priorities are derived primarily from internal staff consultation, but also consider external stakeholders, existing or emerging reform topics, and progress achieved in meeting previous priorities. While the letters set out annual priorities, they are also intended to ‘… track progress on long-term objectives’.

These annual priority letters are effective in demonstrating a considered approach to articulating the regulator’s expectations of the private operator for that period. The ORG sets out specific ‘success measures’ (usually in the form of milestone progress or completion dates) for how priorities will be assessed.

The priorities set out in the annual letters are subsequently discussed and tracked at various governance meetings, as required under the concession deed. However, there have been few consequences if the private operator does not meet its priorities. Over the course of the concession, a number of reoccurring priorities point to intractable issues, about which the ORG has been dissatisfied. This has included matters that go directly to the integrity of the registers, such as the examination of submitted plans and subscriber compliance (particularly as assessed by the subscriber compliance examination process).

Until recently, the ORG did not include its own annual priorities in these letters. Rather, yearly priority letters to the private operator referenced government or joint priorities. In comparison, the most recent priority letter for 2025 provided a clearer articulation of the rationale linking the annual priorities to the intended outcomes of the concession deed. The audit did not source evidence that the ORG set longer-term or strategic priorities for how it will proactively exercise its regulatory functions, such as a forward program of compliance activity, ad hoc reviews or audits.

The ORG ensures that the private operator meets its obligations to provide service level performance reporting

The concession deed provides for extensive performance reporting by the private operator against defined service levels or KPIs. While government statements at the commencement of the concession suggested there were 55 KPIs, this is inaccurate as it includes numerous sub-measures. Currently, 14 service level KPIs are reported quarterly on the ORG’s website. The ORG has explained that publishing service level performance brings ‘… a new level of transparency to the NSW’s land titles registry’, helping to better hold the private operator to account, and is a feature of the new regulator–operator model.

The private operator exceeded all published service levels for each of 24 consecutive quarters from the start of the concession until January–March 2024. This may suggest that the existing published service levels are not sufficiently challenging to support continuous improvement in the future. In addition, as discussed below, not all service level KPIs are published.

The ORG has proposed a review of service levels to identify those no longer relevant. This considers the substantial reforms to the land titles registry system that have occurred since the concession commenced, including the move to 100% electronic conveyancing. Stakeholders also expressed a view to the audit that the existing published service levels are too focused on time measures, and do not sufficiently address quality and client satisfaction. It was also understood between the regulator and private operator early in the concession that ‘… as we move forward, customer behaviour will change, along with what is important to customers’.

The ORG has granted penalty relief for service level breaches, although there has been no public transparency about these decisions

There have been instances where the ORG has elected not to issue financial penalties where the private operator breached required service levels. While this discretion is a matter for the regulator to exercise, public transparency is lacking as to the underlying breach or the penalty decision. Service levels not achieved are not included among those published on the ORG’s website.

For example, from October 2020 to September 2023, the ORG granted penalty relief for 33 breaches of the private operator’s obligation to ensure specific data feeds to NSW Government agencies and local councils occurred within specified timeframes.[3] A series of data feed failures in a legacy IT system was the catalyst for the private operator’s failure to meet the service level. The audit notes that the private operator’s interpretation of the relevant service level varied from the ORG’s interpretation, and suggested a smaller number of breaches than the 33 assessed by the regulator.

This penalty relief was initially granted in October 2020, then extended in May 2022 until September 2023. The ORG granted the penalty relief:

  • in recognition of the private operator’s commitment to upgrade the legacy IT system causing the data feed failures
  • because the ORG considered the impact on affected customers to be negligible.

As early as December 2019, the ORG had identified to the private operator that upgrading the legacy IT system was a priority. In August 2020, the ORG described the upgrade as ‘… critical to ensure accurate and complete data is provided to customers’ and asked the private operator to ensure that it is completed ‘… without further delay’.

The ORG did not extend its penalty relief beyond 30 September 2023. No breaches were reported to have occurred after this time. The upgrade to the legacy IT system is expected to be completed no earlier than January 2025.

The service level that was not met on up to 33 occasions is not included among the 14 service levels reported publicly on the ORG’s website. There was no public transparency about the operator’s non-compliance, or the ORG’s decision to provide penalty relief to the operator. The ORG did not publish a notice that it had afforded penalty relief to the operator, nor was this mentioned in the department’s annual report. The ORG’s view is that publication of these service level breaches was not required as they only affected government agencies.

This audit has not assessed the merits of the ORG’s evaluation of the service level breaches or its decision to extend penalty relief for non-compliance. The concession deed allows the ORG to make these types of decisions. However, when the concession commenced, the NSW Government stated that a consumer benefit of the concession would be ‘increased transparency’ due to the regulator being able to:

… publicly report on the operator’s performance including service levels, breaches of the concession terms and statistics in relation to TAF [Torrens Assurance Fund] claims. 

Prior to the concession, it was already the Registrar General’s practice to publish statistics about claims and payments under the Torrens Assurance Fund in the department’s annual reports. Since the concession, the only opportunity for increased transparency is through reporting on service levels and breaches, including about how the ORG responds to breaches, such as by extending penalty relief over extended periods of time.

When the concession commenced, the NSW Government also highlighted that, as the regulator, the ORG would have a range of regulatory options including ‘… a penalty regime should the private operator fail to comply’. The community and stakeholders were not told that the ORG could choose to waive penalties in response to breaches. Nor were the community and stakeholders told the circumstances in which such relief might be extended. This underscores the importance of the ORG being publicly transparent when it makes these decisions, including to explain their justification, so as to ensure that community trust and confidence in the regulator is maintained.

The ORG’s monitoring and oversight of how the private operator manages legacy IT systems is discussed further in section 6.

The detailed terms of the concession are not publicly available and there is a statutory presumption against their disclosure under the Government Information (Public Access) Act 2009

Much of the substantive detail about the regulatory requirements for granting the concession is contained in the concession deed document that was executed between the NSW Government and the private operator. This document is not public. Moreover, the enabling legislation for the concession included an amendment to the Government Information (Public Access) Act 2009. This amendment established that it is to be conclusively presumed that there is an overriding public interest against disclosure of information contained in any document ‒ including the concession deed ‒ prepared for the purposes of, or in connection with, the authorised transaction unless approved by the NSW Treasurer. NSW Treasury was not able to provide an explicit reason why this provision was included in the enabling legislation, other than to note that a similar provision was included in the 2015 electricity network transaction enabling legislation.

Key elements of the concession deed were modelled on the arrangements for the franchising of the Sydney ferries service, including:

  • the model for service levels and penalties
  • the transfer of administrative powers and functions to the operator
  • the approach of adopting minimalist legislation supported by a detailed contract.

This framework is also similar to that adopted for the Greater Sydney Bus Contract. Both contracts (ferries and buses) are publicly available on Transport for NSW’s website (with redactions where necessary to maintain commercial confidentiality).

During consultation on the enabling legislation for the concession, external stakeholders noted that the delegation of key provisions to a confidential document detracts from promoting transparency and community confidence in the regulatory arrangements for the concession.

The ORG has not published a ‘regulatory charter’ as provided for under the concession deed

Clause 29.1(b) of the concession deed provides that the ORG may publish a ‘regulatory charter’ that contains:

  • the division of responsibilities between the ORG and the private operator
  • ring fencing and non-discrimination requirements
  • dispute resolution processes
  • the ORG’s rights in relation to reserve power directions
  • the ‘customer terms’
  • obligations in respect of ELNOs
  • complaint handling arrangements.

The ORG has not published a regulatory charter, although some of the content envisaged by clause 29.1(b) is available across the ORG’s website. For example, the ORG’s website provides information about how individuals may apply to have a decision of the private operator reviewed by the ORG.

