What this report is about 

This report assesses how effectively SafeWork NSW, a part of the Department of Customer Service (DCS), has performed its regulatory compliance functions for work health and safety in New South Wales. 

The report includes a case study examining SafeWork NSW's management of a project to develop a realtime monitoring device for airborne silica in workplaces. 

Findings 

There is limited transparency about SafeWork NSW's effectiveness as a regulator. The limited performance information that is available is either subsumed within DCS reporting (or other sources) and is focused on activity, not outcomes. 

As a work health and safety (WHS) regulator, SafeWork NSW lacks an effective strategic and data-driven approach to respond to emerging WHS risks. 

It was slow to respond to the risk of respirable crystalline silica in manufactured stone. 

SafeWork NSW is constrained by an information management system that is over 20 years old and has passed its effective useful life. 

While it has invested effort into ensuring consistent regulatory decisions, SafeWork NSW needs to maintain a focus on this objective, including by ensuring that there is a comprehensive approach to quality assurance. 

SafeWork NSW's engagement of a commercial partner to develop a real-time silica monitoring device did not comply with key procurement obligations. 

There was ineffective governance and process to address important concerns about the accuracy of the real-time silica monitoring device. 

As such, SafeWork NSW did not adequately manage potential WHS risks. 

Recommendations 

The report recommended that DCS should: 

• ensure there is an independent investigation into the procurement of the research partner for the real-time silica detector 
• embed a formal process to review and set its annual regulatory priorities 
• publish a consolidated performance report 
• set long-term priorities, including for workforce planning and technology uplift 
• improve its use of data, and start work to replace its existing complaints handling system 
• review its risk culture and its risk management framework 
• review the quality assurance measures that support consistent regulatory decisions

Read the PDF report.

Parliamentary reference - Report number #390 - released 27 February 2024
 

What this report is about

Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.

DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.

DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.

This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.

Audit findings

TfNSW has not effectively planned the replacement of DRIVES.

It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.

In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.

TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.

TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.

TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.

Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.

Audit recommendations

TfNSW should:

• implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
• ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
• ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
• ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
• develop a clear statement of the future role in whole of government service delivery for the system
• resolve key issues currently faced by the DRIVES replacement program including by:
  • clearly setting out a strategy and design for the replacement
  • preparing a specific business case for replacement.

Read the PDF report

Parliamentary reference - Report number #388 - released 20 February 2024

What this report is about

The report assesses whether the Department of Customer Service (the department) complied with legislation and NSW government policy when it directly negotiated with Duncan Solutions to procure backend services relating to the Park'nPay app.

The Park'nPay app, developed by the department, enables users to locate and pay for parking remotely using their smart mobile device.

The audit found

The department failed to establish the grounds for entering a direct negotiation procurement strategy, without any competitive tendering, for services for the Park'nPay app. It rushed a decision to trial the app in The Rocks, without considering how this might affect its procurement obligations.

There is no evidence that the procurement achieved value for money. Despite being required by legislation, as well as mandatory NSW government policy, the department did not consider how it would ensure value for money, nor did it demonstrate an adequate understanding of what is meant by value for money on this occasion.

The department failed to implement key probity requirements. There was no effective management of conflicts of interest. Key decisions were not documented. There was a lack of clarity, transparency, and oversight of the relationship between the Minister's office and staff in the department.

The audit made recommendations about

1. making and retaining complete and accurate records, particularly on decisions to commit or expend public money
2. ensuring department staff understand how to exercise their financial delegations and procurement processes
3. ensuring that only staff with appropriate delegations are committing or approving the spending of public money
4. consistency with the contract extension provisions of the NSW Government Procurement Policy Framework, particularly regarding ensuring value for money
5. protocols to guide the interactions between department staff and Minister and Minister's staff
6. the need for proper management and oversight of contingent workers, such as contractors.

On 27 February 2019 the then Minister for Finance, Services and Property announced the commencement of a Park’nPay app trial in The Rocks precinct of Sydney.

The app was intended to enable users to locate and pay for parking remotely, using their smart mobile device such as a phone or tablet, rather than needing to physically be at a parking meter.

