What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

• coordination at state, regional and local levels through emergency management committees
• emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
• operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

• The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
• NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
• Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
• The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
• The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

• government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
• agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

• up to ten fully vaccinated visitors to a home (increased from five)
• up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
• weddings and funerals limits increased to 100 people (from 50)
• the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

• South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
• Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
• Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
• a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

• the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
• issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
• the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
• issues arising from impediments to information sharing between agencies and jurisdictions, such as:
  • timeliness and accuracy of data used to direct compliance activities
  • the impact of insufficient advance notice on changes to Public Health Orders
  • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
  • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
• the lack of Aboriginal community representation on many LEMCs
• compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
• improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
• deficiencies in succession planning and fatigue management practices
• the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

• governance
• engagement 
• innovation and technology 
• community impact 
• workforce impact
• system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #371 - released 20 December 2022

What the report is about

The Australian Government led and implemented the Australian COVID-19 vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

This audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine roll out in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over.

What we found

On 16 October 2021, NSW Health, in partnership with the Australian Government's vaccination program, achieved its first objective to fully vaccinate 80% of people in NSW aged 16 and over. Demand for the vaccine reduced in December 2021, and NSW Health did not reach its target of 95% fully vaccinated for people aged 16 and over until June 2022.

Despite challenges such as uncertain supply and changes to clinical advice affecting vaccine eligibility, NSW Health's overall delivery of vaccination services was effective and efficient.

During the audit period, NSW Health implemented effective strategies to allocate vaccines and reduce wastage to optimise the number of vaccines available.

NSW Health implemented its own booking system after it identified that the Australian Government's system would not manage bookings. There were problems with NSW Health's interim vaccine booking system, and NSW Health fully resolved these issues by September 2021.

As at 19 October 2022, vaccination rates for Aboriginal peoples and culturally and linguistically diverse people remained below the 95% target.

What we recommended

By June 2023, NSW Health should conduct a comprehensive review of the COVID-19 vaccine rollout and incorporate lessons learned into pandemic response plans.

The first three cases of COVID-19 in New South Wales were diagnosed in January 2020. By 30 June 2021, 128 people were being treated in hospital and one person was in intensive care. By the end of December 2021, 187,504 total cases and 663 deaths were reported in New South Wales. As at 27 October 2022, NSW Health reported more than three million total cases and 5,430 deaths.

The COVID-19 pandemic continues to have a significant impact on the people and the health sector of New South Wales. The Australian, state, territory, and local governments have directed significant resources towards health responses and economic recovery.

On 13 November 2020, National Cabinet (comprised of the Australian, state, and territory governments) endorsed the Australian COVID-19 Vaccination Policy. Australia's vaccination program was launched on 21 February 2021 with the goal of providing safe and effective vaccines to the people who most needed them as quickly as possible, to support the physical, mental and economic wellbeing of the nation.

The Australian Government led and implemented the Australian vaccine rollout, with the support of state and territory governments. As part of the Australian Government's vaccine rollout, NSW Health launched its vaccination program on 22 February 2021, with responsibility for distributing and administering COVID-19 vaccine stock provided by the Australian Government.

The overall objective of this audit was to assess the effectiveness and efficiency of NSW Health’s contribution to the Australian COVID-19 vaccine rollout. It is important to note that in New South Wales, primary care providers (GPs and pharmacies) and aged care providers administered the majority of vaccines. Primary care providers and aged care providers are the responsibility of the Australian Government.

The audit had a particular focus on whether NSW Health:

• set clear vaccination targets underpinned and/or guided by evidence
• managed the rollout of the vaccination program effectively and efficiently
• managed demand of vaccines effectively and efficiently.

The audit examined the period 1 January 2021 to 31 December 2021 and focused on NSW Health's contribution to the Australian Government led vaccine rollout in four Local Health Districts (LHDs), in particular the administration of two doses of vaccine to people aged 16 and over. We did not audit the subsequent rollout for ages five to 15, or the booster rollout (third and fourth doses) as these activities mostly occurred outside the date of our review.

This audit also did not assess the Australian Government’s allocation of vaccine supplies to New South Wales because we do not audit the Australian Government's activities. On 17 August 2022, the Australian National Audit Office completed a performance audit which assessed the Australian Department of Health and Aged Care's effectiveness in the planning and implementation of Australia's COVID-19 vaccine rollout.

This audit is one of a series of audits that have been completed or are in progress regarding the New South Wales COVID-19 emergency response. This includes the planned performance audit ‘Coordination of the response to COVID-19 (June to November 2021)’, and financial audit assurance activities focusing on Local Health District processes and controls to manage the receipt, distribution and inventory management of vaccine stock. The Audit Office New South Wales '2022–25 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

Appendix one – Response from agency

Appendix two – Australian audits on the vaccine rollouts

Appendix three – Committee members 

Appendix four – About the audit 

Appendix five – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #369 - released 7 December 2022

What the report is about

Poor attendance at school is related to poor student outcomes, particularly once patterns of non-attendance have been established.

This report examined how the NSW Department of Education (the department) is managing student attendance in NSW government schools.

What we found

Around a third of students in Years 1–10 attended school less than 90% of the time in semester one, 2021. Missing more than 10% of school may put a student's educational outcomes at risk.

Since 2018, the department has improved the quality of student attendance data, analysis and reporting. However, there are still gaps in understanding the reasons for absence at a system level.

The department set state-wide and school-level targets to increase the proportion of students attending school at least 90% of the time. This emphasis risks diverting attention away from students with very low attendance rates.

There are gaps in central programs to support schools in lifting student attendance. Schools are taking a variety of approaches to this work.

There is a large gap in attendance between Aboriginal and non-Aboriginal students, which has increased since 2018.