The ORG reviews an annual customer satisfaction survey conducted by the private operator, which has reported increased rates of satisfaction over the term of the concession

Regarding other measures of performance, the concession deed requires the private operator to conduct an annual customer satisfaction survey. The private operator has reported to the ORG improved levels of customer satisfaction with its services. While the audit has not assessed the survey data, the private operator has reported in its most recent survey that 71% of respondents were satisfied, up from around 50% at the start of the concession. Over the duration of the concession to date, these surveys have been run both internally by the private operator, and more recently by an external survey provider commissioned by the operator.

The private operator is also required to submit at regular intervals (annually or up to 18 months) updates to its technology roadmap and business plan. These documents are assessed by relevant subject matter experts within the ORG or the wider department and feedback is provided to the private operator on their adequacy. For example, a range of annual reporting requirements for FY23 relating to fraud and crime prevention, error reports, business continuity and incident management, and the technology roadmap were provided to Department of Customer Service IT for review.

The ORG has implemented an effective governance structure to support its regulation of the land titles registry system

The ORG has implemented a series of forums with the private operator to discuss strategic and operational matters. As required by the concession deed, these are:

  • a Joint Consultation Committee (JCC)
  • an Operations and Performance Committee (OPC)
  • an Information Technology sub-committee (ITC).

The concession deed specifies that this governance framework is intended to:

  • guide and monitor the performance of the concession
  • oversee compliance with specified service levels
  • resolve issues as required
  • establish a framework to maintain an effective relationship between key personnel of the ORG and the operator.

These committees have clear terms of reference, which have been subject to review. The ORG has demonstrated, through meeting papers and minutes, that these committees meet regularly, consider substantive matters as envisaged by the concession deed, and are effectively administered and recorded.

The ORG has also established a stakeholder forum that includes senior representatives of key stakeholder groups. This forum is intended to foster multilateral communication between the regulator, operator and stakeholders. Some stakeholders expressed the view to the audit that the focus of this forum has evolved to facilitate feedback and updates from the regulator and operator, rather than provide opportunities for industry stakeholders to ask questions or raise issues. Notwithstanding, the ORG did provide evidence that issues raised by stakeholders at this forum were subsequently escalated to JCC or OPC meetings.

The ORG also has a series of bilateral regular engagements with key stakeholders, as well as specialist or project based working groups with the private operator and other system participants.

The ORG appropriately manages potential conflicts of interest

The ORG has recognised that the separation of the former Land and Property Information unit of the Department of Customer Service into separate regulator and operator entities meant that staff working in each entity may have close pre-existing professional and personal relationships. This heightens the need to identify and manage potential conflicts of interest to ensure credible and transparent regulation.

The ORG manages conflicts of interest by following applicable department policies. The audit reviewed conflict of interest declarations made by all ORG managers at NSW public service clerk levels 11/12 and above for the past three years. The audit found that declarations had been submitted and any conflicts addressed.
 


[3] The breaches were of the ‘Core Data for Government Agencies Service Level’, which measures the number and availability of Core Data supplied to certain Government agencies that the operator successfully provides within required timeframes and hours of availability.

The land titles registry system is multi-party, with different powers and tools available to the ORG for each party. In summary, the ORG can address non-performance to varying degrees over:

  • the private operator, through the multi-tiered framework described under section one of this report
  • the ELNOs, which may be subject to suspension or termination (neither of which is a practical option if the system is to function), as well as compliance examinations, remedial directions and application to the NSW Supreme Court for financial penalties
  • authorised subscribers, who may have their access to the ELN suspended or cancelled (this regime is currently under review to broaden the Registrar General’s enforcement options)
  • registered surveyors, who may be referred to the Board of Surveying and Spatial Information (BOSSI) for professional disciplinary action.

The number of claims and the total annual payments under the Torrens Assurance Fund have declined since 2014–15

The Torrens Assurance Fund (TAF) is a statutory compensation scheme designed to compensate people who, through no fault of their own, suffer loss or damage as a result of the operation of the Real Property Act 1900. This loss or damage can be a result of an error, misdescription or omission in the register. When granting the concession to the private operator, the government gave the assurance that the TAF would continue to operate and be administered by the ORG. The ORG has a longstanding function to receive and determine claims made under the TAF.

Relative to the number and value of matters addressed by the land titles system, the number of claims and the total payments made under the TAF are small. As shown in Figure 2, between 2014–15 and 2022–23, the number of claims varied between seven and 40, while the payments made under the TAF varied between $93,032.21 and $3,168,143.

This audit has focused on two primary processes when considering how the ORG obtains reasonable assurance about the quality of information held on the registers maintained by the private operator. These are:

  • the examination and registration of plans by the private operator
  • the registration of dealings by the private operator.

The concession deed requires that the private operator, in undertaking these functions, must, among other things, act in good faith, as well as act reasonably and on reasonable grounds. In each case, plans and documents must be entered promptly and accurately onto the relevant register.

These two processes and their role in supporting the integrity of the land titles registry are discussed in turn below.

The land titles registry is one of the department’s IT ‘crown jewels’

As the principal department for the ORG, the Department of Customer Service has identified the IT system supporting the land titles registry as a ‘crown jewel’ under the NSW Government Cyber Security Policy. Classification as a crown jewel provides the land titles registry with priority within the department when investment, fixes, patching and resource allocation are considered.

The ORG receives dedicated cyber security support from the department’s Office of the Chief Information Security Officer in the form of an identified business support officer. During the audit there did not appear to be a similar dedicated resource from the department’s general ICT division. The ORG has stated that the lack of dedicated support in this area risks that ‘institutional technology expertise is not built up or retained within Government to effectively monitor the [operator’s] management of this asset’.

However, from October 2024, DCS ICT has provided the ORG with a dedicated business partner who attends monthly meetings to discuss ICT matters and attends ICT Committee meetings on an as-needed basis.

While the IT system supporting the land titles registry is a critical IT asset, it is unclear how roles and responsibilities are assigned for ensuring compliance with the NSW Government Cyber Security Policy

The NSW Cyber Security Policy provides guidance and mandatory requirements for agencies relating to cyber security. The ORG could not clarify whether it, or the department more widely, is responsible for ensuring compliance with the NSW Cyber Security Policy, or what role is expected of the private operator. This creates a potential risk that protections contained in the policy will not be extended to the land titles registry and that there may be gaps in accountability.

The 2023–24 version of the policy contains three requirements relating specifically to crown jewels:

  • agencies to identify and document external upstream and downstream dependencies of enterprise ICT (including cloud), operational technology and Internet of Things assets (specific requirement 1.6.4)
  • agencies must assess and identify crown jewels and classify systems (mandatory requirement 1.7)
  • agencies must conduct periodic reconciliation of data assets against data retention requirements (specific requirement 1.8.2).

The department appears to have complied with mandatory requirement 1.7, in that it has identified the land titles registry as a crown jewel. However, it explained that it did not have visibility or control over the upstream and downstream systems used by the private operator. Accordingly, to the extent that it may be responsible, the department acknowledged that it does not comply with specific requirement 1.6.4. While it was not specifically examined, the audit did not receive any evidence that the department complied with specific requirement 1.8.2.

While the department is not fully compliant with the requirements of the NSW Cyber Security Policy, its view is that:

  • the concession deed requires the private operator to maintain technical and organisational measures that are no less rigorous than those that applied prior to the concession
  • the cyber security measures taken surpass those that would apply under Department of Customer Service policies
  • the regulator retains oversight of the private operator’s compliance with its requirements under the concession.

Notwithstanding these assurances, neither the department nor the ORG itself provided any evidence demonstrating that the protections provided by the private operator have been reconciled against all the requirements of the NSW Cyber Security Policy, including the specific clauses that apply to crown jewels. As discussed below, neither the department nor the ORG has considered the implications of the private operator being deemed a ‘third-party service provider’ under the NSW Cyber Security Policy.