In July 2019, following a direct negotiation procurement conducted by the then Department of Finance, Services and Innovation, a contract was executed with Duncan Solutions for an estimated value of $1,260,600 over three-years, with three single-year options to extend. The contract required Duncan Solutions to provide development services to link the Park'nPay app to its Parking Enterprise Management System platform and to provide ongoing software support services.

This audit assessed whether the department complied with the procurement obligations that applied at the time it procured these services from Duncan Solutions.

This audit focussed on the department's processes and decision-making relating to:

• the direct negotiation with Duncan Solutions at the exclusion of any other potential supplier
• the negotiation, execution and management of the contract with Duncan Solutions.

As this audit focusses on the department's procurement and contract management processes, it does not comment on the activities of Duncan Solutions. The detailed audit objective, criteria and audit approach are in Appendix three.

The auditee is the Department of Customer Service. As a result of machinery of government changes, the Department of Finance, Services, and Innovation became the Department of Customer Service from 1 July 2019. To avoid confusion, this report simply uses ‘the department’ to refer to either. Where the report refers to the Minister, it relates to the former Minister in office at the time.

Appendix one – Response from auditee

Appendix two – Key requirements of the department's procurement manual 

Appendix three – About the audit 

Appendix four– Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #387 - released 14 December 2023

What this report is about

Around one-third of the state’s population lives in regional NSW, but deaths on regional roads make up around two-thirds of the state’s road toll.

Transport for NSW (TfNSW) is responsible for managing road safety outcomes across the NSW road network. This audit assessed the effectiveness of TfNSW’s delivery of road safety strategies, plans and policies in regional areas.

The NSW Road Safety Action Plan 2022–2026 has the stated goal of ‘no death or serious injury occurring on the road transport network’ by 2050.

What we found

There is a disproportionate amount of trauma on regional roads, but there are no specific road safety plans or trauma reduction targets for regional NSW.

TfNSW advises that the setting of state-wide road safety targets is consistent with other jurisdictions and international best practice. However, the proportion of road fatalities and serious injuries in regional NSW is almost the same as ten years ago.

There is no regional implementation plan to assist TfNSW to target the Road Safety Action Plan 2026 to regional areas.

TfNSW considers that local road safety outcomes should be managed by councils, but only 52% of regional councils participated in its Local Government Road Safety Program (LGRSP) in 2022–23. This program has not been updated since 2014, despite commitments to do so in 2021 and 2022.

TfNSW has not undertaken a systematic and integrated analysis of the combined impact of its road safety strategies and plans in regional NSW since 2012.

TfNSW reports against the Community Road Safety Fund (CRSF) annually but there is no consolidated, public reporting on total road safety funding allocated to regional NSW. The Fund underspend increased from 12% in 2019–20 to 20% in 2022–23.

What we recommended

We recommended TfNSW:

• develop a regional implementation plan to support the NSW Road Safety Action Plan, including a framework to annually measure, analyse and publicly report on progress
• develop a plan to measure and mitigate risks causing underspend in the CRSF
• expedite the review of the LGRSP including recommendations to increase involvement of regional councils.

Disclosure of confidential information

Under the Government Sector Audit Act 1983 (the Act), the Auditor-General may disclose confidential information if, in the Auditor-General’s opinion, the disclosure is in the public interest, and that disclosure is necessary for the exercise of the Auditor-General’s functions.

Confidential information in the Act means Cabinet information or information subject to legal privilege. This performance audit report contained confidential information.

The NSW Premier has certified that in his opinion the disclosure of the confidential information was not in the public interest.

The confidential information has been redacted from this report.

Under section 36A(2) of the Government Sector Audit Act 1983, the Auditor-General may authorise the disclosure of confidential information if, in the Auditor-General’s opinion, the disclosure is in the public interest and necessary for the exercise of the Auditor-General’s functions. Confidential information under the Government Sector Audit Act 1983 means Cabinet information, or information that could be subject to a claim of privilege by the State or a public official in a court of law. This performance audit report contained confidential information which, in the opinion of the Auditor-General, is in the public interest to disclose and that disclosure is necessary for the exercise of the Auditor-General’s functions.