What we recommended

The Department of Education should:

• set new state-wide and school level attendance targets
• evaluate its attendance support programs
• update its attendance strategies and programs
• publish the attendance level for each school in their annual reports
• improve internal analysis and reporting of attendance data
• finalise the review of the attendance policy, procedure and codes
• review programs supporting Aboriginal student attendance and address any gaps
• review the approach to enforcing compulsory school attendance.

Regular attendance at school is important for academic and other long-term outcomes. Students who do not attend regularly are less likely to complete school and more likely to experience poorer long-term health and social outcomes. A range of factors influence student attendance including student engagement and wellbeing, family and community factors and the school environment.

The NSW Department of Education's (the department's) Strategic Plan for 2018–2022 identifies improving student attendance as a priority. It has identified 95% as its expected level of attendance. It set targets to increase the proportion of students attending school at least 90% of the time, from 79.4% to 82% in primary schools and 64.5% to 70% for secondary schools.

This report focuses on attendance data for semester one of 2018, 2019 and 2021. Unless otherwise noted, attendance data refers to Years 1–10 in alignment with national reporting conventions. Changes in recording systems and definitions mean attendance data prior to 2018 is not comparable. Attendance data for semester one of 2020 and 2022 was significantly affected by COVID-related disruptions, which prevented many students across the State from attending school. Data for semester one of 2021 is considered relatively less affected by COVID-related disruptions.

The Education Act 1990 (the Act) sets out the responsibilities of students, parents and the department for ensuring students receive compulsory schooling. The department has developed policies, procedures and guidance to assist schools in managing their responsibilities to promote regular attendance. In this report, we define 'regular' attendance as at least 90% of the time. This is equivalent to missing one day of school each fortnight or four weeks of school across a school year.

The objective of this audit was to assess whether student attendance is effectively managed in NSW government schools for students from kindergarten to Year 10. In making this assessment, the audit examined whether:

• there are effective systems and policies for managing student attendance
• the department effectively supports schools to manage student attendance
• schools are effectively managing student attendance.

This chapter considers the effectiveness of systems to accurately collect, analyse and report student attendance data. It also considers the effectiveness of policies and procedures to support attendance and central oversight of attendance issues.

This chapter considers the effectiveness of the department's strategies to improve student attendance and the support it provides to schools to achieve this. It also considers the effectiveness of school-level strategies and actions for students with low attendance.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #368 - released 27 September 2022

What the report is about

The Aboriginal Land Rights Act 1983 (NSW) (the Act) provides land rights over certain Crown land for Aboriginal Land Councils in NSW.

If a claim is made over Crown land (land owned and managed by government) and meets other criteria under the Act, ownership of that land is to be transferred to the Aboriginal Land Council.

This process is intended to provide compensation for the dispossession of land from Aboriginal people in NSW. It is a different process to the recognition of native title rights under Commonwealth law.

We examined whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. The relevant agencies are:

• Department of Premier and Cabinet (DPC)
• Department of Planning and Environment (DPE)
• NSW Aboriginal Land Council (NSWALC).

We consulted with Local Aboriginal Land Councils (LALCs) and other Aboriginal community representative groups to hear about their experiences.

What we found

Neither DPC nor DPE have established the resources required for the NSW Government to deliver Aboriginal land claim processes in a coordinated way, and which transparently commits to the requirements and intent of the Act.

Delays in determining land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land. Delays also create risks due to uncertainty around the ownership, use and development of Crown land.

DPC has not established governance arrangements to ensure accountability for outcomes under the Act, and effective risk management.

DPE lacks clear performance measures for the timely and transparent delivery of its claim assessment functions. DPE also lacks a well-defined framework for prioritising assessments.

LALCs have concerns about delays, and lack of transparency in the process.

Reviews since at least 2014 have recommended actions to address numerous issues and improve outcomes, but limited progress has been made.

The database used by DPC (Office of the Registrar) for the statutory register of land claims has not been upgraded or fully validated since the 1990s.

In 2020, DPE identified the transfer of claimable Crown land to LALCs to enable economic and cultural outcomes as a strategic priority. DPE has some activities underway to do this, and to improve how it engages with Aboriginal Land Councils – but DPE still lacks a clear, resourced strategy to process over 38,000 undetermined claims within a reasonable time.

What we recommended

In summary:

• DPC should lead strategic governance to oversee a resourced, coordinated program that is accountable for delivering Aboriginal land claim processes
• DPE should implement a resourced, ten-year plan that increases the rate of claim processing, and includes an initial focus on land grants
• DPE and DPC should jointly establish operational arrangements to deliver a coordinated interagency program for land claim processes
• DPC should plan an interagency, land claim spatial information system, and the Office of the Registrar should remediate and upgrade the statutory land claims register
• DPC and NSWALC should implement an education program (for state agencies and the local government sector) about the Act and its operations
• DPE should implement a five-year workforce development strategy for its land claim assessment function
• DPE should finalise updates to its land claim assessment procedures
• DPE should enhance information sharing with Aboriginal Land Councils to inform their claim making
• NSWALC should enhance information sharing and other supports to LALCs to inform their claim making and build capacity.

The return of land under the Aboriginal Land Rights Act 1983 (NSW) (the Act) is intended to provide compensation for the dispossession of land from Aboriginal people in New South Wales. A claim on Crown land¹ made by an Aboriginal Land Council that meets criteria under the Act is to be transferred to the claimant council as freehold title. The 2021 statutory review of the Act recognises the spiritual, social, cultural and economic importance of land to Aboriginal people.

The Minister for Aboriginal Affairs administers the Act, with support from Aboriginal Affairs NSW (AANSW) in the Department of Premier and Cabinet (DPC). AANSW also leads the delivery of Opportunity, Choice, Healing, Responsibility and Empowerment (OCHRE), the NSW Government's plan for Aboriginal affairs, and assists the Minister to implement the National Agreement on Closing the Gap – which includes a target for increasing the area of land covered by Aboriginal and Torres Strait Islander people's legal rights or interests.