The NSW Cyber Security Policy allows that not all its requirements must be uniformly implemented across the agency. However, where an agency seeks an exception to the policy, it should ensure that the exception is ‘… documented and approved by an appropriate authority through a formal process’. The ORG did not provide evidence that any exception to the requirements of the Cyber Security Policy (such as non-compliance with specific requirement 1.6.4) had been documented and approved.

The ORG has determined that the private operator is a third-party service provider under the NSW Cyber Security Policy, although the implications of this have not been fully examined by the ORG or the department

During this audit, in November 2024, the ORG obtained advice from Cyber Security NSW that the private operator is a ‘third-party service provider’ under the NSW Cyber Security Policy. The policy has a number of specific requirements relating to third parties.

Mandatory requirement 1.10 of the NSW Cyber Security Policy requires agencies to ‘identify and manage third-party service provider risks, including shared ICT services supplied by other NSW Government agencies’.

Section 6.12 of the Cyber Security Policy provides agencies with guidance on their responsibilities for managing the cyber security requirements and risks posed by third-party providers, to assist agencies to implement mandatory requirement 1.10. This section includes responsibilities such as:

  • ensuring third-party risks are considered in enterprise risk management processes
  • conducting regular management of third-party risks through ongoing risk-based reviews to verify compliance with contractual agreements and security measures.

The designation of the operator as a third-party service provider to the ORG is a recent classification and the implications of this have not been fully considered by the ORG or the department.

The ORG has ensured that cyber security obligations are included in the private operator’s arrangements with its own contractors

The audit also considered what assurance the department or the ORG has obtained regarding the adequacy of cyber security provided by contractors to the private operator. Clause 39 of the concession deed establishes that:

  • the private operator must ensure that its third-party service providers and subcontractors comply with all terms of the deed relevant to the operator’s obligations, including to maintain adequate cyber security
  • the private operator is liable for all acts and omissions of its subcontractors.

The ORG and the private operator have agreed to a process whereby the latter notifies the regulator when new subcontractors are engaged and provides assurance that subcontractors comply with the requirements of clause 39.

The ORG has also approved a table of clauses that must be included in any subcontracting agreements that the private operator makes with its own third parties. These clauses include obligations for adequate cyber security.

The ORG has ensured security testing is conducted on the core systems and services of the land titles registry

The concession deed imposes requirements on the private operator relating to the security of the land titles registry, including that the private operator must:

  • ‘… establish, maintain, enforce and continuously improve reasonable technical and organisational measures’ across a range of specific areas aimed at protecting data and preventing unauthorised access and use
  • maintain technical and organisational measures that are no less rigorous than those the land registry was subject to prior to the concession
  • engage in third-party audits in relation to its compliance with the applicable information security standard (ISO 27001), and provide these reports to the ORG.

The ORG has relied on subject matter expert advice from within the wider department to determine that the private operator is satisfying these requirements, including by providing third-party certification of its compliance with ISO 27001. The ORG provided evidence of this certification.

Clause 25.1 of the concession deed requires that the private operator must, to the extent reasonably requested by the ORG, test and evaluate the performance of core systems and services, which may include security testing such as ‘… vulnerability testing, penetration testing, manual configuration tests and reviews, self-assurance testing and other vulnerability and threat assessment testing’. This testing and evaluation has included assessment of the operator’s controls relevant to the System and Organisation Control 2 (SOC 2) Security and Availability Trust Services Criteria.

The ORG has ensured that the private operator has completed ISO 27001 certification and has conducted SOC 2 assessments. Relevant materials are reviewed by subject matter experts from both the ORG and broader department and discussed at ITC meetings. This audit reviewed a sample of SOC 2 documents and found no significant weaknesses.

Consistent with clause 25.1 of the concession deed, the ORG has also required the private operator to conduct a program of penetration tests on its systems. Penetration testing is a useful mechanism for assessing the potential vulnerabilities of an IT system. However, penetration testing does not offer assurance of the security of a system. Reasonable assurance can only be derived from the effectiveness of security controls, including those implemented to address any vulnerabilities identified by penetration testing.

The ORG assesses and monitors how the private operator responds to vulnerabilities identified by its penetration testing program. The ORG reviewed test reports and discussed these with the private operator during ITC meetings. However, the effectiveness of this monitoring has been hampered by the ORG’s lack of a central registry of issues or vulnerabilities. This limits the ability of the regulator to easily monitor trends and risks or review historic issues.

The concession deed does not specify minimum acceptable standards for the conduct of penetration testing or other forms of system testing. Moreover, it is the private operator that is responsible for conducting the testing. When the ORG reviews the results of the operator’s security testing, it also has the opportunity to assess the adequacy of the design and conduct of the tests (including to ensure that the scope and timing of each test provides adequate assurance that vulnerabilities have been identified).

However, as security testing is a requirement of the concession deed, the ORG – as the regulator and consistent with regulatory good practice – should be clear about its expectations for what constitutes appropriately rigorous test methods. These expectations should be effectively and proactively communicated to the private operator, and not left to be raised in retrospective review comments.

The ORG has become increasingly focused on potential risks posed by aging legacy IT systems and how any risks should be mitigated

When granting the concession, the NSW Government’s stated expectation was that the private sector would ‘… have strong incentives to invest in new technology, resulting in significant improvements to the system, and benefits for consumers’. There was an expectation at the outset of the transaction that the successful bidder would, at some time, ‘refresh’ the existing legacy IT systems on which the land titles system operates. While unspecific at the time, a system refresh could include either upgrade or replacement.

However, it was not clear in the bidding documents exactly when and how a successful bidder would be required to address the risks from legacy IT systems. The Information Memorandum provided by NSW Treasury to potential bidders noted that the expected response of the successful bidder:

… could range from a limited refresh of technology components (e.g. graphical user interface front end, etc.) or extend to a complete re-platforming and redevelopment of ITS [Integrated Titling System] as reported by other jurisdictions. 

Commitments to replace legacy systems were included in the private operator’s business plan and technology roadmap submitted as part of its bid, with the business plan committing to the ‘decommissioning of legacy systems by the end of 2019’.

The private operator has ‘de-risked’ some parts of the legacy environment, including the Historical Land Records Viewer and its website, and is currently working (albeit to a delayed schedule) to upgrade a key system, the Integrated Property Warehouse (IPW). However, the replacement of legacy systems ITS (Integrated Titling System) and DIIMS (Document and Integrated Imaging Management System) was removed from the operator’s 2023–24 technology roadmap. An external strategic technology review commissioned by the ORG in 2023 recommended to the regulator that the operator should be asked to re-include this work in future roadmaps. This was so that a ‘complete risk assessment and project complexity, cost and delivery schedule’ could be understood.

While the matter had been raised previously, it appears that since 2023, the ORG has become increasingly concerned about the private operator’s management of legacy IT systems. The ORG has noted that the private operator has not conducted discovery work or risk assessments on these systems. In 2023, the ORG assessed the removal of ITS discovery work from the 2023–24 technology roadmap as ‘highly concerning’ and noted that it would, in response, ‘… consider the full range of levers under the Concession Deed’.

In July 2024, after considering an ‘escalated regulatory response’ to the operator’s perceived reluctance to conduct its own risk assessment, the ORG determined to initiate its own risk-based review of the longevity of the legacy core systems in conjunction with Department of Customer Service ICT personnel.

This performance audit has not assessed the risks posed by legacy IT systems and notes that such questions can raise complex technical issues. It is not necessarily the case that a legacy system is inherently insecure and there is evidence that the private operator has conducted work to insulate the core legacy systems from potential risks. Accordingly, the audit has made no finding about any level of risk posed by the legacy systems underpinning the land titles registry.

