What the report is about

The movement of freight contributes $66 billion annually to the NSW economy. Two thirds of all freight in NSW moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036.

This audit assessed the effectiveness of transport agencies in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

What we found

Transport agencies do not have strategies or targets in place to improve the efficiency or capacity of the metropolitan shared rail network for freight.

The transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes and they do not know how to use the shared rail network to maximise freight capacity without compromising passenger rail services.

The Freight and Ports Plan 2018-2023 contains one target for rail freight - to increase the use of rail at Port Botany to 28 per cent by 2021. However, Transport for NSW (TfNSW)'s data indicates this target will not be met.

Sydney Trains records data on train movements and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable and third-party contracts.

However, a lack of clarity around what data is gathered and who has ownership of the data makes data sharing difficult and limits its analysis and reporting.

The Freight and Ports Plan 2018-2023 includes the goal of 'Reducing avoidable rail freight delays', but the transport agencies do not have any definition for an avoidable delay and, as a result, do not measure or report them.

TfNSW and Sydney Trains are appointed to manage and deliver the Transport Asset Holding Entity of New South Wales (TAHE)'s obligations to allow rail freight operators to use the shared rail network. There are no performance measures in rail freight operator contracts or inter-agency agreements. This limits transport agencies' ability to improve performance.

TfNSW’s Freight Branch is working on four freight-specific strategies; a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy.

TfNSW has not yet determined the timeframes or intended outcomes of these strategies.

What we recommended

Transport agencies should:

• commit, as part of the review of Future Transport 2056, to delivering the freight-specific strategies currently in development and develop whole-of-cluster accountability for this work including timeframes, specific targets and clear roles and responsibilities 
• improve the collection and sharing of freight data
• develop a plan to reduce avoidable freight delays
• systematically collect data on the management of all delays involving and/or impacting rail-freight
• develop and implement key performance indicators for the agreements between the transport agencies.

The movement of freight contributes $66.0 billion annually to the New South Wales economy — or 13 per cent of the Gross State Product. Two thirds of all freight in New South Wales moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036. This increasing demand is driven by increasing population and economic growth.

The sequence of activities required to move goods from their point of origin to the eventual consumer (the supply chain) is what matters most to shippers and consumers. Road can provide a single-mode door-to-door service, whereas conveying goods by rail typically involves moving freight onto road at some point. In Greater Sydney, 80 per cent of all freight is moved on road. Freight often passes through intermodal terminals (IMTs) as it transitions from one mode of transport to the next.

In 2016, Transport for NSW (TfNSW) released Future Transport 2056 - the NSW Government's 40-year vision for transport in New South Wales, which is intended to guide investment over the longer term. In Future Transport 2056, TfNSW noted that New South Wales will struggle to meet increasing demand for freight movements unless rail plays a larger role in the movement of freight.

Sydney Trains manages the metropolitan shared rail network, which is made up of rail lines that are used by both passenger and freight trains. The Transport Administration Act 1988 requires that, for the purposes of network control and timetabling, NSW Government transport agencies give ‘reasonable priority’ to passenger trains on shared lines. As the Greater Sydney population and rail patronage continue to grow, so too will competition for access to the shared rail network. See Appendix two for details of the area encompassed by Greater Sydney.

Freight operators can also use dedicated rail freight lines operated by the Australian Rail Track Corporation (ARTC - an Australian Government statutory-owned corporation). As the metropolitan shared rail network connects with dedicated freight lines, freight operators often use both to complete a journey.

TfNSW, Sydney Trains and the Transport Asset Holding Entity (TAHE) work in conjunction with other rail infrastructure owners and private sector entities, including port operators, privately operated IMTs and freight-shipping companies. TfNSW and Sydney Trains are responsible for managing the movement of freight across the metropolitan shared rail network. TAHE is the owner of the rail infrastructure that makes up the metropolitan shared rail network. The NSW Government established TAHE, a NSW Government state-owned corporation, on 1 July 2020 to replace the former rail infrastructure owner - RailCorp. The Auditor-General for New South Wales has commenced a performance audit on TAHE which is expected to table in 2022.

On 1 July 2021, TAHE entered into new agreements with TfNSW and Sydney Trains to operate, manage and maintain the metropolitan shared rail network. Until 30 June 2021, and in accordance with TAHE's Implementation Deed, TAHE operated under the terms of RailCorp's existing arrangements and agreements.