On 26 October 2023, pursuant to section 36A(2)(b) of the Government Sector Audit Act 1983, the Auditor-General notified the NSW Premier of the intention to include this information in the published report, having formed the opinion that its disclosure is in the public interest and is necessary for the exercise of the Auditor-General’s functions.

On 23 November 2023, pursuant to section 36A(2)(c) of the Government Sector Audit Act 1983, the NSW Premier certified that, in his opinion, the proposed disclosure of the confidential information contained in this report was not in the public interest. The Premier’s certificate follows. Section 36A(4) states that a certificate of the Premier that it is not in the public interest to disclose confidential information is conclusive evidence of that fact.

The issuance of the certificate by the NSW Premier prevents the publication of this information. The relevant sections of the report containing confidential information have been redacted.

One-third of the New South Wales population resides in regional areas, but two-thirds of the state’s road crash fatalities take place on regional roads.

Between 2017 and 2021, the average number of fatalities for every 100,000 of the population living in regional New South Wales was 8.33 — approximately four times higher than the equivalent measure for Greater Sydney. Similarly, the average number of serious injuries in regional New South Wales over the same period was 75.24 per 100,000 of the population, compared with 50.53 in Greater Sydney. Further, more than 70% of people who lose their lives in accidents on regional roads are residents of regional areas.

Residents of regional areas face particular transport challenges. They often need to travel longer distances for work, health care, or recreation purposes, yet their public transport options are more limited than metropolitan residents. Vehicle safety is also an issue. According to the NSW Road Safety Progress Report 2021, of the light vehicles registered in New South Wales that were manufactured in or after 2000, 48.4% of light vehicles in regional areas had a five-star Australasian New Car Assessment Program (ANCAP) rating, compared to 54.8% in metropolitan areas. Road conditions in regional areas can also be more challenging for drivers.

Regional New South Wales covers 98.5% of the total area of the state. The road network in New South Wales is vast — spanning approximately 200,000 kilometres.

The road network includes major highways, state roads and local roads. Speed limits range from 10 km/hr in high pedestrian shared zones, up to 110 km/hr on high volume and critical road corridors. Eighty per cent of the network has a 100 km/h speed limit, which is mostly applied as a default speed limit, regardless of the presence of safety features and treatments.

Speed is the primary causal factor in more crashes in New South Wales than any other factor, and car crashes in regional areas are more likely to be fatal because of the higher average speeds involved.

The responsibility for managing road safety outcomes across the entire New South Wales road network lies with Transport for NSW (TfNSW), pursuant to Schedule 1 of the Transport Administration Act 1988.

While its safety responsibilities are state-wide, TfNSW does not own or directly manage all of the road network in regional New South Wales, which spans approximately 200,000 kilometres. Approximately 80% of the roads are classified as Local Roads and are administered and managed by local councils. Local councils also maintain Regional Roads that run through their local government areas. TfNSW is responsible for managing State Roads (approximately 20% of roads), which are major arterial roads. It also provides funding for councils to manage over 18,000 km (approximately 10%) of state-significant Regional Roads.

According to TfNSW, between 2016 and 2020, there were 9,776 people killed or seriously injured on roads in regional New South Wales. Adding to the tragic loss of life, according to TfNSW, the estimated cost to the community between 2016 and 2020 resulting from regional road trauma and fatalities was around $13.7 billion.

TfNSW also noted that the ‘risk of road trauma is pervasive, and a combination of effective road safety measures is required to systematically reduce this risk’.

TfNSW released its first long-term road-safety strategy in December 2012, which introduced the goal of ‘Vision Zero’ — a long-term goal of zero deaths or serious injuries on NSW roads. The terminology was changed to ‘Towards Zero’ in the 2021 Road Safety Plan and has been retained in the NSW Road Safety Action Plan 2022–2026. Towards Zero has the stated goal of ‘no death or serious injury occurring on the road transport network’ by 2050.

The objective of this audit is to assess the effectiveness of TfNSW’s delivery of ‘Towards Zero’ in regional areas.