The approach taken by the ORG from July 2024 seems consistent with guidance published by the Australian Signals Directorate and the Australian Cyber Security Centre. This guidance highlights the need for agencies to implement a sound strategy to manage legacy IT, starting with developing an understanding of the business and security risks posed by such systems.

The ORG has recognised the importance of privacy to retaining confidence in the land titles system and actively addresses privacy issues with the private operator

The registers operated and maintained under the concession deed are public registers. That is, they can be accessed by anyone (in some circumstances, after the payment of a fee). While there are public interest reasons for this information to be publicly available, public registers can create a tension with individual privacy, where the information held in a register is personally identifiable information about an individual.

This tension can be exacerbated when it is compulsory to record information in a public register, thereby reducing the individual’s choice and control over their personal information. In some circumstances, it has been found that community concerns are exacerbated where public registers are operated and maintained by the private sector, for example, when the UK Government considered privatising its land titles registry.

In its privacy policy, the private operator of the NSW land titles system explains that the personal information that it may collect can include:

  • name, address, age or date of birth, contact details
  • information collected in connection with maintaining the various registers, including information about an individual’s property dealings, such as transfer and leasehold documents
  • information related to the operator’s products or services, such as credit card or bank account details
  • verification of identity information, such as passport information, rates notices, Medicare card details and drivers licence details.

In recognition of the privacy risks inherent to public registers, and the potential volume of personal information collected, privacy issues are recognised and discussed between the ORG and the private operator, including at JCC meetings between the Registrar General and the chief executive officer of the private operator.

For example, the ORG recognised a potential privacy risk in how the private operator was collecting information for its subscriber compliance audit process. This resulted in the ORG requiring the private operator to put in place a more secure method for collecting this information. Similarly, the private operator itself identified a potential privacy issue regarding the length of time it retained personal information for the same process.

As discussed below, privacy is also considered by the ORG in regard to new non-core service proposals from the private operator.

New services proposed by the private operator are subject to approval by the Registrar General and have been subject to privacy impact assessments

Privacy risks inherent to public registers can become greater where there are pressures to use that information for purposes unrelated to the original purpose of the public register (‘function creep’).

It was explicit in the NSW Government’s announcement regarding the granting of the concession that it was expected, not just permitted, that the private operator would identify, develop and deliver additional services using information collected for the purposes of the registry, while ensuring appropriate recognition of potential privacy concerns.

The concession deed has a mechanism requiring ORG approval of proposed new ‘non-core services’ by the operator. Since the concession was made, there have been four additional non-core services approved. These have each been accompanied by a privacy impact assessment prepared by the private operator and at the instigation of the operator. The ORG does not have standards for an acceptable privacy impact assessment other than the assessment should be prepared by a ‘reputable organisation’. Guidance published by the NSW Privacy Commissioner is that, where possible, privacy impact assessments should be published, which has not been the case for those assessed by the ORG (although commercial and competition issues around potential new information products could offer a justification for not publishing).

The audit assessed a sample of privacy impact assessments submitted to the ORG by the private operator. Consistent with the NSW Privacy Commissioner’s guidance, the assessments were found to be fit for purpose, in that their size and scope appeared consistent with the inherent assessed risk. The same guidance highlights that privacy impact assessments should be more than just compliance checks. This good practice advice is similar to that published by the Australian Office of the Information Commissioner.

The ORG has developed a template for assessing new non-core services. The template requires ORG staff to consider a range of issues, including privacy, when new non-core services are proposed by the private operator.

The ORG has limited visibility of how effectively other system participants ensure privacy of personal information

The ORG maintains a regulatory role over the operator. However, there are numerous other system participants who could adversely impact the integrity and security of the registry, including by impacting the privacy of personal information (whether deliberately or incidentally). The extent of the ORG’s regulatory oversight and powers varies according to the type of system participant.

For example, the ORG has powers under the concession deed to regulate the private operator directly, although it relies on the private operator to conduct compliance activities for subscribers. Its range of regulatory enforcement options also varies between system participants. Similarly, the concession deed provides for the ORG to issue penalties against the private operator, although not against subscribers or surveyors for non-compliance with their respective obligations.

In December 2018, the then Registrar General nominated a ‘joint comprehensive review of all potential privacy risks to LRS’ as a priority for the coming year to be completed by December 2019. By July 2019, minutes of the JCC record this priority as ‘deferred’. Subsequently, a comprehensive review of privacy risks has not been conducted. Such a review may assist in better understanding any potential system-wide privacy risks to the land titles system.

The ORG and NSW Treasury offered strong public assurance at the start of the concession that statutory privacy protections would apply to the land titles registry

The handling of personal information by NSW Government agencies is regulated by the Privacy and Personal Information Protection Act 1988 (PPIP Act). As well as setting out privacy principles with which NSW government agencies are required to comply, the PPIP Act also provides a statutory right for individuals to take complaints about the handling of their personal information to the NSW Privacy Commissioner, who may make binding decisions on agencies. The PPIP Act does not generally extend to private sector companies.

While NSW government agencies are covered by the PPIP Act, most private sector companies in Australia (as well as most Commonwealth government agencies) are covered by the Commonwealth Privacy Act 1988 (Privacy Act). The Privacy Act contains similar protections to the PPIP Act, although the regulator and dispute handler is the Australian Privacy Commissioner. Unlike the NSW Privacy Commissioner, the Australian Privacy Commissioner may make an enforceable determination requiring that a complainant be paid compensation for financial or non-financial loss. Section 39 of the enabling legislation for the transaction that underpinned the concession established that:

The authorised operator is deemed to be a [NSW government] public sector agency for the purposes of the Privacy and Personal Information Protection Act 1998 in relation to the exercise of titling and registry functions. 

This was made clear in the second reading speech to the bill for the enabling legislation, which stated that the PPIP Act ‘… applies to the private operator as if it were a public sector agency in the same way that it currently applies to LPI titling and registry Services’.

In April 2017, NSW Treasury published a fact sheet offering ‘consumer assurance’ that:

Like all companies that collect personal information, the private operator must keep personal data private in accordance with NSW and Australian law. 

Similarly, in March and April 2017, the then Registrar General made public presentations highlighting that the private operator was subject to statutory privacy obligations:

… the operator will only be able to use data to perform its obligations and must comply with obligations contained in Commonwealth and NSW privacy legislation

Stakeholders have suggested a private operator will be less respectful of privacy and that individual data might be mis-used. I note that the private operator must comply with obligations contained in Commonwealth and NSW privacy legislation, just as it has to now. And the private operator will only be able to use data to perform its obligations to deliver core services.

Accordingly, there appears to have been clear intention to offer assurance to the community that statutory privacy protections would apply to the land titles registry once the concession was made.

The ORG has not obtained assurance whether the private operator is covered by the Commonwealth Privacy Act

Despite the strong public assurances outlined above, there was uncertainty when the concession was granted about whether and how the Commonwealth Privacy Act applied to the operator.

As outlined above, the Commonwealth Privacy Act does not cover NSW government agencies. While it does generally cover private sector businesses (such as the private operator), there is an exemption for private sector contract service providers to NSW Government agencies for the purpose of providing services under their contract. Specifically, s. 7B(5) provides that the ‘acts or practices’ of a private sector organisation are exempt where:

  • the organisation is a contracted service provider for a state contract
  • the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.

This was recognised in an information memorandum provided to bidders during the bid process for the concession. The information memorandum explained that the successful bidder may be subject to the Commonwealth Privacy Act, including to the exemption available ‘… as a provider of services to State Government’. The information memorandum concluded that ‘Compliance with the Commonwealth Privacy Act will be a matter for the private operator to assess’.

Accordingly, notwithstanding the confidence inherent in government public statements around the time that the concession was made, it appears unclear whether (and to what extent) Commonwealth privacy legislation applies to the land titles registry operator.