This audit assessed the effectiveness of TfNSW, Sydney Trains and TAHE in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

The audit focused on:

• the monitoring of access to shared rail lines
• the management of avoidable delays of rail freight movements
• steps to increase the use of rail freight capacity in Greater Sydney.

Appendix one - Response from agencies

Appendix two - The Greater Sydney region

Appendix three - TfNSW strategic projects 

Appendix four - Sydney Trains path priority principles 

Appendix five - Sydney Trains delay management

Appendix six - About the audit 

Appendix seven - Performance auditing
 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #357 - released (19 October 2021).

What the report is about

This audit assessed whether adults in custody have effective access to health services. The audit examined the activities of Justice Health and Corrective Services NSW.

What we found

The majority of custodial patients receive timely health care, but a small proportion of patients are not receiving care within target timeframes.

Eleven per cent of scheduled health appointments are not attended, and agencies can do more to understand the reasons for non-attendance.

Demand for mental health care exceeds service capacity and some patients are held in environments not appropriate for their needs.

Justice Health's information systems do not support the effective transfer of medical records as patients move around the prison network.

Not all patients are released from custody with a discharge plan.

Justice Health's system managers do not receive sufficiently detailed reports to understand strategic risks or opportunities to improve access to health services.

Public and private prison health operators do not report against consistent performance measures.

Justice Health is mandated to assess health services in private prisons. This conflicts with its role as a contracted provider of health services in the private prison system.

What we recommended

Enhanced reporting on patient access to health services, to identify risks and challenges across key service areas.

Identification and implementation of the improvements required for information to be shared across the custodial network and with external health providers.

Development of a framework to govern and monitor costs for patient health escorts and movements.

Development of a framework to govern responsibilities for mental health services.

Progression of infrastructure plans that address the lack of specialist accommodation for mental health patients and aged and frail patients.

Collaboration to align the performance measures to enable benchmarking between public and private prison health services.

Action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Access to health services in custody

This audit examined whether adults in the New South Wales public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that patients have timely access to health services, systems and practices support continuity of care, and access to health services is monitored and reviewed.

As part of this audit, we assessed actions undertaken by Justice Health and Corrective Services NSW in managing the first COVID-19 outbreak in 2020. However, due to the timing of this audit report, this audit does not report on the agencies’ response to managing the current outbreak of COVID-19 in September 2021.

Health services in New South Wales prisons are delivered by both public and private operators. The public prison system is made up of 33 correctional centres and the Long Bay Hospital. All health services in the public prison system are delivered by the Justice Health and Forensic Mental Health Network (Justice Health).

In the public prison system, Justice Health is responsible for the clinical care of patients with physical and mental illnesses. Clinicians provide health assessments, treatments, medication management, and some counselling services in prison health clinics. Patients are triaged by primary health nurses and if they require treatments or medication, they are referred to prison‑based doctors including specialists or other clinicians. Patients requiring complex or emergency care are transferred to hospitals or other specialty services outside the prison complex.

Private operators deliver health services in three private prisons through contract arrangements with Corrective Services NSW. Justice Health delivers health care at one correctional centre via a contract arrangement with Corrective Services NSW. In total, contracted health service operators deliver health care to approximately 25 per cent of the New South Wales prison population.

Justice Health is required by law to monitor the performance of contracted health service providers in New South Wales prisons, including services provided at the John Morony Correctional Centre. The Auditor‑General’s mandate does not permit a direct examination of information held by private sector entities, however this audit does assess the effectiveness of Justice Health's role in monitoring health services in private prisons.

Corrective Services NSW is responsible for security in public prisons, including the facilitation of patient access to health care at prison health clinics and the transfer of patients to hospitals and other health services outside of the prison environment. Corrective Services NSW also delivers behaviour‑based psychology services. Some are delivered as behaviour modification courses that aim to reduce criminal and offending activity amongst the prison population. These programs may be linked to parole or other custodial conditions. Other psychology services include counselling for people with self‑harming or suicidal behaviours.

Research from the Australian Institute of Health and Welfare indicates that people in custody are more likely than the general population to be affected by chronic and acute illnesses, including higher rates of mental illness and communicable diseases¹. In March 2021, there were 13,063 adults in custody in New South Wales.

The objective of this performance audit was to assess whether adults in the public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that:

• patients have timely access to health services
• systems and practices support the continuity of health care
• access to health services is monitored, reviewed, and reported across the network. 