In making this assessment, the audit examined whether TfNSW:

• is effectively reducing the number of fatalities and serious injuries on regional roads
• has an effective framework, including governance arrangements, for designing and refreshing the NSW Road Safety Strategy 2012–2021 and the NSW Road Safety Action Plan 2022–2026
• effectively makes use of whole-of-government and other relevant sources of data to support decision-making, and to evaluate progress and outcomes
• effectively manages accountabilities, including roles and responsibilities, with respect to road safety outcomes and the use of data.

This audit focused on the policies and strategies used by TfNSW for managing road safety outcomes in regional areas. We did not evaluate individual road safety projects, programs and initiatives as part of this audit.

Whilst Regional Roads and Local Roads (as defined by the Road Network Classifications) are owned and maintained by local councils, we included these roads in this audit as TfNSW may advise and assist councils to promote and improve road safety, as well as manage grant programs that focus on improving road safety outcomes on these roads. Hereafter, unless otherwise stated, references to ‘regional roads’ refer to all classifications of roads in the state which are in regional New South Wales, irrespective of their ownership.

Local councils in regional areas are key stakeholders for the purposes of this audit, and we interviewed eight as part of the audit process (noting that this was not intended to be a representative sample). Road asset management by local councils is also out of scope for this audit as it is the focus of a subsequent performance audit by the Audit Office of New South Wales.b

The Audit Office of New South Wales has undertaken several performance audits relating to road safety since 2009 and these have been referenced while undertaking this audit. They include:

• Condition of State Roads (August 2006)
• Improving Road Safety: Heavy Vehicles (May 2009)
• Improving Road Safety: School Zones (March 2010)
• Improving Road Safety: Speed Cameras (July 2011)
• Regional Assistance Programs (May 2018)
• Mobile speed cameras (October 2018)
• Rail freight and Greater Sydney (October 2021).

Appendix one – Response from Transport for NSW

Appendix two – The Safe Systems framework and NSW road safety strategies and plans

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #386 - released 30 November 2023

What this report is about

Students in rural and remote areas of NSW face greater challenges compared to their metropolitan peers.

This report examined how the NSW Department of Education (the department) is ensuring that rural and remote students have access to the same quality of early childhood, school education, and skills pathways as metropolitan students.

What we found

A decade since the previous (2013) strategy to address educational disadvantage, there remain considerable gaps in access and outcomes between rural and remote students and metropolitan students.

The Rural and Remote Education Strategy (2021–24) is unlikely to address these longstanding and known issues of educational disadvantage in rural and remote areas.

Key enabling factors such as resourcing a dedicated team, setting performance measures, and establishing suitable governance arrangements were not put in place to support effective implementation of the 2021 strategy.

The department has programs aimed at addressing remoteness challenges, but does not know if these initiatives improve access or outcomes.

The department does not monitor or report on student access or outcomes according to geographic location.

What we recommended

The Department of Education should:

• develop a new strategy that addresses disadvantage in regional, rural and remote education
• establish and report publicly on regional, rural and remote key performance indicators
• improve data collection by using a standard remoteness classification
• improve governance arrangements for regional, rural and remote education
• review the resources provided for regional, rural and remote areas that recognises the additional costs
• develop an approach that ensures all students can access best practice modes of delivery.

In February 2021, the department of Education (the department) released the ‘Rural and Remote Education Strategy (2021–2024)’. The strategy sets a vision that ‘every child in regional New South Wales has access to the same quality of education as their metropolitan peers’. It recognises that students in rural and remote areas of New South Wales face greater challenges compared to students in metropolitan locations. These challenges contribute to regional, rural and remote students underperforming on major educational indicators compared to their metropolitan peers.

In recent years, regional, rural and remote communities experienced a series of natural disasters as well as the COVID-19 pandemic. In response to the pandemic and subsequent school closures, the department introduced new initiatives aimed at minimising the disruption to children including online learning and small group tuition.

The department established a regional, rural and remote education policy unit in 2021 to support delivery of the strategy and its vision.