The Act gives responsibility for registering land claims to an independent statutory officer, the Registrar of the Aboriginal Land Rights Act (the Registrar), whose functions are supported by the Office of the Registrar (ORALRA) which is resourced by AANSW.²

The Land and Environment Court of New South Wales has stated that there is an implied obligation for land claims to be determined within a reasonable time. The Minister administering the Crown Land Management Act 2016 (NSW) is responsible for determining land claims. This function is supported by the Department of Planning and Environment (DPE),³ whose staff assess and recommend claims for determination based on the criteria under section 36(1) of the Act. There is also a mechanism under the Act for land claims to be negotiated in good faith through an Aboriginal Land Agreement.

The NSW Aboriginal Land Council (NSWALC) is a statutory corporation constituted under the Act with a mandate to provide for the development of land rights for Aboriginal people in NSW, in conjunction with the network of 120 Local Aboriginal Land Councils (LALCs). LALCs are constituted over specific areas to represent Aboriginal communities across NSW. Both NSWALC and LALCs can make land claims.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities that are required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties need to be engaged so that these processes are coordinated effectively and managed in a way that is consistent with the intent of the Act, and other legislative requirements.

The first land claim was lodged in 1983. The number of undetermined land claims has increased over time, and at 31 December 2021 DPE data shows 38,257 undetermined claims.

The issue of undetermined land claims has been publicly reported by the Audit Office since 2007. Recommendations to agencies to better facilitate processes and improve how functions are administered have been made in multiple reviews, including two Parliamentary inquiries in 2016.

The objective of this audit was to assess whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. In making this assessment, we considered whether:

• agencies (DPE, DPC (AANSW and ORALRA) and NSWALC) coordinate information and activities to effectively facilitate Aboriginal land claim processes
• agencies (DPE and DPC (ORALRA)) are effectively administering their roles in the Aboriginal land claim process.

We consulted with LALCs to hear about their experiences and priorities with respect to Aboriginal land claim processes and related outcomes. We have aimed to incorporate their insights into our understanding of their expectations of government with respect to delivering requirements, facilitating processes, and identifying opportunities for improved outcomes. 

Since 1983, 53,861 Aboriginal land claims have been lodged with the Registrar.²⁵

The Land and Environment Court of New South Wales has stated there is an implied obligation on the Crown Lands Minister to determine land claims within a reasonable time.²⁶

As at 31 December 2021, DPE has processed less than a third (31 per cent) of these land claims: 14,273 were determined by the Crown Lands Minister (that is, granted or refused, in whole or part) and 2,562 were withdrawn. This amounts to 16,835 claims processed, including the negotiated settlement of 15 claims through three Aboriginal Land Agreements. As a result, DPE reports that approximately 163,900 hectares of Crown land has been granted to Aboriginal Land Councils since 1983 up to 31 December 2021.

There are 38,257 land claims awaiting determination, which cover about 1.12 million hectares of Crown land.

The 2017 report on the statutory review of the Act noted that the land claims ‘backlog’ was one of the ‘Top 5’ priorities identified by LALCs during consultations. The importance of this issue is consistent with findings from our consultations with LALCs in 2021 (see Exhibit 7).

Delays in delivering on the statutory requirement to determine land claims, and limited use of other mechanisms to process claims in consultation or agreement with NSWALC and LALCs, undermines the beneficial and remedial intent of Aboriginal land rights under the Act. It also:

• impacts negatively on DPE’s ability to comply with the statutory requirement to determine land claims, because often the older a claim becomes the more difficult it can be to gather the evidence required to assess it
• creates uncertainty around the ownership, use and development of Crown land, which can have financial impacts on Aboriginal Land Councils, government agencies, local councils and developers.

Risks that arise in the context of undetermined claims are discussed further in section 3.3.

NSW Treasury describes public sector governance as providing strategic direction, ensuring objectives are achieved, and managing risks and the use of resources responsibly with accountability.

Consistent with the NSW Treasury’s Risk Management Toolkit (TPP-12-03b), governance arrangements for Aboriginal land claim processes should ensure their effective facilitation and administration. That is, arrangements are expected to contribute to and oversee the performance of administrative processes and service delivery towards outcomes, and ensure that legal and policy compliance obligations are met consistent with community expectations of accountability and transparency.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties (such as native title groups and those with an interest in development on Crown land) need to be engaged so that these processes are coordinated effectively with risks managed – consistent with the intent of the Act, and other legislative requirements.

Policy commitments to Aboriginal people and communities made by the NSW Government in the OCHRE Plan and Closing the Gap priority reforms establish an expectation for culturally informed governance.

The Crown Lands Minister, supported by DPE, is required to determine whether Aboriginal land claims meet the criteria to be ‘claimable Crown lands’ under section 36(1) of the Act. DPE staff within its Crown Lands division are responsible for assessing land claims and preparing recommendation briefs to the Crown Lands Minister, or their delegate, on determination outcomes. That is, on whether to grant or refuse the claim.³⁸ DPE staff also make decisions about which land claims within the large number of undetermined claims should be processed first.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Banner image used with permission.
Title: Forces of Nature
Artist: Lee Hampton – Koori Kicks Art

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #365 - released 28 April 2022.

What the report is about

The report focuses on how effectively the Department of Customer Service (DCS) and Department of Planning and Environment (DPE) led reforms addressing the unsafe use of combustible external cladding on existing residential and public buildings.

Nine local councils were included in the audit because they have responsibilities and powers needed to implement the NSW Government’s reforms.

What we found

After the June 2017 Grenfell Tower fire in London, the NSW Government committed to a ten-point action plan, which included establishing the NSW Cladding Taskforce, chaired by DCS, and with DPE as a key member. The Taskforce co-ordinates and oversees the implementation of the plan.

Depending on the original source of development approval, either individual local councils or DPE are responsible for ensuring that buildings are identified, assessed, and remediated. NSW Government-owned buildings are the responsibility of each department.