1. Key findings

The majority of custodial patients receive timely health care, but a small proportion of patients with priority appointments are not receiving care within target timeframes

Approximately half of all health care provided by Justice Health is immediate. It is delivered to 'walk‑in' patients as soon as they present at prison health clinics. Most of these patients are receiving daily medications, while a small proportion require urgent or immediate care for injuries or illnesses. The other half of prison health care is delivered via scheduled appointments. Patients waiting for health appointments are given a priority rating according to the time within which they should be seen by a clinician.

Patients requiring the most time‑critical care are given a Priority 1 rating. These patients should receive treatment within one to three days. In December 2020, the average wait time for Priority 1 treatment was five and a half days, almost double the target. This is an improvement on wait times in June 2019, when the average wait time was just over 13 days. Justice Health does not assess or measure the impacts of delayed care on these patients.

According to Justice Health, the high numbers of ‘walk‑ins’ contribute to increased wait times for medical appointments. In addition, some specialty health clinics operate weekly, which means that patients cannot be seen by specialists within a one to three‑day timeline. Security events such as prison lockdowns can also contribute to increased wait times, as they limit the access that patients have to prison health clinics during out‑of‑cell hours.

If patients need emergency medical treatment, they are transferred to hospitals in line with Justice Health's policy. In 2020, just over 1,000 patients were transferred to hospital for emergency medical care.

A significant proportion of prison health appointments are not attended, and not enough is being done to understand the reasons, or to improve attendance rates

In 2020, 11 per cent of all scheduled health appointments in prison clinics were not attended. This amounts to approximately 60,000 appointments over the year. Non‑attended appointments have flow‑on impacts on wait times and backlogs for scheduled health appointments. Understanding why they occur is necessary to improve efficiencies in scheduling and patient access to health services.

In 2020, the most common reason for non‑attended health appointments was: 'patient unable to attend'. Justice Health clinicians use this when patients do not arrive at the prison health clinic at the scheduled time, and clinicians lack any other information to explain the non‑attendance.

The second most common recorded reason for non‑attended appointments was: 'cancelled by Corrective Services NSW'. These cancellations are due to operational or security reasons, including prison lockdowns. Data from Justice Health indicates that in 2020, there were an average of 12 lockdowns per week across New South Wales prisons.

A range of factors can impact on patient attendance at appointments, some of which are unavoidable. That said, more can be done to understand and reduce non‑attendance. For example, there is potential for Corrective Services NSW to implement tighter protocols to update information about patient availability on the daily movement lists. This might include checking whether patients are willing to attend appointments. Similarly, there is potential for Justice Health clinicians to implement tighter protocols to check patient lists ahead of scheduled appointments, and to re‑schedule appointments where patients are unavailable.

Demand for mental health care exceeds service capacity and some patients are held in environments that are not appropriate for their needs

There is a high demand for mental health services in New South Wales prisons. In March 2021, at least 143 mental health patients were waiting for access to an acute or sub‑acute mental health unit across the New South Wales prison system. The average wait time for a mental health facility was 43 days. Seventeen patients had wait times of over 100 days. Patients waiting for sub‑acute mental health services had longer wait times than those waiting for acute mental health services.

There are limited mental health beds for women across the New South Wales prison network. There are ten allocated beds for women at the Mental Health Screening Unit at Silverwater Correctional Complex, and no allocated beds for women at Long Bay Hospital.

A lack of bed availability in the Forensic Hospital means that, as of February 2021, 63 forensic patients were being held in mental health facilities in mainstream prisons, when they should have been accommodated in the Forensic Hospital. Some of these forensic patients have been held in mainstream prison facilities for decades.

Cross‑agency co‑operation and planning is required to identify and build infrastructure that will reduce wait times for mental health beds. Over several years, Justice Health has developed, reviewed, and worked to progress a strategic plan for NSW Forensic Mental Health that includes enhanced mental health bed capacity across the NSW system. The latest version of this strategic plan remains in draft and has yet to be approved by the NSW Ministry of Health.

In 2016, Corrective Services NSW commenced a Prison Bed Capacity Program. It was focussed on enhancing capacity across the prison system and did not include specialist health beds. More recently, Corrective Services NSW has been developing a business case to improve the provision of specialist health care facilities across the network, including mental health facilities.

Justice Health's clinical information systems do not support the effective transfer of health appointments or medication records as patients are moved to new prison locations

Justice Health's clinical information systems are multiple and complex. There are five health information systems that include a mix of electronic and paper‑based records. Information management systems contain clinical records, appointment information, medication records, dental records, and specialist health information. Corrective Services NSW maintain separate information systems relating to prison records and psychology treatment information.