The objective of this audit was to assess the effectiveness of the department’s activities to ensure that regional, rural and remote students have access to the same quality of early childhood, school education, and skills pathways as their metropolitan peers.

In making this assessment, the audit examined whether:

• The department developed and implemented a strategy that enables regional, rural and remote students to access the same quality of early childhood education, school education, and skills pathways as students in metropolitan New South Wales.
• The department has been addressing the complexities and needs of regional, rural and remote early childhood education, school education, and skills pathways.

This chapter examines the process to develop the Rural and Remote Education Strategy (2021–2024). It considers whether there was a comprehensive program of stakeholder consultation, whether relevant research and evidence was incorporated and whether an effective performance monitoring system was established.

The department made genuine efforts to consult with stakeholders on the new strategy

The department had a clear process to engage and obtain feedback from key stakeholders during the development of the new strategy. It developed a range of documents to support the consultation process including a stakeholder engagement plan, communications plan, and presentation. The department used the International Association for Public Participation (IAP2) Spectrum of Public Participation principles to help ensure that relevant stakeholders were included in the planning and decision-making process.

In late 2019, the department began its first phase of consultations with internal and external stakeholders to get their views on rural and remote education. It consulted internally with department directors, advisory groups, and learning communities, and externally with government agencies, service providers, non-government schools, and universities.

In March 2020, the department developed a stakeholder engagement paper to test the key issues from stakeholder consultations. Four focus areas were identified and included in a consultation paper that went out to key stakeholders for the second round of consultations in May 2020.

In the third consultation phase, the department conducted a workshop with stakeholders to review the earlier feedback, prioritise issues, identify gaps, and provide further input.

This consultation process enabled the department to identify issues and challenges to inform the new strategy. However, it was already aware that the blueprint was having limited success, and had already identified potential focus areas, following the evaluation of the blueprint in 2019.

The department did not consider recent research when developing the new strategy

The department's guidance materials promote the importance of considering research during policymaking. The guidelines describe the need to understand a topic, consult with stakeholders, identify gaps in existing knowledge, and ensure future work is informed by current literature.

In 2013, the department published a literature review on rural and remote education to inform the blueprint. The literature review found that students in rural and remote schools were not performing as well as their metropolitan peers, and that this performance gap was widening. The review attributed this to the higher number of children from low socio-economic backgrounds attending rural and remote schools. The review also identified several other factors that could negatively impact performance outcomes for rural and remote students. The department used the findings of the literature review to develop the key focus areas in the 2013 blueprint.

When the department began developing the new rural and remote education strategy in 2019, it recognised the need to review the literature on recent international initiatives. However, it has not yet released this review. This means that the department could have missed important new developments since it last examined the literature in 2013. Incorporating up-to-date research is important where past strategies have not met all their intended outcomes.

A national review into rural and remote education in 2018 examined Australian and international literature to inform its findings. The review made 11 recommendations to the Australian and state governments. While the NSW Government was not required to formally respond to the review, it could have considered the work done by that review when developing the new strategy. Several review recommendations are addressed in the strategy, while several others are only partly addressed. Gaps between review recommendations and specific strategy actions include improving the availability of quality accommodation, substantially reducing the waiting times for specialist assessments of students with learning difficulties and disabilities and increasing access to high quality distance education.

In 2019, the department commissioned a rural and remote project to contribute a research and evidence base to the new strategy. The main aim of the project was to help the department understand how it could better support rural and remote schools to increase educational outcomes. There was not enough time for this review to be completed prior to the release of the strategy. As of June 2023, the research project had not yet been released.

The strategy did not address all findings and recommendations from a recent evaluation

In 2020, the department's Centre for Education Statistics and Evaluation (CESE) published an evaluation of the blueprint. The evaluation examined how the actions in the blueprint were implemented. It recommended that a new strategy be developed, and made recommendations for things that should be incorporated into the strategy.

The blueprint aimed to ensure students in rural and remote areas could access the same quality of education as their metropolitan peers. The blueprint identified four focus areas to meet that aim:

• quality early childhood education
• great teachers and school leaders
• curriculum access for all
• effective partnerships and connections.