Identifying buildings potentially at risk was complex and resource intensive. However, on balance, it is likely that most affected buildings have now been identified.

By October 2021, around 40 per cent of assessed high-risk buildings that are the responsibility of local councils had either been remediated or found not to pose an unacceptable fire risk.

By February 2022, almost 50 per cent of affected NSW Government-owned buildings, and 90 per cent of buildings that are the responsibility of DPE, have either been cleared or are in the process of being remediated.

Earlier guidance on some key issues could have been provided by DCS and DPE in the two years after the Grenfell Tower fire. This may have reduced confusion and inconsistency across local councils we audited, and in some NSW Government departments. This especially relates to the application of the Fair Trading Commissioner's product use ban.

Given the inherent risks posed by combustible external cladding, buildings initially assessed as low-risk may also still warrant further action.

While most high-risk buildings have likely been identified, poor information handling makes it difficult to keep track of all buildings from identification, through to risk assessment and remediation.

What we recommended

DCS and DPE should:

1. address the confusion surrounding the application of the Commissioner for Fair Trading's product use ban for aluminium composite panels with polyethylene content greater than 30 per cent
2. develop an action plan to address buildings assessed as low-risk
3. improve information systems to track all buildings from identification through to remediation.

NSW Government's response to the risks posed by combustible external cladding

The NSW Government first became aware of the potential heightened risks posed by combustible external cladding on building exteriors after the 2014 Lacrosse Tower fire in Melbourne. However, it was the tragic loss of life from the Grenfell Tower fire in London, in June 2017, that gave added urgency to the need to address these risks.

Within six weeks of the London fire, the NSW Government committed to a ten-point plan of action for NSW to:

• identify and remediate any buildings with combustible external cladding
• ensure that regulation prevented the unsafe use of such cladding
• ensure that experts involved in providing advice and certifying fire safety measures had the necessary skills and experience.

One of the actions in the ten-point plan was the creation of the NSW Government's Fire Safety and External Wall Cladding Taskforce (the Cladding Taskforce) chaired by the Department of Customer Service (DCS) and with the Department of Planning and Environment (DPE) as a key member.

The ten-point plan also specified that NSW Government departments would be responsible, in regard to buildings they owned to '…audit their buildings and determine if they have aluminium cladding'.

Local councils play a key role in implementing the Government's reforms, given their responsibilities and powers under the Environmental Planning and Assessment Act 1979 (EPA Act) and Local Government Act 1993 (Local Government Act) to approve building works (as 'consent authorities'), as well as to ensure fire safety standards are met. DPE plays an equivalent role for a smaller number of 'State Significant Developments' for which it is the consent authority under delegation from the Minister for Planning.

Commissioner for Fair Trading's building product use ban

On 18 December 2017, the Building Products (Safety) Act 2017 (BPS Act) came into effect in NSW, introducing new laws to prevent the use of unsafe building products. Notably, the BPS Act gave the Secretary of DCS and the Commissioner for Fair Trading the power to ban unsafe uses of building products.

After an extensive consultative process, the Commissioner for Fair Trading used these powers to issue a product use ban on 15 August 2018. This banned the use of external wall cladding of aluminium composite panels with a core comprised of more than 30 per cent polyethylene by mass on new buildings, unless the proposed use was subject to independent fire propagation testing of the specific product and method of application to a building in accordance with relevant Australian Standards.

Buildings occupied before the product use ban came into force are not automatically required to have the banned product removed. Under the BPS Act, consent authorities may determine necessary actions to eliminate or minimise the risk posed by the banned material on existing buildings.

Project Remediate

Project Remediate is a three-year NSW Government program announced in November 2020. The program was designed by the NSW Government to assist building owners of multi-storey apartments (two storeys or more) with high-risk combustible cladding to remediate their building to a high standard and for a fair price.

The scheme is voluntary and includes government paying for the interest on ten-year loans, as well as incorporating assurance and project management services to provide technical and practical support to owners’ corporations and strata managing agents. Building remediations under the program are expected to commence in 2022.

About this audit

This audit assessed whether DCS and DPE effectively led reforms to manage the fire safety risk of combustible external cladding on existing residential and public buildings.

In making this assessment, we considered whether the expressed policy intent of the NSW Government's ten-point plan for fire safety reform had been achieved by asking:

• are the fire safety risks of combustible external cladding on existing buildings identified and remediated?
• is there a comprehensive building product safety scheme that prevents the dangerous use of combustible external cladding products on existing buildings?
• is fire safety certification for combustible external cladding on existing buildings carried out impartially, ethically and in the public interest by qualified experts?

Consistent with the focus of the Cladding Taskforce on multi-storey residential buildings and public buildings, the scope of our audit is limited to buildings categorised under the Building Code of Australia (BCA) as class 2, 3 and 9. These classes are defined in detail in section 1.2, but include: multi-unit residential apartments, hotels, motels, hostels, back-packers, and buildings of a public nature, including health care buildings, schools, and aged care buildings. The scope was also limited to existing buildings, which is defined as buildings occupied by 22 October 2018.

Auditees

The Department of Customer Service chairs the NSW Government's Cladding Taskforce, which is responsible for coordinating the combustible external cladding reforms. The Commissioner of Fair Trading sits within DCS and DCS regulates the industry accreditation scheme for fire safety practitioners, as well as administering the BPS Act.

The Department of Planning and Environment administers the EPA Act and the Environmental Planning and Assessment Regulation 2000 (EPA Regulation), which regulate the building development process. As well as being the delegated consent authority for State Significant Developments, DPE is also responsible for maintaining the mandatory cladding register requiring building owners of multi-storey (BCA class 2, 3 or 9) buildings to register buildings with combustible external cladding on an online portal.