The transfer of people across different correctional centres is a frequent occurrence. In 2020, there were over 41,000 movements between correctional centres. People are transferred for a range of reasons including for security purposes, or to be located closer to hospitals or specialist health services.

Justice Health receives a list of patient transfers one day prior to transfer. Nurses are required to prepare medications and clinical handovers for patients with complex health conditions. These handovers are verbal, however short timeframes mean that handover is not always possible.

While each patient's electronic health records are available across the network, transfer of appointment waitlists must be done manually. There is no automatic alert within the information systems to tell staff that a patient has been moved to another prison. There is a risk that if appointment records are not manually updated, or if staff at destination clinics are not contacted, then appointments will be overlooked.

Justice Health is working with eHealth NSW to develop an improved Electronic Medication Management (EMM) program with expected delivery in late 2021. The EMM has potential to improve the transfer of patient medication records, but it will not fully remediate all inefficiencies of the current systems.

Corrective Services NSW and Justice Health do not engage in sufficient joint planning to improve efficiencies in transports or escorts to health services

Corrective Services NSW and Justice Health do not engage in joint system‑level planning to mitigate the risks and the costs associated with transferring patients to health clinics in prisons, or non‑prison‑based health care. There are no protocols, and limited sharing of information to improve efficiencies in planning and coordinating patient transfers.

Corrective Services NSW does not collate or report on the costs of transporting patients to hospitals and specialist care. While there is data on the overall cost of medical escorts, estimated to be $19.9 million in 2020, Corrective Services NSW is not able to disaggregate this data to determine the reasons for transfers or the system‑level costs. For example, Corrective Services NSW does not know how many prison lockdowns occur when hospital transfers are required.

Medical escorts to specialist health services and hospitals increase the costs to the prison system and contribute to risks in prison management. Medical escorts contributed to 16 per cent of metropolitan prison lockdowns at the peak in 2018, though escort numbers have since been declining. Some Local Health Districts report significant concerns around safety incidents and assaults on staff during medical escorts to hospital.

Corrective Services NSW does not know if transport costs have increased since the 2016 Prison Bed Capacity Program which expanded prison beds in regional New South Wales. To date, there has been no assessment of the cost of taking patients to tertiary hospitals or specialist services. Corrective Services NSW has identified this as an area for improvement.

Justice Health's system managers do not receive sufficiently detailed reports on wait times for health care, to understand strategic risks or opportunities for system improvement

Justice Health's senior executives receive monthly reports on patient wait times for services in prison health clinics. These reports contain headline data about the numbers of days that patients wait for scheduled health appointments by their allocated priority level. Wait time data are averaged across all New South Wales prison health clinics. With some exceptions, almost all executive level reports describe system‑wide appointment wait times without offering further specific detail. For example, there is limited information which would allow managers to understand the performance of specialty health groups, or to make any comparative analysis of the performance of different prison facilities.

Executive reports are also not detailed enough to indicate whether prisons with particular security classifications offer greater or lesser access to health services. It is not possible to assess whether patients in metropolitan or regional prisons have different levels of health service access. This prevents managers from identifying strategic risks across the prison network, targeting resources to the areas of greatest risk, and making strategic improvements in system performance.

Trend data on wait times for the different health specialty areas is also required to enable senior managers to compare wait times across prison facilities, security classifications, and localities.

In response to the preliminary findings of this audit, Justice Health has made some improvements to its executive‑level wait time reports. This includes additional detail on health appointment wait times by prison facilities and wait times by health specialty areas.

It is not possible to compare or benchmark the performance of public and private prison health operators or to compare prison health against community health standards

It is not possible to compare or benchmark the performance of the public and private prison health operators in New South Wales using the current Key Performance Indicator (KPI) data. KPI data do not correlate across the public and private systems.

Justice Health reports to the Ministry of Health on 44 prison health KPIs. The 44 KPIs for the public prison system do not align with the seven KPIs the private health operators report against in their contracts with Corrective Services NSW. This means that public and private operators focus on different service areas. For example, private operators have a performance measure for ensuring that custodial patients are provided with release plans. Justice Health does not have a similar measure.

The KPI specifications for the private prison health system were developed by Corrective Services NSW with input from the Ministry of Health. The KPI specifications for the public prison health system were developed by the Ministry of Health in collaboration with Justice Health. There is no rationale for the difference in performance indicators across the public and private systems.

