Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Property Asset Utilisation

Finance
Asset valuation
Infrastructure
Management and administration
Project management

Property NSW’s effectiveness in managing NSW Government owned and leased commercial office property is limited in three areas according to a report released today by the Auditor-General for New South Wales, Margaret Crawford.

At 30 June 2018, the NSW Government owned $160 billion worth of land and buildings. The NSW Treasury predicts this figure will rise over the coming years. Property NSW manages more than 900 leased office properties across the state. Approximately 250 of these are owned by Property NSW. Other NSW Government agencies maintain ownership and control of properties considered essential for service provision, such as schools, prisons and hospitals. Between 2012–13 and 2017–18 sales of property assets across the whole of the NSW Government have raised $10 billion, of which Property NSW has sold property assets of approximately $2 billion.

In September 2012, the Property Asset Utilisation Taskforce (the Taskforce) released its report on ‘real property asset management across government’ and concluded that the government has accumulated, over time, ‘a real property asset portfolio it cannot afford to maintain or protect’. The Taskforce noted that ‘a lack of centralised information seriously inhibits any whole-of-government strategic asset planning’ and that maintaining under-utilised or unnecessary properties diverted funds from areas where they might be better used. The Taskforce’s key findings included:

  • the NSW Government should own property only as a means to deliver or enhance services
  • many government properties were under-utilised, poorly maintained and inappropriate to support service delivery.

The Taskforce recommended the creation of Property NSW, as a replacement for the State Property Authority, to improve property asset utilisation and to drive efficiencies in the government’s owned and leased property portfolio. Property NSW was to achieve these goals by:

  • collating property information across the whole-of-government
  • working with agencies on longer-term strategic real property asset planning to:
    • provide services to agencies as customers
    • bring a whole-of-government perspective to real property asset planning.

In response to the Taskforce report, in December 2012, the Premier's Memorandum M2012-20 (the Memorandum) established Property NSW to improve the management of the NSW Government's owned and leased real property portfolio.

Under the Memorandum, Property NSW is responsible for:

  • management of all leased and owned commercial office accommodation
  • acting as the central acquisition and disposal agency 
  • providing advice to the government on property matters and developing property policy 
  • conducting regular and ongoing reviews of agencies portfolios, working with agencies to identify efficiencies to improve service delivery, in relation to the review of capital planning1
  • maintaining the register of all government owned property.

The Memorandum states that ownership of all commercial office property should be vested in Property NSW. 

This audit assessed whether Property NSW is effective in the management of NSW Government owned and leased commercial office property. To do this we assessed whether NSW Government leased commercial office space is being effectively utilised and whether the Government Property Register, a register of all government owned property, is accurate and up-to-date.

Conclusion
Property NSW’s effectiveness in managing NSW Government owned and leased commercial office property is limited in three areas.
First, Property NSW has not comprehensively reviewed many agency property portfolios to help agencies identify assets, including commercial office properties, that could be better utilised or recycled. Second, the Government Property Register is not being actively maintained and contains incomplete and inaccurate information, limiting Property NSW’s ability to use it to support strategic decisions about the use of government property assets. Third, Property NSW's decisions are not well documented and its processes to reach decisions are not transparent to stakeholders. That said, property utilisation has improved by about 14 per cent since 2012, and Property NSW is actively moving properties out of the Sydney CBD in line with the ‘Decade of Decentralisation’ policy.
Property NSW’s role is to provide a strategic approach to property asset management. Under the 2012 Premier’s Memorandum, this includes a requirement that Property NSW undertake regular reviews of agency property portfolios to identify efficiencies to improve service delivery. Property NSW completed one comprehensive review of an agency, limited reviews of four other agencies, and some reviews of government property in regional towns, prior to 2017.