Functions and responsibilities between DCS and DPE varied over time. For example, in October 2019, the DPE building policy team responsible for co-ordinating the DPE response to the combustible cladding issue was transferred to DCS, following changes to agency responsibilities resulting from machinery of government changes. DPE advised this resulted in a lessening of DPE's subsequent policy work on combustible cladding and its involvement in the Cladding Taskforce.

While the focus of the audit was on the oversight and coordination provided by DCS and DPE, nine councils were also auditees for this performance audit. Councils play an essential part as consent authorities for building development approvals in NSW, as well as having responsibilities and powers to ensure fire safety standards. To fully understand how well their activities were overseen and coordinated, a sample of councils was included as auditees.

Nine councils were selected to represent both metropolitan and regional areas, noting that there are very few in-scope buildings in rural areas. The audited councils were:

• Bayside Council
• City of Canterbury Bankstown Council
• Cumberland City Council
• Liverpool City Council
• City of Newcastle Council
• City of Parramatta Council
• City of Ryde Council
• City of Sydney Council
• Wollongong City Council.

Terminology

The two NSW Government department auditees have, over time, been subject to machinery of government changes, which have changed some of their functions and what the departments are called.

Relevant to this audit, the effect of these changes has been:

• the Department of Finance, Services, and Innovation (DFSI) became the Department of Customer Services (DCS) on 1 July 2019
• on 1 July 2019, the Department of Planning and Environment became the Department of Planning, Industry, and Environment (DPIE)
• on 21 December 2021, DPIE became the Department of Planning and Environment (DPE).

To avoid confusion, we use the titles by which these departments are known at the date of this report: the Department of Customer Service and the Department of Planning and Environment.

This chapter considers the part played by DCS and DPE as key members of the Cladding Taskforce in ensuring that buildings with combustible external cladding were effectively identified and remediated through processes implemented by:

• local councils or DPE, where those bodies were consent authorities under the EPA Act for the relevant buildings
• in the case of NSW Government buildings, the departments that owned those buildings.

This chapter considers what has been done to deliver a comprehensive building product safety scheme that prevents the dangerous use of combustible external cladding products.

This chapter considers whether reforms have ensured that only people with the necessary skills and experience are certifying buildings and signing off on fire-safety.

Inspections of existing buildings and development of any subsequent action plans to address combustible external cladding are not activities covered by accreditation or registration schemes for building certifiers

Almost all the risk assessment and remediation work done on buildings in the scope of this audit have been undertaken under fire safety orders issued by consent authorities using their powers under the EPA Act. This has been the recommended approach by DPE and DCS since at least 2016 (that is, before the Grenfell Tower fire in London).

While there have been reforms to certifier registrations scheme, these were not intended to ensure that combustible cladding-remediation on existing buildings is supported by people with the necessary skills and experience in fire safety under the fire safety order process. Instead, they are focused on offering better assurance for work done in respect to new building projects where accredited experts certify that building work is carried out in accordance with BCA under the DCS managed certifier registration schemes.

No steps have been taken to ensure the quality of the work done by experts inspecting, assessing the fire risk and developing action plans to address combustible external cladding on existing buildings, other than where consent authorities have chosen to exercise their discretion. This includes requiring fire safety experts to be appropriately qualified and requiring peer review of some cladding risk assessments and remediation plans.

Consent authorities determine whether individuals with accreditation are required for combustible cladding inspection, risk assessments and remediation on existing buildings

Whether an individual with certifier accreditation participates in a cladding inspection, risk assessment, or remediation for an existing building will be determined by what councils as consent authorities specify in their fire safety orders unless building owners opt to use such experts without being directed to do so by the consent authority.

As discussed earlier, councils acting as consent authorities vary in whether they require building owners to engage individuals with certifier accreditation. In most of the councils we audited, A1 or C10 accredited experts were either required, or recommended, to perform functions such as auditing suspected combustible cladding, or conducting fire safety risk assessments and developing plans to rectify combustible cladding.

However, these types of work are not functions covered by the accreditation or registration schemes that apply to building and development certifiers.

Certifier accreditation schemes do not cover cladding remediation work done under fire safety orders

While councils may require or recommend that independent accredited A1 or C10 certifiers be engaged by building owners for cladding risk assessment and remediation, they are not performing those functions as certifiers — they are, in effect, more akin to expert consultants. Accordingly, how they perform their functions and duties is not covered by the legislation supporting the accreditation scheme for certifiers that was operated until July 2020 by the Building Professional Board.

Instead, their use in this process is a convenient and practical way for consent authorities to ensure that building owners use appropriate experts who have the qualifications, skills and experience needed to investigate and identify combustible cladding, and then to formulate appropriate action to deal with such cladding. However, these individuals are not performing regulated or accredited work, are not subject to regulatory oversight, and are not accountable to any accreditation body for the quality of the work they perform.

While councils could (and sometimes do) choose to decline poor quality or incomplete cladding-related work prepared by A1 or C10 certifiers, the burden of resolving poor quality would fall on the building owner, who would have to seek amended or additional risk assessments or rectification plans.

In the absence of regulatory oversight, disincentives for poor quality cladding-related work, may include litigation being commenced by the property owner, harm to the expert's reputation in a small and competitive market, and the potential impact on whether the individual could retain their professional indemnity insurance at a reasonable cost (especially in an environment when many insurance providers withdrew coverage for cladding related work).

Reforms impact on regulated experts doing work on new buildings

The reforms that commenced on 1 July 2020, replaced categories of accreditation with classes of registration, and varied the classes such that:

• accredited building surveyor category A1 became registered building surveyor-unrestricted
• accredited certifier—fire safety engineer category C10 became registered certifiers-fire safety.

The legislation that introduced these reforms, the Building and Development Certifiers Act 2018, also repealed the pre-existing Building Professionals Act 2005 and abolished the Building Professionals Board. The new Act was accompanied by the Building and Development Certifiers Regulation 2020.