Private providers currently deliver prison services to 25 per cent of the prison population of New South Wales. This proportion has been increasing since 2016. Public and private health operators deliver comparable health services so there is scope to compare performance across the systems.

Justice Health aligns its standard for prison health services with a 'community’ standard of health care access. However, with existing health monitoring measures, it is not possible to assess how well Justice Health is tracking against community health standards with available data from most health specialties.

There is an inherent conflict of interest in Justice Health's monitoring role of health services in private prisons, as Justice Health is also a provider of health services in a private prison

There is a legislated requirement for Justice Health to monitor the performance of private health operators in New South Wales prisons. This monitoring role is described in the Crimes (Administration of Sentences) Act 1999.

Justice Health's monitoring role includes the collection and analysis of health performance data from private health operators, and periodic site visits to assess health service performance. Justice Health reports the findings of monitoring activities to Corrective Services NSW, the contract manager for private prisons.

Justice Health's monitoring role commenced in the late 1990s. In recent years, this role has expanded as the NSW Government has increased the number of privately managed prisons across the state. Justice Health now monitors health services in four private prisons, accounting for approximately one quarter of all custodial patients in the New South Wales prison system.

In 2018, Justice Health was awarded a contract to provide health services at the John Morony Correctional Centre. Justice Health also monitors the health services this Correctional Centre. The timing of the 1999 legislation did not anticipate that Justice Health would be a provider of the services it is required to monitor.

Justice Health has taken steps to maintain independence and transparency in its monitoring role by establishing a number of arms‑length governance arrangements. Justice Health set up a Commissioning Unit that operates independently from its service delivery operations. Justice Health also established an alternative reporting chain via a Board subcommittee to oversee the performance of health providers in private prisons.

Despite all actions to establish independence, the monitoring role confers dual responsibilities on the Chief Executive of Justice Health as both an operational manager of health services in a private prison and as a manager responsible for monitoring these same services. As a result, the Chief Executive of Justice Health has access to information about the overall performance of the private prison health system in New South Wales.

As a competitor for the provision of health services in privately operated prisons, Justice Health has access to information to which other private health providers do not. This potentially gives Justice Health a competitive advantage over other private health operators.

2. Recommendations

By December 2022, Justice Health should:

1. enhance reporting on patient access to health services to ensure that system managers can identify risks, challenges, and system improvements across key areas of its service profile

2. in collaboration with the NSW Ministry of Health, identify and implement the required improvements to its health information management systems that will enable effective transfers of patient clinical records and appointment information across the custodial network and with external health providers.

By December 2022, Justice Health and Corrective Services NSW should:

3. develop a joint framework to govern and monitor the costs of their common and connected responsibilities for patient health movements across the prison network and to external health services

4. develop a joint framework to govern their common and connected responsibilities for mental health services.

By December 2022, Justice Health and Corrective Services NSW, in collaboration with the NSW Ministry of Health, should:

5. progress infrastructure plans and projects that address the lack of specialist accommodation for mental health patients and aged and frail patients

6. standardise and align the key performance indicators that monitor the performance of health operators in public and private prisons so that system‑wide benchmarking is possible.

By December 2022, the NSW Ministry of Health should:

7. take action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #356 - released (23 September 2021).

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

• enhance the coordination of climate risk management across agencies
• implement climate risk management across their clusters.

DPIE should:

• update information and strengthen education to agencies, and monitor progress
• review relevant land-use planning, development and building guidance
• deliver a climate change adaptation action plan for the state.

NSW Treasury should:

• strengthen climate risk-related guidance to agencies
• coordinate guidance on resilience in infrastructure planning
• review how climate risks have been assured in agencies’ asset management plans.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

• use robust climate projection information to understand the potential climate impacts
• undertake sound climate risk assessments, within an enterprise risk management framework
• implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Appendix one – Response from agencies

Appendix two – Timeline of key activities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #355 - released (7 September 2021).

What the report is about

This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020. 

The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications. 

DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:

• deliver jobs
• progress to the next stage of development within six months of determination
• deliver public benefit.

The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.

What we found

Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.

Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.

DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19. 

Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments. 

What we recommended

DPIE should:

• strengthen controls over conflicts of interest 
• evaluate the Fast-tracked Assessment Program.

In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.

In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:

• deliver jobs – particularly in the construction industry
• be capable of progressing to the next stage of development within six months of determination
• deliver public benefit.

At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.

This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.

Appendix one – Response from agency

Appendix two – Planning determination pathways

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #354 - released (27 July 2021).