The ORG has not clarified whether an individual would complain about a privacy breach to the NSW or Australian Privacy Commissioner

Part 6 of the PPIP Act provides specific provisions for ‘public registers’ operated and maintained by NSW government agencies (noting that the private operator is deemed to be a NSW government agency by s. 39 of the enabling legislation for the transaction).

Part 6 of the PPIP Act sets out two specific protections for public registers held by NSW government agencies, these being:

  • an agency keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept
  • an individual may request that their personal information be suppressed from a public register if they can establish that its open inclusion would affect their safety or well-being.

However, clause 7 of the Privacy and Personal Information Protection Regulation 2019 exempts public sector agencies responsible for keeping certain prescribed public registers from the requirements set out in Part 6 of the PPIP Act. The registers operated and maintained under the land titles registry are included in the list of the public registers that are exempt from Part 6.

Accordingly, the two statutory protections specifically focused on public registers in the PPIP Act do not apply to the land titles registry.

While there are equivalent contractual restrictions in the concession deed, these measures are not accompanied by a statutory right for individuals to complain to the NSW Privacy Commissioner if their personal information is handled in a manner that would otherwise breach Part 6. In these same circumstances, for the reasons discussed above, it is also unclear whether an individual could complain to the Australian Privacy Commissioner if the potential breach relates to the private operator performing functions as a contract service provider to the NSW Government.

This jurisdictional complexity is further complicated by the private operator collecting different types of personal information, namely:

  • personal information that must be collected onto registers to meet titling and registry legal requirements, such as the name of the title owner or mortgage information
  • personal information that is collected by the private operator to support the operation and maintenance of the register and other products offered by the operator, such as payment and identity verification information.

The private operator publishes a detailed privacy policy on its website. This policy states that the private operator is required to comply with both the PPIP Act and Privacy Act, and to the extent of any inconsistency, it would comply with the latter. While this demonstrates a clear intention to ensure compliance with legislative privacy obligations, further clarity is required as to how this intention can be reconciled with the issues outlined above.

As the lead agency in managing the transaction and overseeing the preparation of its enabling legislation and concession arrangements, NSW Treasury could not provide evidence that the NSW Privacy Commissioner had been consulted during the drafting of either the enabling legislation for the concession transaction or the concession deed document.

The ORG has detailed policy and procedures for ordering the suppression of personal information on the land titles registry, although third-party information reseller arrangements mean that the ORG cannot ensure that personal information will be fully suppressed

The ORG may direct the private operator, as well as other parties, such as specific government agencies that use land registry information, to suppress personal information held on the land titles registry. Information about this option is provided on the ORG website. A suppression may be ordered in response to a request from a member of the public advising that their well-being or safety is at risk because the register may disclose their whereabouts.

In the 12 months to July 2024:

  • 107 applications to suppress personal information were assessed
  • 60 were accepted
  • 47 were declined.

Due to the critical nature of name suppressions and the potential danger to the individual, it is a requirement that a suppression application be actioned on the day it is received by the private operator (when received during business hours).

The ORG has detailed policy and process documents for the suppression of personal information. These documents detail the information that is required to be provided by an applicant, as well as describing the decision-making process and how an accepted application will be actioned. The Suppression Policy requires the private operator and a specific government agency that uses and distributes land registry information to complete the suppression request within one business day.

Analysis performed by the ORG in September and October 2019 found that action in response to at least six suppression applications had been delayed by periods between three and six days. The ORG’s policy on the suppression of personal information now specifies that its privacy contact officer will actively monitor the action time of a suppression direction to ensure that the private operator actions any suppression order within one working day. For a sample period of January to June (inclusive) 2024, the ORG reported that the performance measure was met for each month. However, the complex flows of land titles information, and the multiple parties who may handle it, mean that it could reasonably be expected to take up to two weeks for suppression orders to be given full effect.

The audit reviewed a small sample of successful and unsuccessful suppression applications that had been received and determined during 2023–24. These are discussed below.

A sample of five successful applications highlighted the difficulties that the complexity of the land titles system poses in managing data. From the sample, it was found that the private operator actioned suppression orders in a timely manner. However, the time taken to action suppression orders was longer in the case of the government user.

When the government user receives a suppression notice from the ORG, it informs its seven data customers that they (and in turn their own unknown number of customers or resellers) have seven days to ‘remove all elements of personal information including the property sales information from any record held’. As the ORG is not a party to this data sharing arrangement and has no visibility of the agreements between the various parties, it has no mechanism to offer assurance about the effectiveness of the suppression process.

The ORG was able to demonstrate that the sample of unsuccessful suppression applications had been handled in accordance with its policy, including by explaining the process to the unsuccessful applicant and affording them the opportunity to provide further information.

The ORG is preparing a policy to explain the rights of the private operator, government agencies and other third parties to use land titles registry data for new services and products

The concession deed sets out a number of clearly defined ‘core services’ that the private operator is required to provide. In addition, the private operator may apply to the ORG for permission to use land titles registry data for other ‘non-core’ services. These non-core services can generate revenue for the private operator.

The NSW Government made clear when granting the concession that a policy objective was to promote innovation and improved customer service, including by permitting the private operator to develop new services, while also ensuring that the principles of the NSW Government Open Data policy were maintained. An objective of the Open Data policy is to promote the release of government data ‘… for use by the community, research, business and industry’ and to ‘inform the design of policy, programs and procurement’. The Open Data Policy is not a ‘free data’ policy but is based on the principle of ‘free, where appropriate’.

Under the concession deed, the private operator is entitled to claim compensation for prescribed ‘compensation events’. In broad terms, compensation events include where the private operator loses its exclusive right to maintain and operate the NSW land titles registry, including to facilitate authoritative searches of titles.

On 28 September 2021, the private operator submitted a claim for compensation under the concession deed. This claim concerned the use of data by the Spatial Services business unit of the department to create the NSW Spatial Digital Twin (‘Spatial Digital Twin’).

The Spatial Digital Twin is described by the department as ‘… a cross-sector, collaborative digital workbench for whole-of-government use, that will visualise location information, in a 4D model of the real world (3D plus time)’. It brings together many data elements from multiple sources across government, including information from strata plans registered in the land titles registry.

On 23 October 2021, the NSW Government rejected the private operator’s compensation claim. However, while rejected, the claim has not been withdrawn. The department has assessed the claim as being unfounded and, consistent with financial audit standards, it is not recorded as a liability in the department’s financial accounts. However, the department does include the claim in its ‘emerging issues return’ that agencies are required to provide to NSW Treasury.

It was beyond the scope of this audit to assess the merits of this specific claim. However, at a general level, the matter highlights that there may be different interpretations of the concession deed in regard to the permitted uses of land titles registry data and the related compensation provisions. This includes NSW Government agencies that had existing pre-concession rights to obtain data for specific purposes, as well as other system participants that obtain land titles data, such as ELNOs. If a common understanding is not established, then there are dual risks that:

  • the potential for compensation claims may mute innovation in how NSW government agencies, and potentially others, use land titles registry data
  • current or further claims for compensation by the private operator for uses of data by third parties may create financial liabilities for the State.

The concession deed includes provisions that permit certain government agencies to obtain land registry data. Those agencies may also enter into individual memoranda of understanding (MOU) with the ORG. These MOUs set out details about how and for what purposes each agency may obtain data. Consistent with the deed, the MOUs also permit agencies to use land titles registry data for ‘similar governmental purposes’ to those purposes specified in the concession deed. There is no guidance on the interpretation of ‘similar governmental purposes’.