The department developed several initiatives to help meet the objectives of each of the four focus areas. These initiatives are described in Exhibit 5 below.

The evaluation found that initiatives in two of the four focus areas – Quality early childhood education and Curriculum access for all – had performed well. However, the evaluation found that initiatives in the other two focus areas – Great teachers and school leaders and Effective partnerships and connections – did not achieve intended outcomes.

On the whole, the evaluation found that the 'remoteness gap' between rural and remote students and metropolitan students had not reduced since the blueprint was introduced. It recommended that the department continue its focus on rural and remote education by developing a new evidence-based strategy that focused on student outcomes and clear measures of success.

Objectives and actions in the new strategy were similar to those in the blueprint

The 2021 strategy sets an overall vision that 'every child in regional New South Wales has access to the same quality of education as their metropolitan peers'. It also states that the department 'is committed to ensuring all rural and remote students have equitable access to educational opportunities'.

Four areas in the blueprint remained a focus in the new strategy – early childhood education, teacher recruitment and retention, curriculum, and student wellbeing support services. Each focus area identifies a goal, as well as the aims and actions that contribute to those goals.

While this shows the department identified that these areas required continued attention, most actions were to 'increase', 'expand' or 'improve' existing programs and resources. The new strategy did not propose any new ideas or solutions, despite the blueprint achieving limited success in improving outcomes for rural and remote students.

There were no baseline or target measures set to monitor progress of the new strategy

The blueprint evaluation recommended that the department develop a new evidence-based strategy which focused on improving student outcomes. It also recommended the department use a program logic methodology to ensure there was a clear definition of success, adequate measures of success, and continual monitoring to ensure success.

Program logic models are a visual representation of the various components of a program. They can be used to illustrate program priorities, inputs, activities, outputs, outcomes, and assumptions. Logic models are used to explain how a proposed solution will address a specific problem. They are important because they can help test assumptions, build business cases, and identify potential enablers or barriers that could impact the project.

The department did not complete a program logic model during development of the new strategy, nor did it define measures to monitor whether the strategy's overall vision for quality education or the commitment to equitable access was on track to be achieved.

The department has not comprehensively monitored changes in educational outcomes in regional, rural and remote areas since the evaluation of the blueprint in 2020. This evaluation had seven indicators of educational outcomes by remoteness. The measures used in the evaluation could have provided a starting point given the similarity in focus areas between the blueprint and the new strategy. Not addressing past review recommendations increases risks that issues will be repeated.

The policy unit advised it has plans to set up a dashboard to monitor performance across the department's business plan measures by remoteness. This is intended to identify areas where system-wide improvements are required. This is not a comprehensive account of the strategy outcomes because the business plan measures don't capture all the goals of the strategy.

There were no timeframes or resources identified for implementing new strategy actions

The strategy has an overall timeframe of 2021–2024 but does not clarify when it expects the vision, goals, or aims to be achieved, or actions to be implemented.

The department's guidance on policymaking sets out how projects should be transitioned between the policy and implementation teams. This guidance is intended to help ensure the policy intent and scope of the project are not lost during the delivery of the project. The guidance highlights that the policy team should establish clear project implementation timeframes. It is important to have clear timeframes because it enables teams to measure progress, manage resources, and prioritise actions to ensure project outcomes are achieved.

The strategy states that there is a further $1 billion of investment planned over the next three years for rural and remote education but does not identify how this is allocated across its focus areas. It is important to identify the resources required to support the implementation of a program so that program objectives are met in a timely and cost-effective manner. The previous blueprint identified much lower funding of $80 million but more clearly showed how it would be allocated for identified actions across the four focus areas.

In response to our requests, the department separately identified $1.286 billion in expenditure for regional, rural and remote schools referenced in the strategy. Most of this expenditure related to existing department programs and activities rather than new initiatives. The total amount included:

• $576.9 million for new and upgraded schools
• $365.8 million for upgraded information technology equipment and resources
• $120 million for school facility upgrades to be co-funded by schools
• $60 million to replace school roofs
• $60 million for the COVID Intensive Learning Support Program
• $32 million for the Early Action for Success program
• $29.7 million for staffing incentives
• $21.7 million for literacy and numeracy interventions
• $18.8 million in school location allowances
• $1.45 million for the Rural Learning Exchange Pilot
• $0.4 million for Rural and Remote Network initiatives.