While the scope of this audit is limited to existing buildings, we note that there are buildings with combustible external cladding that are yet to be remediated. Just as these processes previously drew on the expertise of A1 and C10 category certifiers, it seems inevitable that the remediation of existing buildings will continue to draw on the expertise of the equivalent new classes of registered building surveyor-unrestricted and registered certifier-fire safety.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #364 - released 13 April 2022.

What the report is about

This report assessed the integrity of the assessment and approval processes for two grant programs:

• Stronger Communities Fund Round 2 (tied grants round), which was administered by the former Office of Local Government (OLG) and provided $252 million to newly amalgamated councils and other councils that had been subject to a merger proposal during 2017–18 and 2018–19.
• Regional Cultural Fund, which was administered by Create NSW (now within the Department of Premier and Cabinet) and awarded $100 million for cultural projects in regional NSW.

What we found

The assessment and approval process for Round 2 of the Stronger Communities Fund lacked integrity. The government decided to prioritise funds for councils that had worked constructively with the government through the 2016 merger process. 

However, this information was not included in the program guidelines. The program guidelines were not published and did not contain details of selection and assessment processes. Councils and projects were instead identified by the former Premier, Deputy Premier and Minister for Local Government and communicated to OLG with little or no information about the basis for the council or project selection. There was no merit assessment of identified projects. This process resulted in 96 per cent of funds allocated to coalition state seats.

The assessment process that Create NSW used for the Regional Cultural Fund was robust and produced transparent and defensible recommendations to the minister. However, the former Minister for the Arts, in consultation with the former Deputy Premier, did not follow the recommendations of the independent assessment panel in 22 per cent of cases. Reasons for these changes were not documented by Create NSW.

What we recommended

The Department of Premier and Cabinet should develop a model for grant administration that must be used for all grant programs administered in NSW that:

• is based on ethical principles such as impartiality, equity and transparency 
• ensures assessments and decisions can be made against clear eligibility criteria
• ensures accountability for decisions and actions of all those who are involved in the program 
• includes minimum mandatory administration and documentation standards
• requires any ministerial override of recommendations to be documented. 

The Department of Planning and Environment should ensure that guidelines prepared for all grant programs are published and include a governance framework that includes accountabilities and key assessment steps.

Grants are frequently used by the state government to deliver funds to councils and community organisations to provide infrastructure and services important to their local communities. Grant programs are administered by NSW Government agencies in line with priorities and objectives set by the government.

Guidance for agencies administering grant programs is available in the Good Practice Guide to Grants Administration (the 'DPC Guide') which is maintained by the Department of Premier and Cabinet (DPC). In addition to this guide, some agencies maintain their own grant program policies and guidelines. More broadly, public servants are required to comply with financial legislation and the Government Sector Employment Act 2013 which include requirements to be transparent, fiscally responsible and focus on the efficient, effective and prudent use of resources.

The objective of this performance audit is to assess the integrity of the assessment and approval processes for NSW Government grant programs.

The audit focuses on two grant programs, both administered during the 2017–18 and 2018–19 financial years. The Stronger Communities Fund (round two tied grants round) was administered by the former Office of Local Government (OLG), now referred to as the Local Government Group within the Department of Planning and Environment (DPE). The fund awarded $252 million to 24 councils that had amalgamated in 2016 or which had been the subject of a merger proposal. The Regional Cultural Fund was administered by Create NSW, now within the Department of Premier and Cabinet (DPC). The fund awarded $100 million to organisations in regional New South Wales to support the development of cultural infrastructure in regional areas.

The audit comments upon the role played by the then Premier, Deputy Premier, ministers and their staff in the audited grant programs to provide context. The Audit Office of NSW cannot compel those individuals to participate in the audit or provide documents. In all cases, reference to the Premier, Deputy Premier, ministers, MPs and their staff refers to the individuals who were in those roles at the time the grant programs were administered unless otherwise noted.

Appendix one – Response from agencies

Appendix two – List of funded projects - Stronger Communities Fund Round 2

Appendix three – List of funded projects - Regional Cultural Fund

Appendix four – About the audit

Appendix five – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #361 - released 8 February 2022.

What the report is about

The Government Advertising Act 2011 requires the Auditor General to conduct a performance audit on government advertising activities each financial year.

This audit looked at whether three campaigns run by Destination NSW (DNSW) during 2020–21 were carried out in an effective, economical and efficient manner:

• Love Sydney (comprising two sub campaigns being ‘Sydney - Love It Like You Mean It’ and ‘Get Your Sydney On’)
• Love NSW
• Road Trips. 

What we found

DNSW complied with section 6 of the Government Advertising Act 2011 (the Act), prohibiting political content.

The Act requires the head of an agency to sign a compliance certificate that certifies that the campaign complies with the Act and is an efficient and cost effective means of achieving its public purpose. 

When the Acting Chief Executive of DNSW signed DNSW’s compliance certificate, evidence to support this certification was not available.

The Act requires a peer review and cost benefit analysis for campaigns over $1.0 million. DNSW did not complete the peer review or cost-benefit analysis for the audited advertising campaigns before they had concluded. 

The Department of Customer Service (DCS), which manages the peer review process, did not escalate the issue of the outstanding peer review documentation to senior DNSW staff. 

DNSW did not set targets for all measures established for the campaigns. This limits the ability to assess their effectiveness.

The impact of the COVID-19 pandemic likely contributed to the campaigns not meeting a substantial proportion of established outcome and impact targets.

None of the audited campaigns met the minimum requirement of 7.5 per cent for the allocation of the media budget for communications with Culturally and Linguistically Diverse and Aboriginal audiences.

What we recommended

DNSW should:

• implement processes for planning and delivering advertising campaigns delivered in urgent circumstances to bring them in line with NSW Government practice
• ensure that it establishes measurements and targets for outcomes and impacts of its advertising campaigns consistent with NSW Government evaluation frameworks and guidance.

The Department of Customer Service should:

• establish a policy and procedure for ensuring that campaign documentation is completed in a timely manner in the case of urgent campaigns, including establishing expectations around timeframes for the completion of peer review
• establish a procedure for escalating issues of outstanding documentation to ensure that the peer review is completed in line with reasonable expectations and timeframes.

The Government Advertising Act 2011 (the Act) requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit assesses whether a government agency or agencies have carried out activities in relation to government advertising in an effective, economical and efficient manner and in compliance with the Act, the regulations, other laws and the Government Advertising Guidelines (the Guidelines). This audit examined three campaigns run by Destination NSW during the 2020–21 financial year:

• Love Sydney (comprising two sub-campaigns being ‘Sydney - Love It Like You Mean It’ and ‘Get Your Sydney On’), focussing on increasing visitor activity in Sydney
• Love NSW, focussing on increasing visitor activity in regional New South Wales
• Road Trips, focussing on encouraging visitor activity on iconic road trips in regional New South Wales.

Section 6 of the Act prohibits political advertising. Under this section, material that is part of a government advertising campaign must not contain the name, voice or image of a minister, member of Parliament or a candidate nominated for election to Parliament or the name, logo or any slogan of a political party. Further, a campaign must not be designed to influence (directly or indirectly) support for a political party.

The Act and associated regulations and the Guidelines also establish an accountability and compliance framework around the investment in advertising by NSW Government agencies.

The government's operating circumstances at the commencement of the 2020–21 financial year were highly challenging, with the 2019–20 bushfires being followed by the COVID-19 pandemic. This created new demands across a range of government services, and without any clear view on the severity of the pandemic and when it would end. This was the case for Destination NSW, which had to plan for its advertising activities in the context of an uncertain future for national border closures (impacting international in-bound travel) and lockdowns across Australia, including in New South Wales (impacting domestic travel). Further, the sudden nature of outbreaks and lockdowns meant that Destination NSW often was required to change the targeting of its campaigns and, in some situations, had to cease particular advertising activities until specific lockdowns had ended.

Campaign materials we reviewed did not contain political content

The audit team reviewed campaign materials developed as part of each of the paid advertising campaigns including radio transcripts, digital videos and display. See Appendix two for examples of campaign materials for this campaign.

Section 6 of the Act prohibits political advertising as part of a government advertising campaign. A government advertising campaign must not:

• be designed to influence (directly or indirectly) support for a political party
• contain the name, voice or image of a minister, a member of parliament or a candidate nominated for election to parliament
• contain the name, logo, slogan or any other reference to a political party.

The audit found no breaches of section 6 of the Act in the campaign material reviewed.

All reviewed campaigns were for purposes permitted by section 1.2 of the Guidelines

Section 4 of the Act states that government advertising campaigns are 'the dissemination to members of the public of information about a government program, policy or initiative, or about any public health or safety or other matter'. To support this, section 1.2 of the NSW Government Advertising Guidelines states that government advertising campaigns may only be used to achieve certain objectives. One of these objectives is to encourage changed behaviours or attitudes that will lead to improved public health and safety or quality of life.

The audit team considers that each of the reviewed advertising campaigns was consistent with this objective. This reflects the intent of each of the campaigns to increase economic activity driven by tourism activity in New South Wales, that contributes to improved quality of life for New South Wales residents.

The Acting Chief Executive signed Destination NSW's compliance certificate without supporting evidence

The Acting Chief Executive of Destination NSW signed a single compliance certificate for all Destination NSW campaigns for 2020–21 (including the three campaigns that are considered by this audit) on 28 February 2020. Evidence was not available at this date to support the statements included in the compliance certificate for the campaigns that were considered by this audit.

The compliance certificate is required by section 8 of the Act and states that the head of the agency confirms that a proposed government advertising campaign:

• complies with the Act, the regulations and the Guidelines, and
• contains accurate information, and
• is necessary to achieve a public purpose and is supported by analysis and research, and
• is an efficient and cost-effective means of achieving that public purpose.

At the time of signing the certificate in February 2020, Destination NSW had not conceived, designed or planned any of the campaigns that are considered by this audit, nor had it developed the relevant supporting information that would enable the agency to support these statements. As noted above, peer review had not commenced prior to this date. Further, Destination NSW had not completed a cost-benefit analysis or equivalent analysis.

Without any form of cost-benefit analysis or other evaluation for any of the campaigns prior to the date of signing of the compliance certificate, the Acting Chief Executive had no evidence that could support the certification that the campaigns were 'an efficient and effective means of achieving the public purpose'. The absence of peer review or a cost-benefit analysis also means that the Acting Chief Executive could not certify that the campaigns complied with the Act, the regulations or the Guidelines, nor that the campaign was supported by analysis and research.

Destination NSW did not complete peer reviews for the advertising campaigns before they ended, limiting assurance over campaign effectiveness, efficiency and economy

As all the campaigns subject to this audit were valued at over $250,000, each campaign was required to undergo peer review. The peer review is an independent review of the need for the proposed advertising campaign, the creative and media strategy (including objectives and target audiences) and how the agency will manage the campaign. Ordinarily, a peer review would be completed prior to a campaign commencing, however section 7(4) of the Act permits agencies to carry out a peer review after the advertising campaign commences 'if the head of the government agency concerned is satisfied that the campaign relates to an urgent public health or safety matter or is required in other urgent circumstances'.

DCS supported Destination NSW's assessment that these were urgent campaigns and that it would accept consideration of peer review components in parallel with the roll-out of the advertising campaigns, given the urgency of the need to generate economic activity, initially after the 2019–20 bushfires and then after the challenging circumstances brought on by the COVID-19 pandemic. This is in line with section 7(4) of the Act.

Destination NSW presented and obtained clearance on creative materials and media planning on a timely basis for two of the three campaigns (but not for the Road Trips campaign), which would ordinarily form part of peer review. However, for all campaigns, the peer reviews were not completed or signed off by DCS prior to the completion of advertising campaigns. In particular, Destination NSW did not submit material related to the accountability for campaign effectiveness, including the campaign objectives and measures before the end of the campaigns.

The absence of peer review of much of the material prior to completion of the campaigns reduces the ability of the agency and government to be confident that the advertising expenditure was consistent with NSW Government requirements, or represented efficient, effective and economical use of funds.

Destination NSW noted that section 7(4) of the Act allows the peer review to be completed after the commencement of a campaign in urgent circumstances but places no requirement on it to be completed before the end of the campaign. The audit has determined that for the peer review to meet its intended purpose, being to inform the design and delivery of the advertising campaign, it needs to be completed prior to the end of the campaign, even in urgent circumstances. DCS has supported this intent of the framework.

By the end of September 2021, DCS advised Destination NSW that it would not consider any further material for peer review related to the 2020–21 advertising campaigns. At this time, DCS closed the peer review for the Love NSW and Road Trips campaigns and assessed them as incomplete. DCS assessed the Love Sydney peer review as complete, despite noting that the campaign evaluation was not complete and with no details or confirmation of meeting culturally and linguistically diverse (CALD) advertising requirements, including for Aboriginal communities.

DCS did not escalate the issue of outstanding peer review materials

DCS worked at officer level to remind Destination NSW that peer review material was outstanding during the year. While this is appropriate as an initial point of escalation, at no time was the issue of non-compliance escalated to higher levels of management. DCS also never sent formal correspondence requesting the materials needed to ensure the completion of peer review.

DCS does not have a process for ensuring the timely completion of peer review in situations where urgency exemptions are used. There is an opportunity to formalise this process to ensure that there are appropriate escalation points and to ensure that compliance obligations are fulfilled in future.

Destination NSW did not meet the minimum requirement for allocation of the media budget for communications with CALD and Aboriginal audiences

The NSW Government 'CALD and Aboriginal Advertising Policy' stipulates that at least 7.5 per cent of an advertising campaign media budget is to be spent on direct communications to multicultural and Aboriginal audiences. Spend may be on media or non-media communication activities (e.g. events, participation at cultural festivals, direct mail, competitions and websites).

Destination NSW spent only 1.6 per cent of its media spend on culturally and linguistically diverse specific media placement on the 'Sydney - Love It Like You Mean It' campaign and none of its media placement for the other audited campaigns. This level of expenditure is substantially below the requirement.

Destination NSW could not demonstrate how its campaign designs or media placements effectively supported the cultural needs and issues of culturally and linguistically diverse populations. In connection with the 'Sydney - Love It Like You Mean It' campaign, it was noted that timeframes and production issues limited the ability to incorporate culturally diverse individuals in imagery.

Destination NSW advised that it believes the application of a 7.5 per cent threshold for specific audiences is not an effective way to reach these audiences. Destination NSW advised that its advertising was targeted at audiences with a propensity to travel, which did not necessarily include culturally diverse audiences, and its media channel research influenced its decision not to target specific CALD-focussed media channels.

None of the above factors negate Destination NSW's responsibility to ensure that the 'CALD and Aboriginal Advertising Policy' requirements are met.

In addition, Destination NSW also noted a number of non-media activities that supported culturally and linguistically diverse audiences, including translations on the sydney.com website, capturing of culturally and linguistically diverse audiences in production shooting and the production of a range of other collateral for culturally and linguistically diverse audiences. Despite these non-media activities, which Destination NSW did not quantify, the requirement for minimum expenditure in the reviewed campaigns for CALD audiences was not met by Destination NSW.

Destination NSW advised that it believes that the 7.5 per cent requirement does not apply to advertising outside of New South Wales, which the 'Get Your Sydney On', Love NSW and Road Trips campaigns targeted in whole or in part. The 'CALD and Aboriginal Advertising Policy' does not specifically limit its application to advertising for New South Wales residents.

Appendix one – Response to Destination NSW

Appendix two – Response from agencies

Appendix three – About the campaigns

Appendix four – About the audit

Appendix five – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #360 - released (23 December 2021).

What the report is about

The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.

The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.

Larger machinery of government changes typically occur after an election or a change of Premier.

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.

What we found

The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.

DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.

The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.

Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.

What we recommended

DPC and NSW Treasury should:

• consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
• provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
• progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.

The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.

The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.

The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.

The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.

Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.

In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.

This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:

• DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
• DPIE and DRNSW can demonstrate the costs of the machinery of government changes
• The machinery of government changes have achieved or are achieving intended outcomes and benefits.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #359 - released (17 December 2021).

What the report is about

This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.

The audit assessed the design and implementation of the program.

What we found

The program design was based on research and data showing learning loss during 2020. 

The department rapidly planned and developed the policy design and guidelines for schools. 

Governance arrangements matured during program delivery.

The department changed the models for funding schools but did not clearly explain the reasons for doing so.

Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools. 

Guidelines, resources and professional learning helped schools implement the program.

Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas. 

Online tuition and third-party provider options were developed throughout the program.

There were issues with the quality and timeliness of data used to monitor school progress. 

Evaluation arrangements were developed early in the program.

Data limitations mean the evaluation will not be able to fully assess all program objectives.

What we recommended

1. Distributing funds between schools more equitably and improving communication of the funding methods. 
2. Clearer communication about the intended targeted group of students.
3. Reviewing the time needed to administer the program.
4. Improve support for educators other than qualified teachers.
5. Offer the online tuition program to more schools.
6. Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
7. Working with universities to increase use of pre-service teachers in the program.

The report also identifies lessons learned for future programs.
 

The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:

• $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
• $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.

The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):

• effectively designed the program and supporting governance arrangements
• is effectively implementing the program.

This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.

This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.

This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #358 - released (15 December 2021).

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.