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

Water regulation aims to achieve sustainable environmental, economic and social outcomes from the management of water resources, consistent with the Water Management Act 2000. Following recommendations from reviews into water theft, reforms were made to strengthen water regulation, compliance and enforcement – including the establishment of the Natural Resources Access Regulator (NRAR) in 2018. The Department of Planning and Environment shares responsibility for issuing water access licences and approvals with the state-owned corporation, WaterNSW.

This audit could assess how effectively the Department, WaterNSW and NRAR are undertaking relevant planning, licensing and regulatory functions to ensure secure, sustainable and transparent water sharing in New South Wales. This topic could also consider how effectively the Department has implemented reforms to enhance water metering technology and rules, and the efficacy of NRAR’s activities to support this program.

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

• our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
• our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

This report analyses the results of our audits of financial statements of the Health cluster for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

The impacts of the COVID-19 pandemic on the cluster were significant and included changes to the operations of the health entities and increased revenue, expenditure, assets and liabilities.

As a part of this year's audits of health entities, we have considered:

• financial implications of the COVID-19 emergency at both health entity and cluster levels
• changes to agencies' operating models
• agencies' access to technology and the maturity of systems and controls to prevent unauthorised and fraudulent access to data.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The response to the COVID-19 pandemic primarily impacted the financial reporting of NSW Health through:

• additional revenue from the State government in the form of grants and stimulus payments
• additional revenue from the Commonwealth government under the National Partnership Agreement for COVID-19 to cover part of the cost of responding to the COVID-19 pandemic
• increased expenses, largely due to increased payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists and increased cleaning costs
• increased purchases of personal protective equipment.

Chapter one outlines the impacts of NSW Health’s response to the COVID-19 pandemic. This chapter outlines our other audit observations related to the financial reporting of agencies in the Health cluster for 2020.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

The primary impact of the COVID-19 pandemic on the effectiveness of the internal controls of NSW Health and health entities relates to the effectiveness of controls implemented by HealthShare relating to the stocktake of personal protective equipment inventories. Inventory managed by HealthShare increased by 2,746 per cent during 2019–20. HealthShare’s inventory controls did not maintain pace with the sudden, significant increase.

The impacts of NSW Health’s response to the COVID-19 pandemic are outlined in chapter one. This chapter outlines other observations and insights from our financial statement audits of agencies in the Health cluster.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations 

Appendix three – Financial data

Appendix four – Analysis of financial indicators 

Appendix five – Analysis of performance against budget

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Auditor-General’s Report to Parliament

Health 2020

11 December 2020

This corrigendum has been prepared to amend the following text within the Auditor-General’s Report to Parliament on Health 2020, dated 10 December 2020.

NSW Health emergency department treatment times

On page five the original text was as follows:

NSW Health also measures the percentage of patients whose clinical care in emergency departments is completed within four hours. The measure is used as an indicator of accessibility to public hospital services.

NSW Health aims to complete clinical care in the emergency department for 81 per cent of patients within four hours. In 2019–20 NSW Health reports it completed clinical care within four hours for 72.1 per cent of patients (a 7.3 per cent decrease from 2018–19).

At Western Sydney Local Health District, 59 per cent of patients were treated within the targeted timeframe. NSW Health attribute this to the profile of patients presenting in emergency departments and additional time taken processing COVID-19 patients to ensure staff safety.

The original text has now been changed to:

NSW Health also measures the percentage of patients with total time in the emergency department of four hours or less for each local health district. The measure is used as an indicator of accessibility to public hospital services.

The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Transport cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of financial statements of entities within the Regional NSW cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.

The Regional NSW cluster aims to respond to regional issues, creating and preserving regional jobs, driving regional economy, growing existing and supporting emerging industries. The key areas of focus across the New South Wales (NSW) State is shown below:

MoG changes impact on Department of Regional NSW

The Department was created as result of the MoG changes during 2019–20. The Administrative Arrangements Order 2020, effective on 2 April 2020 created the Department of Regional NSW. These changes had a significant administrative impact on the cluster agencies. The MoG change resulted in a transfer of net assets ($446 million) and budget ($284 million) from DPIE to the newly created Department of Regional NSW on 2 April 2020. A summary of the MoG impacts on the Regional NSW cluster is shown below.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:

• allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
• revised budgetary and financial and annual reporting time frames – impacting the timeliness of financial reporting
• exempted certain statutory bodies and departments from preparing financial statements.

This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Regional NSW cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one - List of 2020 recommendations

Appendix two - Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.