This chapter examines the arrangements in place to implement the strategy. It considers whether effective governance arrangements are in place and how progress is monitored and reported.

This chapter considers the effectiveness of arrangements to ensure regional, rural and remote students have access to quality early childhood education, school education, and post‑school transitions.

This chapter considers the department's arrangements to monitor educational and wellbeing outcomes of students by remoteness. It reports on differences in outcomes between students in metropolitan areas and those in regional, rural and remote areas.

Those living in regional, rural and remote areas can have greater difficulty in accessing government services, often needing to travel long distances, or facing lower service levels than provided in major cities. This context is important when considering educational and wellbeing outcomes, given the disruptive effects of waiting or missing out on important services.

The rest of this chapter details key measures in the department's outcome and business plan.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #385 - released 10 August 2023

What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

• The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
• The need to finalise a Traffic Mitigation Plan for when the network is congested.
• The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
• The need to clarify how encryption and interoperability will work on the enhanced network.
• The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
• Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

• NSW Ambulance
• Fire and Rescue NSW
• NSW Police Force
• NSW Rural Fire Service
• NSW State Emergency Service.¹

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.²

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

• to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
• to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

• it was expressly included in the original approved March 2016 business case
• the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

• funding would be coordinated by the NSW Telco Authority
• scheduling and reporting through an inter-agency working group and
• where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

• decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
• effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
• costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

• $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
• $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

• budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
• the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
• the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #383 - released 23 June 2023

What the report is about

Sydney Metro is Australia’s largest public transport project. It requires the acquisition of many private properties, including residential and business properties.

This audit assessed the effectiveness of the acquisition of private properties for the Sydney Metro project. The audited agencies were Sydney Metro, the Department of Planning and Environment (Valuer General NSW) and Transport for NSW (the Centre for Property Acquisition).

The audit assessed agencies against the framework for property acquisitions in New South Wales. It did not re-perform the valuations done for individual properties that were acquired by Sydney Metro.

What we found

Acquisitions of private property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. We found Sydney Metro:

• complied with legislative and policy requirements for compensation and communication with people subject to property acquisitions
• kept accurate records of its acquisitions and applied probity controls consistently
• did not complete detailed plans or negotiation strategies for the high-risk and high-value acquisitions we reviewed
• did not comply with legislative timelines for most compulsory acquisitions because of delays in receiving the required information from the Valuer General in these cases.

The Centre for Property Acquisition has overseen the implementation of reforms to residential acquisition processes, but its assessment of the effectiveness of these reforms has not been comprehensive.

What we recommended

The audit made four recommendations to the audited agencies to improve:

• plans and strategies for the acquisition of high-risk and high-value properties
• timeliness of issuing compensation determinations for compulsory acquisitions
• data quality on the experience of people subject to property acquisitions.

The NSW Government has the power to acquire land that is owned or leased by individuals or businesses, if it is needed for a public purpose. The power arises from the Land Acquisition (Just Terms Compensation) Act 1991 (the Just Terms Act). Government agencies that have the power to compulsorily acquire private property are referred to as ‘acquiring authorities’. People who are subject to acquisitions are referred to as ‘affected parties’ and include property owners (business or residential), businesses with a commercial lease on a property, or individuals with residential tenancy leases. In recent years, the vast majority of acquisitions by the NSW Government have been for public transport or road projects.

Sydney Metro is a NSW Government agency with responsibility for building the Sydney Metro railway project. Sydney Metro is Australia’s largest public transport project. The project requires the acquisition of a large number of private properties. Sydney Metro has been one of the largest acquirers of private property in recent years, completing over 500 acquisitions between 2020 and mid-2022, with a total acquisition value of over $2 billion. Other agencies and statutory officers involved in the acquisition of property for the Sydney Metro project include:

• the Department of Planning and Environment (DPE), which supports the minister responsible for the Just Terms Act. DPE also provides staff to the Valuer General of NSW
• the Valuer General of NSW, an independent statutory officer that determines compensation in cases where the acquiring authority and the affected party cannot agree on compensation for property that has been acquired
• Transport for NSW, which includes the Centre for Property Acquisition (CPA). The CPA does not have a direct role in acquiring properties, but its responsibilities include developing guidance for acquiring agencies and monitoring and reporting on their activities.