In December 2017, Property NSW started working across the NSW Government to help agencies identify real property assets, including commercial office properties, that are under-utilised or surplus and that could be recycled, repurposed, or vested to Property NSW.
Following the Memorandum, agencies were directed to vest their commercial office properties to Property NSW. However, without more comprehensive reviews, Property NSW does not know how many commercial properties are yet to be vested. Agencies can approach Property NSW for assistance in managing their property portfolios, and Property NSW arranges the recycling of under utilised and surplus properties that are brought to its attention. Property NSW is improving utilisation of government office space, according to agency self-reported information which Property NSW uses to calculate utilisation rates. 
The Property Asset Utilisation Taskforce report (2012) recommended that the NSW Government needed a ‘single source of truth’ to inform asset retention and disposal decisions, leasing decisions and ongoing strategic property decisions. It concluded that the Government Property Register (GPR) could perform this function ‘if populated appropriately’. However, the GPR is not comprehensively performing this function because it is still incomplete and out of date. Property NSW manages the GPR and NSW Government agencies are required to supply ‘accurate, relevant and useful information’ to populate it. Agencies are not always doing so in a timely manner, limiting its usefulness to support strategic decision making. Property NSW supplements the GPR with information from multiple other sources to assist its decisions, however, there is still no single, complete and accurate picture of the NSW Government property portfolio. 
The work Property NSW does to identify, shortlist and propose new lease and agency relocation options is not well documented. Property NSW records the outcome of the process without detailing how and why decisions were made. There is limited transparency in this process for stakeholders. Record keeping is also inconsistent and many of Property NSW’s divisions do not have procedures or guidelines.

1 Capital Planning was previously referred to as Total Asset Management (TAM).

In December 2017, the NSW Government announced the Property Infrastructure Policy to create a more collaborative approach between Property NSW and NSW Government agencies to review and identify efficiencies in their property portfolios. Before this, Property NSW did not have a plan to assist agencies to identify under-utilised properties for recycling or repurposing. It still does not know how many under-utilised properties exist and will not know until it has completed all of the portfolio reviews it is currently carrying out under the Property Infrastructure Policy.
Between 2013 and 2017, Property NSW had only completed one comprehensive review of an agency, limited reviews of four other agencies, and some regional towns. Outside this process Property NSW chose to rely on other agencies to identify surplus property for recycling, repurposing or vesting ownership to Property NSW.
Property NSW has a role to provide a strategic approach to property asset management and is required to undertake regular reviews of agency property portfolios under the Premier's Memorandum. Property NSW only recently started working to assist agencies to identify under-utilised and surplus properties, or properties to be vested. These reviews should improve the identification of surplus and under-utilised real property assets and assist whole-of-government decisions on the recycling, repurposing of under-utilised assets and vesting of owned office accommodation to Property NSW.
Recommendations
By December 2019, Property NSW should:
  1. combine the results of property portfolio reviews to produce a whole-of-government picture of the NSW Government property portfolio 
  2. devise a strategy and plan to recycle or repurpose under-utilised properties using a whole-of-government picture of the NSW Government property portfolio
  3. develop and report on indicators for progress in reducing the number and value of under-utilised properties at the whole-of-government level, referencing progress against an accurate baseline stocktake.
Property NSW needs to be more proactive in its management of the GPR and in encouraging agencies to provide the information needed to improve this register. In 2012, the Property Asset Utilisation Taskforce report recommended there be a single source of truth on property assets owned by the NSW Government. The GPR is intended to fulfil this role but it is out of date and incomplete.
Without a complete and accurate central register of property, Property NSW cannot provide the NSW Government with a comprehensive picture of its property portfolio, or make whole-of-government decisions about the property portfolio. Property NSW currently supplements the GPR with information from other systems in order to make decisions about leasing, relocations, and property recycling and repurposing. Agencies are required to provide ‘accurate, relevant and useful information’ but are not consistently doing so.
Recommendations
By December 2019, Property NSW should:
4. improve the data held on government owned and leased properties by combining and automating data feeds to construct a single, consolidated and accurate whole-of-government property data set.
Property NSW documents the outcome of decisions about relocations, lease renewals, and utilisation but is unable to provide evidence of how these decisions are reached. Property NSW is also unable to provide evidence of documented guidance for its staff on how decisions should be made. Whilst some level of subjectivity will play a part in such decisions, the lack of documentation and guidance raises issues of consistency, accountability and transparency in decision-making. Property NSW states that it makes decisions based on whole-of-government outcomes rather than equitable and consistent outcomes for client agencies, which is inconsistent with the criteria it reports that it uses when making decisions about leases and relocations.
Recommendations
By December 2019, Property NSW should:
5. document and communicate to stakeholders how its assessment criteria inform key decisions including agency relocations, lease renewals and rectifying under-utilisation
6. include customer satisfaction measures in its annual reports and reviews, in accordance with the requirements set out in the Premier's Memorandum M2012-20
7. improve record-keeping and compliance with the State Records Act 1998 and the Department of Finance, Services and Innovation Records Management Policy.