The ORG first formally proposed an approach to resolve this matter in August 2021. However, it remains a live issue. The ORG’s annual priorities letter to the private operator for 2023–24 identified the need to achieve ‘clarity around the use of land registry data’, explaining that:

… the rules and roles around land registry data need to be clearly settled, to support government policy development; and to enable innovation for both government and the private sector to deliver new products to customers. 

Achieving greater clarity in this matter remains one of the ORG’s annual priorities for both itself and the private operator for 2024–25. The ORG is developing a data use policy intended to assist in addressing risks around data use by clearly communicating to stakeholders the ORG's position on the use of data from the various registers operated under the concession. This policy was still in draft form during this audit.

The ORG has ensured that business continuity and recovery planning has been prepared for the land titles registry

The private operator is required by the concession deed to develop, submit and test a business continuity plan. During the concession, the private operator has met this requirement by providing the ORG with required and related documents, including its Business Continuity Plan, Business Continuity Management System and Disaster Recovery Strategy, as well as a third-party assessment of the adequacy of the planning.

The private operator is required to annually test its continuity planning. The audit team sighted evidence of third-party testing of the business continuity plan, as well as ORG feedback on the adequacy of business continuity plans and engagement with tests.

The audit team assessed a sample of business continuity plans provided by the private operator to the ORG against the applicable international standard (ISO 22332). In addition, a sample of incident management and recovery plans were assessed against both ISO 22332:2022 and ISO 27035.1:2017.

The audit team found that while the plans did not expressly claim to be prepared in accordance with any formal standard, they were broadly consistent with the requirements of the standards. For example:

  • there was evidence that sampled plans had been reviewed annually or as required as a result of organisational changes or post incident review
  • assumptions for the operation of the plan, and intersections with other key documents were clear
  • specific roles and team members, including alternates where available, were identified with defined roles and responsibilities
  • where scenarios were detailed, there were specific steps and tasks clearly outlined
  • plans contained rating frameworks that defined the criticality of events, and the subsequent recovery objectives.

The private operator also has a business continuity management framework that sits across business continuity plans for specific functions, as well as a disaster recovery strategy. These higher-level documents also provide detail on the operator’s requirements for more specific plans and processes to be tested. The business continuity management framework, for example, requires annual business continuity exercises to take place.

The ORG has a local business unit continuity plan, although this has not been tested

As part of Department of Customer Service business continuity planning, the ORG has a local business continuity plan for its own business unit. This plan addresses three specific critical business functions:

  • managing the concession
  • administering the TAF
  • regulating ELNOs.

Each of these critical business functions has a maximum acceptable outage time of one day, with a recovery time objective of three days. The ORG has not tested these recovery time objectives, or the operation of continuity plans for critical business functions.

The alignment of regulator and operator response and recovery plans is a recent improvement that has been identified through joint scenario testing

A joint exercise was conducted in November 2023. An external cyber security consultant was commissioned to design and deliver a cyber incident response exercise between the department, the ORG and the private operator.

The consultant produced a report that identified strengths across the engaged stakeholders, including the collaborative culture with clear decision-making protocols, awareness of the current threat landscape, and active involvement and identification of areas of improvement.

The report broadly identified the need for interconnected communication plans, harmonised incident response plans and pre-defined authority to act as key opportunities for improvement. This was due to uncertainty regarding who should initiate contact with different parties, the need for enhanced coordination and uncertainty during the exercise about who had the authority to engage with the threat actor.

This seems to be the only joint exercise that has been conducted between the regulator and operator to date. No further joint exercises are currently planned.

The ORG has not tested whether it could use back-up data to operationally manage the land titles registry

The concession deed requires the private operator to provide the ORG with a daily back-up of the ‘core data’ contained in the land titles registry (except for core imaging repository data, which is subject to weekly back-up). This is consistent with pre-concession disaster recovery arrangements where core databases and transaction logs were replicated to an off-site disaster recovery centre daily.

The ORG has taken steps to ensure that the back-up data provided by the operator is reliable. The content of the back-ups provided by the private operator was validated by Department of Customer Service ICT in August 2024, with a regular automated testing protocol now in place. This was not always the case, as ORG audits of back-up data had identified deficiencies earlier in the concession.

While the ORG has access to accurate back-up data, the value of the back-ups and whether the ORG can effectively restore the state back-up (for example, if it is ever required to exercise its step-in powers) has not been determined. The audit was told ‘there is no guarantee’ that existing back-ups could be used to restore the system.

The appropriate use, utility and purpose of the state back-up is a current issue for the ORG. This issue was also identified in the 2023 strategic technology review, which noted the potential for developing a real time replica of the land titles registry data. As a result of this review, the ORG is reviewing best practice for the use of the state back-up, including analysing its purpose, situational need and methods to audit and assess back-ups in the future. These findings are due in mid-2025. Any changes to state back-up arrangements will likely require changes to the concession deed.

If future circumstances require the ORG to rely on the state back-up of the registry data, the ability of the ORG to use the state back-up would be critical, including if there was a technical or operational failure with the private operator. The ORG has commenced initial analysis on the required documentation, procedures and scenarios required to exercise its step-in powers. However, the ORG has not tested how effectively it could restore the state back-up, or how it would use the back-up data in practice, if it was needed.

There is evidence that the ORG has taken steps to identify regulatory weaknesses and areas for improvement

The ORG has several internal processes to identify and review issues around its own performance. These include weekly and fortnightly team meetings at various levels, quarterly executive meetings, and an annual team development day. The ORG also notes that a weekly email identifies good regulatory practice. However, there is no formalised approach in terms of a framework that benchmarks the ORG’s performance in comparison to similar regulators or guides its continuous improvement processes.

The ORG has identified several internal improvement areas. These include workforce capability or capacity gaps and managing the risk of regulatory capture.

  • Workforce capability: while the ORG has a small IT team, it does not have senior or strategic IT expertise. Workforce capability in this area is a key risk to the long-term regulation of the land titles registry. It was raised by several stakeholders in interviews with the audit team and identified as a risk in both the Strategic Technology Review, and the ORG’s 2023 annual team development day.
  • Regulatory capture: ORG staff should refrain from becoming involved in discussions with the private operator and surveyors about plan issues, due to its role as the decision-making authority in administrative reviews.

The ORG is addressing a gap in strategic technology and regulatory practice capability to ensure it can effectively regulate the land titles registry in the long term

The land titles registry is an increasingly technology-focused system, having transitioned since the early 1980s from a paper-based system, where documents were submitted or searched for in-person, to a digital system with remote online access. This means that the ORG is increasingly regulating technology solutions and operations.

While the ORG has identified strategic technology expertise as a gap, it does not yet have a long-term capability development and retention plan. It has also not mapped its existing skills base to ongoing requirements of overseeing the concession deed and regulating the land titles registry. Its existing workforce plans respond to workforce survey findings and focus on developing and retaining its current workforce.

To address this capability gap in the immediate term, the ORG has engaged an external consultant to address strategic technology skills, reallocated its spending on consultancies to fund ongoing roles and requested support from Department of Customer Service ICT.

In 2024, as part of Fair Trading and Regulatory Services, the ORG was provided with a dedicated business information support officer from the department’s cyber security area who supports it with advice related to cyber security. Prior to this the ORG was also able to receive advice from the department’s Chief Information Security Officer. Advice has included risk assessments, responses to ad hoc requests and formal advice on reporting required from the operator. There is a potential risk in relation to this key role being outside the ORG’s structure and therefore not able to be fully managed by the ORG.

Broader Department of Customer Service ICT support has been more limited outside of cyber security. Leadership meetings have occurred inconsistently, for example, limiting ORG’s ability to influence the department’s ICT support.

The NSW Public Service Commission (now located within the Premier’s Department) has published a Strategic Workforce Planning Framework that provides guidance for agencies to understand and prepare for their future workforce needs. This framework identifies three levels of workforce planning.

  • Strategic workforce planning: identifies actions and addresses challenges, risks and opportunities, entailing longer term planning covering a 3–5 year period. The framework notes that strategic planning is not ‘resource management to fill immediate operational needs’.
  • Tactical workforce planning: specifies how work should be done in a specific area to efficiently achieve goals outlined in the strategic workforce plan.
  • Operational workforce planning: ensures daily work is done effectively.

ORG activity to address this capability gap is mainly tactical and operational. Quarterly executive meetings review resourcing needs with an 18-month time horizon, while the Strategic Workforce Planning Framework recommends a longer time horizon. Executive review assesses anticipated workload and, in addition to specific technological capability, has identified the need for additional capacity across the ORG in the areas of policy, regulation and cadastral integrity.

The ORG advises that it is currently reviewing the most effective approach to engaging strategic technology expertise and relies on expertise from within the Department of Customer Service for guidance on workforce planning.

The ORG’s wider regulatory context also creates capability needs in regulatory policy and practice. The ORG performs regulatory functions over a complex and multi-participant system. Its primary regulated entity, the private operator, has unique characteristics, being a monopoly exercising important titling functions using an asset that remains the property of the NSW Government.

At the same time, there is a range of other system participants, such as lawyers, conveyancers, surveyors and banks, who are primarily regulated by other bodies. The other main group of participants, the ELNOs, are themselves subject to new and dynamic market pressures as the industry evolves from a monopoly to a competitive market. The Australian Registrars' National Electronic Conveyancing Council has described a future state in which multiple ELNOs inter-operate, resulting in a ‘growing compliance burden for government’ within ten years.

The concession deed contains mechanisms to support continuous improvement in the operation of the concession, including an optional five-year major review clause that has not yet been exercised

The concession deed provides for the ORG to conduct:

  • ‘annual reviews’ of the operator’s performance, including its achievement of service levels and a review of its latest business plan, as well as a broad range of other matters
  • ‘ad hoc and other reviews’, whereby the ORG may review or ‘spot check’ the operator’s performance of any core service provided under the concession
  • a ‘major review’ of the operator’s performance under the deed no more than once every five years, including the extent to which the operator is acting consistently with the objectives of the concession and a broad range of other matters – a major review may also consider whether any changes are required under the concession deed.

The ORG conducts annual reviews of the private operator’s performance, including by reviewing and providing feedback on iterations of the private operator’s business plan. As discussed earlier, the ORG has also required the private operator to provide ad hoc reports on two occasions relating to the quality of the private operator’s plan examinations. While the annual priority letters described earlier in this report (see section 3) also encompass an element of performance review, that process is not a function of the concession deed.

To date, the ORG has not exercised its option to conduct a major review of the concession. The ORG did consider conducting a major review in 2022, but it was determined at the time that progressively evolving the concession using iterative contract variations agreed with the private operator was an adequate course of action.

The range of matters anticipated by the major review mechanism is substantial and would prompt consideration of matters that may not emerge iteratively or ad hoc, including matters that are more than simply routine or operational. For example, the major review mechanism provides for the review of significant and strategic matters, including those ‘… that were not anticipated as at the execution date, but which ought to be addressed having regard to the objectives’. Notwithstanding the long duration of the concession, and the complex and evolving environment in which it operates, the ORG has not commenced preparatory work to scope when, or in what circumstances, a major review would be appropriate.

Appendix 1 – Response from Department of Customer Service

Appendix 2 – Glossary

Appendix 3 – About the audit

Appendix 4 – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #403 released 12 February 2025.

Bus contracts in metropolitan Sydney

Transport
Management and administration
Procurement
Service delivery
Workforce and capability

About this report

Bus services in metropolitan Sydney are provided by private operators under contract to the NSW government. Transport for NSW (TfNSW) determines bus timetables, routes, stops, and frequency, while the operators deliver the specified bus services.

This audit assessed the effectiveness of TfNSW’s design and management of metropolitan Sydney bus service contracts. The audit focused on the nine regions where services are provided under the Greater Sydney Bus Contract (GSBC).

Conclusion

TfNSW is not effectively managing bus contracts to ensure that operators are meeting contracted obligations and customer needs. It has not responded strategically to major changes in commuter, work and travel patterns on metropolitan bus services.

TfNSW identified significant gaps in its strategic contract management capacity since 2022 but has not sufficiently addressed these. As a result, it has not undertaken essential medium to long term strategic activities required to effectively manage the GSBCs. It has not conducted a holistic, systematic review of service levels across all regions to fully address the impacts of the post-COVID-19 period, and other changes such as new infrastructure and travel options like the Sydney Metro M1 line.

First stop on time running has stabilised since January 2023. However, operators are not consistently meeting their performance obligations for on time running, cancelled trips and customer complaints.

There are gaps in TfNSW’s contract management-specific procedures and delegations. These gaps mean that the risks of inappropriate exercise of delegations, non-compliance with contractual requirements and/or inappropriate use of public funds are not fully addressed.

Recommendations

The audit recommends that TfNSW improve the capacity of its bus contracts management team. It should also close the gaps in its contract management-specific procedures and delegations, and start regularly auditing operator responses to customer complaints.

TfNSW should implement strategic planning, including enhanced data analytics, aimed at improving bus operator performance.

On time running (OTR), customer complaints, tracking rates, and cancelled and incomplete trips are important key performance indicators (KPIs) as they represent significant facets of the customer experience. This chapter considers OTR KPIs in detail, since the start of the Greater Sydney Bus Contracts (GSBCs).

OTR is defined in Schedule 4 of the GSBC with three KPIs – first, mid and last stop OTR. All three are measured as the percentage of timetabled bus trips that are on time at the specified location. GSBC operators are required to report to Transport for NSW (TfNSW) on these three KPIs every month.

For the first and mid stops ‘on time’ is defined as between 59 seconds early and five minutes and 59 seconds late compared to the timetable.

TfNSW has advised that mid transit stop OTR has been incorrectly calculated for multiple GSBC regions and that it was in the process of re-calculating this KPI for the operators that were affected. As a result, we do not report mid transit stop OTR numbers here or draw any conclusions about them.

OTR for the last transit stop on a route is measured as a percentage of bus trips arriving on time, where ‘on time’ is defined as no later than five minutes and 59 seconds after the timetable arrival time.

First stop OTR has decreased over the duration of the GSBCs, but it has stabilised in the period from January 2023 to May 2024

Figure 8 shows the aggregated first stop OTR performance data across metropolitan Sydney as a whole (excluding region 6) for the duration of the GSBCs. It also reflects advice received from TfNSW that there is a change in bus operator performance in January 2023 and splits the time period accordingly (April 2022 to December 2023 and January 2023 to May 2024).

During the audit, TfNSW emphasised the impact of the bus driver shortage on bus service performance against KPIs, as well as seasonal effects in OTR performance. Therefore, Figure 8 also shows the reported driver shortages for each month from June 2022, as well as the January and February seasonal effects.

Figure 8 shows that, while there is an overall downward trend in performance, first stop OTR becomes stable after January 2023. Prior to that point in time, performance was declining.

This chapter considers operator performance against key performance indicators (KPIs) for bus tracking rates and cancelled and incomplete trips. From the perspective of bus passengers, tracking is important to ensure timetables and real-time data are accurate and reflect the reality of the services they are receiving. Tracking is also essential for the measurement of on time running (OTR) and cancelled and incomplete trips.

This chapter considers operator performance based on customer complaints received. Customer complaints are defined in Schedule 4 of the Greater Sydney Bus Contract (GSBC) as any report of a negative experience in relation to a bus service in the categories of ‘complaint’ and ‘feedback’. This excludes vexatious complaints, and any complaints about issues that are within Transport for NSW’s (TfNSW) control and not the operators’.

Customer complaints have increased since the start of the GSBC

The number of customer complaints about bus services over the entire GSBC area has increased over time. The number of complaints per 100,000 boardings in May 2024 is approximately double that in April 2022 (28.9 complaints per 100,000 boardings compared to 14.4), reflecting increasing customer dissatisfaction with the services delivered.

Complaints are measured using several key performance indicators (KPIs) that represent factors such as the number of complaints per 100,000 boardings and the time it takes operators to respond to complaints. Figure 12 represents the number of customer complaints per 100,000 boardings across the GSBC operators over the GSBC period.

Appendix 1 – Response from Transport for NSW

Appendix 2 – The evolution of bus contracting in NSW from 2003

Appendix 3 – About the audit

Appendix 4 – Performance auditing

Parliamentary reference - Report number #402 - released 29 January 2025.

State finances 2024

Whole of Government
Treasury
Asset valuation
Compliance
Financial reporting
Information technology
Infrastructure
Internal controls and governance

What this report is about

This report focuses on the 2023–24 Consolidated State Financial Statements of the New South Wales General Government Sector (GGS) and Total State Sector (TSS), which comprise the Total State Sector Accounts.

It comments on the key matters and highlights significant factors that have contributed to the State’s financial outcomes for the year ended 30 June 2024.

Observations

The audit opinion on the Total State Sector Accounts for the year ended 30 June 2024 was unqualified.

The GGS’s net operating balance for the 2023–24 financial year was a deficit of $10.7 billion. This was $2.9 billion more than the original budgeted deficit of $7.8 billion, and $1.1 billion more than the revised budget deficit of $9.6 billion estimated during the 2023–24 half yearly review.

Revenue growth exceeded expense growth in 2022–23 and 2023–24, after several years when expenses increased in excess of revenue as the government responded to COVID-19 and natural disasters.

The State recorded $769 million in write offs of infrastructure and other assets in 2023–24, largely from transport projects including the Great Western Highway upgrade, the Beaches Link project and the Fast Rail program.

The State also wrote off $334 million of inventories including expired rapid antigen test kits and personal protective equipment.

The GGS’s net debt to gross state product increased from -0.3% in 2019 to 11.4% in 2024. It is predicted to reach 14.2% of gross state product by 2028.

The State maintained its triple-A and AA+ credit ratings.

Recommendations

Seven of nine 2023 report recommendations have been addressed.

NSW Treasury is working to address the two open recommendations relating to reviewing the financial reporting exemption framework.

The Audit Office’s annual work program

The Annual Work Program 2024–27 was published in August 2024

Each year, the Audit Office’s Annual Work Program reflects an ongoing strategic assessment of the risks and challenges facing government. It outlines subsequent focus areas for financial audits, as well as planned performance audit topics published as a three-year rolling program. We aim to inform NSW Parliament, the public sector and the community about key risks we identify, as well as our priorities and expected timeframes for delivering our work. This helps to give our stakeholders the best opportunity to prepare for, and engage with, our audits.

Our financial audit program this year included a consolidated report on the audit results of NSW Government agencies’ financial statements. The State agencies 2024 report highlighted the issues that had the most significant impact across the whole sector.

There are five key focus areas in our performance audit program:

  • effective advice and decision making
  • First Nations people in NSW
  • environment and sustainability
  • efficient and responsible use of public resources
  • cyber security.

A sharper focus on information technology risks and data

The NSW public sector is increasingly reliant on information technology to improve service delivery. The Systems Assurance, Cyber and Data Branch within the Audit Office seeks to respond to the pervasive risks and opportunities associated with information technology, and the growing availability of large amounts of data. The creation of this branch reflects the prominence of data and cyber issues within our Corporate Strategy and Annual Work Program, and the importance of our information systems assurance work. The work of the branch supports our financial and performance audits, with insights reflected in our financial and performance audit reports.

The outcome we seek is a sharper focus on information technology risks within the public sector, particularly cyber security risks, to be highlighted in our performance and financial audits. Our increasing use of data for more effective audits aims to further enhance our audit reports.

The Systems Assurance, Cyber and Data Branch also plays a role in thought leadership about artificial intelligence and its impacts on the way we work and the work of the agencies we audit. This plan includes commencing our first audit focused on artificial intelligence.

Digital audit transformation

The Audit Office is embarking on a digital audit transformation which is looking at how we can better use data and technology to enhance our audits.

This transformation looks to re-imagine how we plan for, complete and report on our financial and performance audits incorporating data analytic solutions, automation and predictive analytics, leading to more efficient, effective and timely audits.

An initial key focus is on standardising and automating data requests from agencies, which will streamline processes, save time, automate some audit procedures and improve audit risk assessment and benchmarking.

We understand that there are some key enablers required to achieve this outcome and acknowledge that there are some key risks that we need to manage. Ensuring that we have a workforce that is digitally capable, and technological solutions that are fit-for-purpose, while continuing to maintain high levels of security and privacy over information is essential.

While this transformation will be staged, the support of the sector will be crucial to ensure speedy and consistent implementation across the entire sector.

Audits will target the efficient and responsible use of public resources

The Government Sector Employment Act 2013 establishes the core values of the public sector in NSW. One of these core values is that public servants should be fiscally responsible and focus on the efficient, effective and prudent use of resources.

The Government Sector Audit Act 1983 provides that the Auditor-General may have regard to the wastage of public resources and may deal with reports about the serious and substantial waste of public money. Serious and substantial waste involves the uneconomical, inefficient or ineffective use of resources, whether authorised or unauthorised, and which could result in a loss of public funds or resources.

Waste can result in an opportunity cost for government where money could have been used for a better purpose, or better spent on achieving the same purpose. Waste can also lead to higher costs being incurred to address earlier failings in program design, budgeting and management.

The Audit Office’s work program for 2024–27 includes audits that focus on identifying whether the planning and management of key programs and services has been efficient and financially responsible, and whether opportunities to avoid and reduce waste have been identified early.

Climate-related financial reporting in NSW

The NSW Government has announced the introduction of mandatory climate-related financial disclosures as part of agencies’ annual reporting.

The release of climate-related financial disclosures by government entities is intended to provide transparency on the NSW Government’s exposure to the impacts of climate change and enhance accountability over strategies to respond to risks and capitalise on opportunities.

NSW Treasury recently issued its framework for first year climate-related financial disclosures

In October 2024, NSW Treasury issued TPG24-33 ‘Reporting Framework for First Year Climate-related Financial Disclosures’ (the Framework). The Framework sets out mandatory reporting requirements, including key guiding principles and disclosure content.

The Framework is closely informed by the Australian Accounting Standards Board’s (AASB’s) Australian sustainability reporting standard, AASB S2 ‘Climate-related Disclosures’. It has been tailored by NSW Treasury to reflect NSW Government circumstances and reporting entity capability and capacity.

Entity level climate-related financial disclosures will commence in stages from 1 July 2024

The disclosure obligations will commence in 2024–25 for the largest entities or those entities likely to be most exposed to material climate-related risks. Based on NSW Treasury’s assessment, 29 ‘phase 1 entities’ will apply the Framework for their 2024–25 climate disclosures.

Other entities will apply the Framework when they make their first climate-related financial disclosures in subsequent phases.

The assurance regime over climate-related financial disclosures is being developed

The Audit Office has been engaging with NSW Treasury to determine the nature and scope of independent public sector assurance over future climate-related disclosures at both a whole-of-government and agency level. Assurance requirements are expected to be staged, with NSW Treasury recently seeking expressions of interest for some phase 1 entities to have their 2024–25 climate disclosures assured by the Audit Office. Mandatory assurance for all phase 1 entities will commence in 2025–26.

Appendix 1 – Key audit matters

Appendix 2 – Prescribed entities

Appendix 3 – Controlled entities of the State