About this audit

The objective of this audit was to assess the effectiveness of acquisitions of private properties for Sydney Metro projects. The audit assessed agencies against the legislative and policy requirements in place for government acquisitions of private property in New South Wales. In line with the Audit Office's legislative mandate, the audit does not comment on the merits of the policy objectives reflected in the Just Terms Act.

The audit examined a sample of 20 property acquisitions. This was not a statistically representative sample. While our report provides comments on Sydney Metro’s overall acquisition processes, it does not provide assurance regarding the acquisitions that were not examined for this audit.

The audit did not re-perform the valuations done for individual properties that were acquired by Sydney Metro. Affected parties who disagree with the valuation of their property have the right to seek independent assessment of this via the Valuer General and the Land and Environment Court.

This chapter presents our findings on Sydney Metro's acquisition of industrial and commercial properties. Industrial properties include construction businesses and manufacturing facilities. Commercial properties were mostly properties such as shopping centres and office towers. Many of these acquisitions involve businesses and properties that are relatively complex and have high values. This means the valuation process can require multiple experts and can be lengthy and contested. Adherence to governance and probity requirements is important for these acquisitions in order to demonstrate that the acquiring authority has achieved value for money.

This chapter presents our findings on Sydney Metro's acquisition of residential properties, which include apartments and houses, and small business leases, which mostly affected businesses in small shopping centres or arcades. Most of these acquisitions were lower value compared to industrial and commercial property acquisitions and did not require as much expert advice on complex technical issues. However, residential property acquisitions can be personally distressing for the affected parties and require staff from the acquiring authority to provide support and show empathy while ensuring legislative compliance and value for money.

Appendix one – Responses from agencies

Appendix two – About the audit 

Appendix three – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #375 - released 9 February 2023

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

• Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
• Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

• lead
• prepare
• prevent
• detect 
• respond 
• recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

• increase NSW Government cyber resiliency
• help NSW cyber security businesses grow
• enhance cyber security skills and workforce 
• support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

• annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
• that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

• may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
• will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

• there was a sound, evidence-based rationale for why Cyber Security NSW was established
• the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
•  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #374 - released 8 February 2023

What the report is about

The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.

Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.

What we found

The design and implementation of TAHE, which spanned seven years, was not effective.

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

What we recommended

We recommended that the audited agencies should:

• improve accountability and transparency for major new fiscal transformation initiatives
• ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
• review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
• review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.

The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.

TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.

Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).

TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.

TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.

TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.

About this audit

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether: 

• the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
• agencies' roles and responsibilities were clear in the planning of TAHE
• agencies effectively identified and managed certain risks.

Appendix one – Responses from audited agencies, and Audit Office clarification of matters raised in the TAHE formal response 

Appendix two – Classification of government entities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #372 - released 24 January 2023

What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

• coordination at state, regional and local levels through emergency management committees
• emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
• operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

• The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
• NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
• Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
• The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
• The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

• government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
• agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

• up to ten fully vaccinated visitors to a home (increased from five)
• up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
• weddings and funerals limits increased to 100 people (from 50)
• the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

• South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
• Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
• Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
• a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

• the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
• issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
• the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
• issues arising from impediments to information sharing between agencies and jurisdictions, such as:
  • timeliness and accuracy of data used to direct compliance activities
  • the impact of insufficient advance notice on changes to Public Health Orders
  • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
  • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
• the lack of Aboriginal community representation on many LEMCs
• compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
• improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
• deficiencies in succession planning and fatigue management practices
• the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

• governance
• engagement 
• innovation and technology 
• community impact 
• workforce impact
• system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #371 - released 20 December 2022