Appendix one - Response from agency

Appendix two - Audit Office response

Appendix three - About the audit

Appendix four - Performance auditing

 

Parliamentary reference - Report number #312 - released 18 December 2018

Published

Managing Antisocial behaviour in public housing

Community Services
Asset valuation
Infrastructure
Regulation
Service delivery
Workforce and capability

The Department of Family and Community Services (FACS) has not adequately supported or resourced its staff to manage antisocial behaviour in public housing according to a report released today by the Deputy Auditor-General for New South Wales, Ian Goodwin. 

In recent decades, policy makers and legislators in Australian states and territories have developed and implemented initiatives to manage antisocial behaviour in public housing environments. All jurisdictions now have some form of legislation or policy to encourage public housing tenants to comply with rules and obligations of ‘good neighbourliness’. In November 2015, the NSW Parliament changed legislation to introduce a new approach to manage antisocial behaviour in public housing. This approach is commonly described as the ‘strikes’ approach. 

When introduced in the NSW Parliament, the ‘strikes’ approach was described as a means to:

  • improve the behaviour of a minority of tenants engaging in antisocial behaviour 
  • create better, safer communities for law abiding tenants, including those who are ageing and vulnerable.

FACS has a number of tasks as a landlord, including a responsibility to collect rent and organise housing maintenance. FACS also has a role to support tenants with complex needs and manage antisocial behaviour. These roles have some inherent tensions. The FACS antisocial behaviour management policy aims are: 

to balance the responsibilities of tenants, the rights of their neighbours in social housing, private residents and the broader community with the need to support tenants to sustain their public housing tenancies.

This audit assessed the efficiency and effectiveness of the ‘strikes’ approach to managing antisocial behaviour in public housing environments.

We examined whether:

  • the approach is being implemented as intended and leading to improved safety and security in social housing environments
  • FACS and its partner agencies have the capability and capacity to implement the approach
  • there are effective mechanisms to monitor, report and progressively improve the approach.
Conclusion

FACS has not adequately supported or resourced its staff to implement the antisocial behaviour policy. FACS antisocial behaviour data is incomplete and unreliable. Accordingly, there is insufficient data to determine the nature and extent of the problem and whether the implementation of the policy is leading to improved safety and security

FACS management of minor and moderate incidents of antisocial behaviour is poor. FACS has not dedicated sufficient training to equip frontline housing staff with the relevant skills to apply the antisocial behaviour management policy. At more than half of the housing offices we visited, staff had not been trained to:

  • conduct effective interviews to determine whether an antisocial behaviour complaint can be substantiated

  • de escalate conflict and manage complex behaviours when required

  • properly manage the safety of staff and tenants

  • establish information sharing arrangements with police

  • collect evidence that meets requirements at the NSW Civil and Administrative Tribunal

  • record and manage antisocial behaviour incidents using the information management system HOMES ASB.

When frontline housing staff are informed about serious and severe illegal antisocial behaviour incidents, they generally refer them to the FACS Legal Division. Staff in the Legal Division are trained and proficient in managing antisocial behaviour in compliance with the policy and therefore, the more serious incidents are managed effectively using HOMES ASB. 


FACS provides housing services to most remote townships via outreach visits from the Dubbo office. In remote townships, the policy is not being fully implemented due to insufficient frontline housing staff. There is very limited knowledge of the policy in these areas and FACS data shows few recorded antisocial behaviour incidents in remote regions. 


The FACS information management system (HOMES ASB) is poorly designed and has significant functional limitations that impede the ability of staff to record and manage antisocial behaviour. Staff at most of the housing offices we visited were unable to accurately record antisocial behaviour matters in HOMES ASB, making the data incorrect and unreliable.

Appendix one: Response from agency

Appendix two: Managing antisocial behaviour in other jurisdictions

Appendix three: About the audit

Appendix four: Survey questions

Appendix five: Performance auditing

 

Parliamentary reference - Report number #306 - released 10 August 2018

Published

HealthRoster benefits realisation

Health
Compliance
Information technology
Management and administration
Project management
Workforce and capability

The HealthRoster system is delivering some business benefits but Local Health Districts are yet to use all of its features, according to a report released today by the Auditor-General for New South Wales,  Margaret Crawford. HealthRoster is an IT system designed to more effectively roster staff to meet the needs of Local Health Districts and other NSW health agencies.

The NSW public health system employs over 100,000 people in clinical and non-clinical roles across the state. With increasing demand for services, it is vital that NSW Health effectively rosters staff to ensure high quality and efficient patient care, while maintaining good workplace practices to support staff in demanding roles.

NSW Health is implementing HealthRoster as its single state-wide rostering system to more effectively roster staff according to the demands of each location. Between 2013–14 and 2016–17, our financial audits of individual LHDs had reported issues with rostering and payroll processes and systems.

NSW Health grouped all Local Health Districts (LHDs), and other NSW Health organisations, into four clusters to manage the implementation of HealthRoster over four years. Refer to Exhibit 4 for a list of the NSW Health entities in each cluster.

  • Cluster 1 implementation commenced in 2014–15 and was completed in 2015–16.
  • Cluster 2 implementation commenced in 2015–16 and was completed in 2016–17.
  • Cluster 3 began implementation in 2016–17 and was underway during the conduct of the audit.
  • Cluster 4 began planning for implementation in 2017–18.

Full implementation, including capability for centralised data and reporting, is planned for completion in 2019.

This audit assessed the effectiveness of the HealthRoster system in delivering business benefits. In making this assessment, we examined whether:

  • expected business benefits of HealthRoster were well-defined
  • HealthRoster is achieving business benefits where implemented.

The HealthRoster project has a timespan from 2009 to 2019. We examined the HealthRoster implementation in LHDs, and other NSW Health organisations, focusing on the period from 2014, when eHealth assumed responsibility for project implementation, to early 2018.

Conclusion
The HealthRoster system is realising functional business benefits in the LHDs where it has been implemented. In these LHDs, financial control of payroll expenditure and rostering compliance with employment award conditions has improved. However, these LHDs are not measuring the value of broader benefits such as better management of staff leave and overtime.
NSW Health has addressed the lessons learned from earlier implementations to improve later implementations. Business benefits identified in the business case were well defined and are consistent with business needs identified by NSW Health. Three of four cluster 1 LHDs have been able to reduce the number of issues with rostering and payroll processes. LHDs in earlier implementations need to use HealthRoster more effectively to ensure they are getting all available benefits from it.
HealthRoster is taking six years longer, and costing $37.2 million more, to fully implement than originally planned. NSW Health attributes the increased cost and extended timeframe to the large scale and complexity of the full implementation of HealthRoster.

Business benefits identified for HealthRoster accurately reflect business needs.

NSW Health has a good understanding of the issues in previous rostering systems and has designed HealthRoster to adequately address these issues. Interviews with frontline staff indicate that HealthRoster facilitates rostering which complies with industrial awards. This is a key business benefit that supports the provision of quality patient care. We saw no evidence that any major business needs or issues with the previous rostering systems are not being addressed by HealthRoster.

In the period examined in this audit since 2015, NSW Health has applied appropriate project management and governance structures to ensure that risks and issues are well managed during HealthRoster implementation.

HealthRoster has had two changes to its budget and timeline. Overall, the capital cost for the project has increased from $88.6 million to $125.6 million (42 per cent) and has delayed expected project completion by four years from 2015 to 2019. NSW Health attributes the increased cost and extended time frame to the large scale and complexity of the full implementation of HealthRoster.

NSW Health has established appropriate governance arrangements to ensure that HealthRoster is successfully implemented and that it will achieve business benefits in the long term. During implementation, local steering committees monitor risks and resolve implementation issues. Risks or issues that cannot be resolved locally are escalated to the state-wide steering committee.

NSW Health has grouped local health districts, and other NSW Health organisations, into four clusters for implementation. This has enabled NSW Health to apply lessons learnt from each implementation to improve future implementations.

NSW Health has a benefits realisation framework, but it is not fully applied to HealthRoster.

NSW Health can demonstrate that HealthRoster has delivered some functional business benefits, including rosters that comply with a wide variety of employment awards.

NSW Health is not yet measuring and tracking the value of business benefits achieved. NSW Health did not have benefits realisation plans with baseline measures defined for LHDs in cluster 1 and 2 before implementation. Without baseline measures NSW Health is unable to quantify business benefits achieved. However, analysis of post-implementation reviews and interviews with frontline staff indicate that benefits are being achieved. As a result, NSW Health now includes defining baseline measures and setting targets as part of LHD implementation planning. It has created a benefits realisation toolkit to assist this process from cluster 3 implementations onwards.

NSW Health conducted post-implementation reviews for clusters 1 and 2 and found that LHDs in these clusters were not using HealthRoster to realise all the benefits that HealthRoster could deliver.

By September 2018, NSW Health should:

  1. Ensure that Local Health Districts undertake benefits realisation planning according to the NSW Health benefits realisation framework
  2. Regularly measure benefits realised, at state and local health district levels, from the statewide implementation of HealthRoster
  3. Review the use of HealthRoster in Local Health Districts in clusters 1 and 2 and assist them to improve their HealthRoster related processes and practices.

By June 2019, NSW Health should:

  1. Ensure that all Local Health Districts are effectively using demand based rostering.

Appendix one - Response from agency

Appendix two - About the audit

Appendix three - Performance auditing

 

Parliamentary reference - Report number #301 - released 7 June 2018

Published

Detecting and responding to cyber security incidents

Finance
Cyber security
Information technology
Internal controls and governance
Management and administration
Workforce and capability

A report released today by the Auditor-General for New South Wales, Margaret Crawford, found there is no whole-of-government capability to detect and respond effectively to cyber security incidents. There is very limited sharing of information on incidents amongst agencies, and some agencies have poor detection and response practices and procedures.

The NSW Government relies on digital technology to deliver services, organise and store information, manage business processes, and control critical infrastructure. The increasing global interconnectivity between computer networks has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.

This audit examined cyber security incident detection and response in the NSW public sector. It focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the Information Security Community of Practice, the Information Security Event Reporting Protocol, and the Digital Information Security Policy (the Policy).

The audit also examined ten case study agencies to develop a perspective on how they detect and respond to incidents. We chose agencies that are collectively responsible for personal data, critical infrastructure, financial information and intellectual property.

Conclusion
There is no whole‑of‑government capability to detect and respond effectively to cyber security incidents. There is limited sharing of information on incidents amongst agencies, and some of the agencies we reviewed have poor detection and response practices and procedures. There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost.
Given current weaknesses, the NSW public sector’s ability to detect and respond to incidents needs to improve significantly and quickly. DFSI has started to address this by appointing a Government Chief Information Security Officer (GCISO) to improve cyber security capability across the public sector. Her role includes coordinating efforts to increase the NSW Government’s ability to respond to and recover from whole‑of‑government threats and attacks.

Some of our case study agencies had strong processes for detection and response to cyber security incidents but others had a low capability to detect and respond in a timely way.

Most agencies have access to an automated tool for analysing logs generated by their IT systems. However, coverage of these tools varies. Some agencies do not have an automated tool and only review logs periodically or on an ad hoc basis, meaning they are less likely to detect incidents.

Few agencies have contractual arrangements in place for IT service providers to report incidents to them. If a service provider elects to not report an incident, it will delay the agency’s response and may result in increased damage.

Most case study agencies had procedures for responding to incidents, although some lack guidance on who to notify and when. Some agencies do not have response procedures, limiting their ability to minimise the business damage that may flow from a cyber security incident. Few agencies could demonstrate that they have trained their staff on either incident detection or response procedures and could provide little information on the role requirements and responsibilities of their staff in doing so.

Most agencies’ incident procedures contain limited information on how to report an incident, who to report it to, when this should occur and what information should be provided. None of our case study agencies’ procedures mentioned reporting to DFSI, highlighting that even though reporting is mandatory for most agencies their procedures do not require it.

Case study agencies provided little evidence to indicate they are learning from incidents, meaning that opportunities to better manage future incidents may be lost.

Recommendations

The Department of Finance, Services and Innovation should:

  • assist agencies by providing:
    • better practice guidelines for incident detection, response and reporting to help agencies develop their own practices and procedures
    • training and awareness programs, including tailored programs for a range of audiences such as cyber professionals, finance staff, and audit and risk committees
    • role requirements and responsibilities for cyber security across government, relevant to size and complexity of each agency
    • a support model for agencies that have limited detection and response capabilities
       
  • revise the Digital Information Security Policy and Information Security Event Reporting Protocol by
    • clarifying what security incidents must be reported to DFSI and when
    • extending mandatory reporting requirements to those NSW Government agencies not currently covered by the policy and protocol, including State owned corporations.

DFSI lacks a clear mandate or capability to provide effective detection and response support to agencies, and there is limited sharing of information on cyber security incidents.

DFSI does not currently have a clear mandate and the necessary resources and systems to detect, receive, share and respond to cyber security incidents across the NSW public sector. It does not have a clear mandate to assess whether agencies have an acceptable detection and response capability. It is aware of deficiencies in agencies and across whole‑of‑government, and has begun to conduct research into this capability.

Intelligence gathering across the public sector is also limited, meaning agencies may not respond to threats in a timely manner. DFSI has not allocated resources for gathering of threat intelligence and communicating it across government, although it has begun to build this capacity.

Incident reporting to DFSI is mandatory for most agencies, however, most of our case study agencies do not report incidents to DFSI, reducing the likelihood of containing an incident if it spreads to other agencies. When incidents have been reported, DFSI has not provided dedicated resources to assess them and coordinate the public sector’s response. There are currently no formal requirements for DFSI to respond to incidents and no guidance on what it is meant to do if an incident is reported. The lack of central coordination in incident response risks delays and increased damage to multiple agencies.

DFSI's reporting protocol is weak and does not clearly specify what agencies should report and when. This makes agencies less likely to report incidents. The lack of a standard format for incident reporting and a consistent method for assessing an incident, including the level of risk associated with it, also make it difficult for DFSI to determine an appropriate response.

There are limited avenues for sharing information amongst agencies after incidents have been resolved, meaning the public sector may be losing valuable opportunities to improve its protection and response.

Recommendations

The Department of Finance, Services and Innovation should:

  • develop whole‑of‑government procedure, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including follow-up and communicating lessons learnt
  • develop a means by which agencies can report incidents in a more effective manner, such as a secure online template, that allows for early warnings and standardised details of incidents and remedial advice
  • enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector
  • direct agencies to include standard clauses in contracts requiring IT service providers report all cyber security incidents within a reasonable timeframe
  • provide assurance that agencies have appropriate reporting procedures and report to DFSI as required by the policy and protocol by:
    • extending the attestation requirement within the DISP to cover procedures and reporting
    • reviewing a sample of agencies' incident reporting procedures each year.

Appendix one - Response from agency

Appendix two - ISMS maturity model

Appendix three - About the audit

Appendix four - Performance auditing

 

Parliamentary reference - Report number #297 - released 2 March 2018

Published

Managing IT Services Contracts

Finance
Health
Justice
Compliance
Information technology
Internal controls and governance
Procurement
Project management
Risk

Neither agency (NSW Ministry of Health and NSW Police Force) demonstrated that they continued to get value for money over the life of these long term contracts or that they had effectively managed all critical elements of the three contracts we reviewed post award. This is because both agencies treated contract extensions or renewals as simply continuing previous contractual arrangements, rather than as establishing a new contract and financial commitment. Consequently, there was not a robust analysis of the continuing need for the mix and quantity of services being provided or an assessment of value for money in terms of the prices being paid.

 

Parliamentary reference - Report number #220 - released 1 February 2012

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE