What the report is about

The term ‘machinery of government’ refers to the way government functions and responsibilities are organised.

The decision to make machinery of government changes is made by the Premier. Changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day.

Larger machinery of government changes typically occur after an election or a change of Premier.

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet (DPC) and NSW Treasury in overseeing machinery of government changes.

What we found

The anticipated benefits of the changes were not articulated in sufficient detail and the achievement of benefits has not been monitored. The costs of the changes were not tracked or reported.

DPC and NSW Treasury provided principles to guide implementation but did not require departments to collect or report information about the benefits or costs of the changes.

The implementation of the machinery of government changes was completed within the set timeframes, and operations for the new departments commenced as scheduled.

Major implementation challenges included negotiation about the allocation of corporate support staff and the integration of complex corporate and ICT systems.

What we recommended

DPC and NSW Treasury should:

• consolidate existing guidance on machinery of government changes into a single document that is available to all departments and agencies
• provide guidance for departments and agencies to use when negotiating corporate services staff transfers as a part of machinery of government changes, including a standard rate for calculating corporate services requirements
• progress work to develop and implement common processes and systems for corporate services in order to support more efficient movement of staff between departments and agencies.

The term ‘machinery of government’ refers to the way government functions and responsibilities are allocated and structured across government departments and agencies. A machinery of government change is the reorganisation of these structures. This can involve establishing, merging or abolishing departments and agencies and transferring functions and responsibilities from one department or agency to another.

The decision to make machinery of government changes is made by the Premier. These changes may be made for a range of reasons, including to support the policy and/or political objectives of the government of the day. Machinery of government changes are formally set out in Administrative Arrangements Orders, which are prepared by the Department of Premier and Cabinet, as instructed by the Premier, and issued as legislative instruments under the Constitution Act 1902.

The heads of agencies subject to machinery of government changes are responsible for implementing them. For more complex changes, central agencies are also involved in providing guidance and monitoring progress.

The NSW Government announced major machinery of government changes after the 2019 state government election. These changes took place between April and June 2019 and involved abolishing five departments (Industry; Planning and Environment; Family and Community Services; Justice; and Finance, Services and Innovation) and creating three new departments (Planning, Industry and Environment; Communities and Justice; and Customer Service). This also resulted in changes to the 'clusters' associated with departments. The NSW Government uses clusters to group certain agencies and entities with related departments for administrative and financial management. Clusters do not have legal status. Most other departments that were not abolished had some functions added or removed as a part of these machinery of government changes. For example, the functions relating to regional policy and service delivery in the Department of Premier and Cabinet were moved to the new Department of Planning, Industry and Environment.

Our Report on State Finances 2019, tabled in October 2019, outlined these changes and identified several issues that can arise from machinery of government changes if risks are not identified early and properly managed. These include: challenges measuring the costs and benefits of machinery of government changes; disruption to services due to unclear roles and responsibilities; and disruption to control environments due to staff, system and process changes.

In April 2020, the Department of Regional NSW was created in a separate machinery of government change. This involved moving functions and agencies related to regional policy and service delivery from the Department of Planning, Industry and Environment into a standalone department.

This audit assessed how effectively the Department of Planning, Industry and Environment (DPIE) and the Department of Regional NSW (DRNSW) managed their 2019 and 2020 machinery of government changes, respectively. It also considered the role of the Department of Premier and Cabinet and NSW Treasury in overseeing machinery of government changes. The audit investigated whether:

• DPIE and DRNSW have integrated new responsibilities and functions in an effective and timely manner
• DPIE and DRNSW can demonstrate the costs of the machinery of government changes
• The machinery of government changes have achieved or are achieving intended outcomes and benefits.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #359 - released (17 December 2021).

What the report is about

This audit examined a state-wide program to provide small-group tuition to students disadvantaged by the move to learning from home during 2020.

The audit assessed the design and implementation of the program.

What we found

The program design was based on research and data showing learning loss during 2020. 

The department rapidly planned and developed the policy design and guidelines for schools. 

Governance arrangements matured during program delivery.

The department changed the models for funding schools but did not clearly explain the reasons for doing so.

Government schools with over 900 students were disadvantaged by the funding model compared to smaller schools. 

Guidelines, resources and professional learning helped schools implement the program.

Staff eligibility for the program was expanded after reported difficulties in recruiting qualified teachers in some areas. 

Online tuition and third-party provider options were developed throughout the program.

There were issues with the quality and timeliness of data used to monitor school progress. 

Evaluation arrangements were developed early in the program.

Data limitations mean the evaluation will not be able to fully assess all program objectives.

What we recommended

1. Distributing funds between schools more equitably and improving communication of the funding methods. 
2. Clearer communication about the intended targeted group of students.
3. Reviewing the time needed to administer the program.
4. Improve support for educators other than qualified teachers.
5. Offer the online tuition program to more schools.
6. Analysis of the effects of learning from home during 2021 across equity groups and geographic areas.
7. Working with universities to increase use of pre-service teachers in the program.

The report also identifies lessons learned for future programs.
 

The NSW Government announced the COVID Intensive Learning Support Program on 10 November 2020, as part of the 2020–21 NSW Budget. The primary goal of the $337 million program was to deliver intensive small group tuition for students who were disadvantaged by the move to remote and/or flexible learning, helping to close the equity gap. It included:

• $306 million to provide small-group tuition for eligible students across every NSW Government primary, secondary and special purpose school
• $31.0 million for around 400 non-government schools to provide small-group tuition to students with the greatest levels of need.

The objective of this audit was to assess the effectiveness of the design and implementation of the COVID Intensive Learning Support Program (the program). To address this objective, the audit assessed whether the Department of Education (the department):

• effectively designed the program and supporting governance arrangements
• is effectively implementing the program.

This audit focuses on activities between October 2020 and August 2021, which aimed to address the first session of learning from home in New South Wales. From August to October 2021, students in many areas of New South Wales were learning from home again, but this second period has not been a focus of this audit. On 18 October 2021, the NSW Government announced the program would be extended into 2022.

This chapter considers how effectively the COVID Intensive Learning Support Program (the program) was designed and planned for implementation.

This chapter considers how effectively the COVID Intensive Learning Support Program was implemented over our period of review (Terms 1 and 2, 2021).

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #358 - released (15 December 2021).

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

• enhance the coordination of climate risk management across agencies
• implement climate risk management across their clusters.

DPIE should:

• update information and strengthen education to agencies, and monitor progress
• review relevant land-use planning, development and building guidance
• deliver a climate change adaptation action plan for the state.

NSW Treasury should:

• strengthen climate risk-related guidance to agencies
• coordinate guidance on resilience in infrastructure planning
• review how climate risks have been assured in agencies’ asset management plans.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

• use robust climate projection information to understand the potential climate impacts
• undertake sound climate risk assessments, within an enterprise risk management framework
• implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Appendix one – Response from agencies

Appendix two – Timeline of key activities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #355 - released (7 September 2021).

What the report is about

This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020. 

The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications. 

DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:

• deliver jobs
• progress to the next stage of development within six months of determination
• deliver public benefit.

The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.

What we found

Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.

Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.

DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19. 

Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments. 

What we recommended

DPIE should:

• strengthen controls over conflicts of interest 
• evaluate the Fast-tracked Assessment Program.

In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.

In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:

• deliver jobs – particularly in the construction industry
• be capable of progressing to the next stage of development within six months of determination
• deliver public benefit.

At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.

This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.

Appendix one – Response from agency

Appendix two – Planning determination pathways

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #354 - released (27 July 2021).

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining how effectively NSW emergency response agencies address public inquiry recommendations.

The audit found that agencies’ governance arrangements to address public inquiry recommendations have important and consistent gaps. 

The agencies did not sufficiently verify that they had implemented accepted recommendations as intended, and in line with the outcomes sought. This creates a risk that issues with disaster prevention or responses highlighted by public inquiries are not addressed in a complete or timely way and may persist or recur in the future. 

The audit also found that agencies did not always nominate milestone dates or priority rankings for accepted recommendations, and so could not demonstrate they were managing or monitoring them effectively.

The audit examined how five emergency response agencies – Fire and Rescue NSW, National Parks and Wildlife Service, NSW Rural Fire Service, NSW State Emergency Service and Resilience NSW – have addressed accepted recommendations from public inquiries over the last ten years. The audit assessed the effectiveness of governance arrangements to track recommendation implementation.

The report makes six recommendations to improve disaster response agency arrangements to address public inquiry recommendations.  

While the focus of this audit was agencies that responded to natural disasters, the findings and recommendations from this report have the potential to be applied across the NSW public sector in response to public inquiries related to other areas of government activity.

Major disasters and emergencies often trigger public post-event inquiries and reviews. The purpose of these reviews is to identify the causes of disaster or emergency events and areas for future improvement in prevention, preparedness, response and recovery. Areas identified for future improvement are then the subject of recommendations to government or government agencies and, when accepted, become public commitments to action.

Responses to the bushfires of 2019–20 followed this pattern, producing both NSW and Australian Government commissioned inquiries: the NSW Bushfire Inquiry and the Royal Commission into National Natural Disaster Arrangements. Both highlighted the significant volume of inquiries in recent years. Both asked whether agency responses to previous inquiries were improving Australia's capacity to prevent, prepare for, respond to and recover from natural disasters. The inquiries reflected on the difficulty of answering this question due to insufficient clarity and transparency on whether the improvements and risks that inquiries identified have been addressed in practice.

This audit stems from similar questions about how effectively government agencies in NSW are delivering on public inquiry recommendations. It assessed how five emergency response agencies have addressed accepted recommendations from 17 public inquiries over the last ten years. For this audit, we considered inquiries and reviews that affected agencies' operational capacity to respond to and recover from bushfire, floods and storms. The in scope public inquiries for this audit relate to:

• the 2013–14, the 2016–17 and the 2017–18 bushfire seasons
• severe storms and floods in 2015, 2016 and 2017
• workforce issues affecting the ability of agencies to respond to natural disasters.

The public inquiries we reviewed included coronial inquiries and inquests, parliamentary inquiries, independent reports and reviews, performance audits and recovery coordinator reports. In total, we looked at the processes that agencies used to implement 191 recommendations from these 17 public inquiries.

The objective of this audit was to determine how effective emergency response agencies are in addressing accepted recommendations from public inquiries. To answer our audit objective, we asked two questions:

• Do agencies have effective governance arrangements in place to respond to, monitor and implement accepted recommendations from public reviews and inquiries?
• Do agencies provide timely and accurate information on the implementation of accepted inquiry recommendations to senior decision makers and the public?

The agencies reviewed were:

• Fire and Rescue NSW
• NSW National Parks and Wildlife Service (now a division of the Department of Planning, Industry and Environment)
• NSW Rural Fire Service
• NSW State Emergency Service
• Resilience NSW (formerly the Ministry for Police and Emergency Services; and the Office of Emergency Management).

While the focus of this audit was agencies that respond to natural disasters (flood, bushfire and storms), the findings and recommendations from this report have the potential to be applied across the NSW public sector in response to public inquiries related to other areas of government activity.

This chapter reviews the way agencies have responded to, monitored and ensured they have implemented accepted recommendations from public inquiries.

This chapter reviews how agencies provided information to senior decision makers, agency Audit and Risk Committees and the public on the implementation of accepted recommendations from public inquiries.

Appendix one – Response from agencies

Appendix two – Identifying in scope inquiries

Appendix three – In scope inquiries

Appendix four – Recommendations reported by agencies as still in progress (detail)

Appendix five – Agency reported recommendation implementation status (unaudited) 

Appendix six – About the audit 

Appendix seven – Performance auditing

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #348 - released (22 April 2021).

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the planning and delivery of new, redeveloped and upgraded public schools.

School Infrastructure NSW has identified the need to accommodate an additional 180,000 enrolments in public schools by 2039 with a large portion of this growth expected in metropolitan Sydney. It has also identified that around 34,000 teaching spaces will require upgrading to be fit-for-purpose.

Although School Infrastructure NSW has developed a long-term strategic plan that advises government of ongoing funding requirements, it has not presented a list of priorities to meet those needs. Developing a longer-term list of priorities would help signal the areas of greatest need and allow more time to develop the best options to meet those needs.

The audit found that School Infrastructure NSW has focused on delivering existing projects, election commitments and other government announcements. This has diverted attention from identifying and delivering projects that would have better met present and future needs. 

The report makes eight recommendations to improve long-term planning for future needs, strengthen the quality of estimated project costs and benefits, and embed a continuous improvement program. 

In 2016, the Department of Education prepared a School Assets Strategic Plan (2016 SASP) which outlined long-term funding needs to support the expected growth in enrolments to 2031. Following the release of the 2016 SASP, the NSW Government substantially increased funding for new and upgraded schools from $2.4 billion in the 2016–17 State Budget to $4.2 billion in 2017–18.

In 2017, the Department of Education established School Infrastructure NSW (SINSW) to lead the delivery of the 2016 SASP and the 123 new projects announced in the 2017–18 Budget. This significantly larger program of work required rapid development of internal capacity, governance arrangements, and project management systems. This needed to be done at the same time as scoping and planning for the list of announced projects.

As there are limited funds available to meet growing needs across the State, it is important that SINSW has effective methods to prioritise projects to communities with the greatest need. To ensure that projects deliver value for money, business cases need to have robust estimates of project costs and benefits. Business cases also need to account for the inherent risks in delivering infrastructure projects. Unplanned cost escalations can reduce the number of new or modernised classrooms SINSW can deliver. Unforeseen delays may also impact families who make significant life choices based on their expectations that a school will open at the beginning of the school year.

The objective of this audit was to assess the effectiveness of planning and delivery of new, upgraded and redeveloped schools to meet demand for public school education in New South Wales. To address this objective, the audit examined whether the Department:

• has effective procedures for planning and prioritising school capital works to meet present and future demands
• develops robust business cases for school capital works that reliably inform decision-making
• has effective program/project governance and management systems that support delivering projects on-time, within budget and achievement of intended benefits.

The audit examined business cases for 12 projects as case studies. These include a mix of projects initiated before and after the establishment of SINSW.

This audit commenced in June 2020 and examined strategies and demographic projections developed prior to the emergence of COVID-19. This audit did not examine potential longer-term impacts of COVID-19 on future demands for public school education.

1. Key findings

SINSW delivered projects against an established program of works in its first years of operation

At establishment, SINSW inherited a portfolio of existing projects and 123 new projects announced as part of the 2017–18 Budget (to commence over 2017–18 and 2018–19). It has progressively worked through individual project planning to deliver against these projects.

The 2018–19 Budget funded two new projects that had not already been announced. Both projects were identified by SINSW as a priority. The 2018–19 Budget also allocated funding for 'planning' 22 new projects. Seventeen of the 22 projects had been identified by SINSW as a priority.

SINSW identified 31 new priority projects in its Capital Investment Plan for 2019–20. Thirteen of these projects were funded in that year with a further 27 projects included as election commitments. SINSW identified 20 new projects in its Capital Investment Plan for 2020–21 but only two of these were funded. SINSW advised this was due to a constrained budget environment.

There is an anticipated shortfall of classrooms based on the current funded program

Despite increased funding since 2017–18, SINSW advised the NSW Government in early 2020 that the currently funded infrastructure program would not meet forecast classroom requirements for 2023 and beyond. Accordingly, it is vital that new funding is prioritised to projects which best meet demand.

SINSW only identified specific priorities over a two-year horizon in its Capital Investment Plans for 2018–19, 2019–20 and 2020–21. The School Assets Strategic Plan 2016 and the 2020 update make the case for sustained funding for school building and redevelopment. These plans estimate annual funding requirements and show geographic areas with increasing forecast enrolments. Detailing how priorities over a ten-year timeframe fit within a ten-year capital planning limit would create more certainty about meeting growth demands.

There has been progress in formalising prioritisation frameworks, data tools and supporting governance arrangements

SINSW committed to planning for new and redeveloped schools in 'School Community Groups' in the School Assets Strategic Plan 2016. This is a new way of planning which considers the educational needs over a defined geographical area. It has developed a planning tool to prioritise School Community Groups based on weighted criteria. It has also established governance frameworks to improve transparency over decisions to reprioritise this list.

SINSW has refined its approach to planning in School Community Groups over the past four years. It now prepares Service Needs Reports to investigate needs, identify projects, prioritise, determine scope and timing, and assess non-capital options. SINSW has yet to finalise arrangements for how needs identified in Service Needs Reports progress to the strategic business case stage.

Projects announced prior to developing a business case have less opportunity to consider a range of options to meet the service needs

Business cases for projects already announced by government (or announced for planning) go through the same process of determining the service need and impacts on surrounding schools. However, for some announced projects, the range of options considered in the business case is influenced by the parameters of the announcement. This makes it more difficult to genuinely pursue alternate options that could better meet the identified service need.

Projects identified by SINSW have a more rigorous process of considering options. Service Needs Reports explore a wide range of asset and non-asset interventions across the School Community Group. Options are narrowed as the projects move through the strategic and final business case stages. SINSW uses its Investment Review Committee to engage key stakeholders early in the process so that they are informed about how non-asset solutions have been considered and why SINSW is progressing the business case for a capital solution for particular projects.

Several business cases underestimated project costs and risks, leading to scope and budget increases

Several business cases we reviewed did not adequately identify the initial scope requirements, project-specific risks or the likely project cost. For two business cases, this appeared to be due to an attempt to fit the project within a predetermined amount. Announcing a project’s scope, budget and timeframe before proper planning increases risks to successful delivery against expectations.

Several of the projects we examined required drawdowns on contingency funds due to inadequate consideration of scope, costs and project risks at the planning stage. Contingency funds are intended for unanticipated extra costs rather than those that could have or should have been identified at the planning stage.

Guidance on benefit calculations has provided a consistent framework for business cases

Business cases we examined presented a consistent set of benefits based on guidance developed in partnership with NSW Treasury. Following this guidance helps to compare cost-benefit analyses across business cases. However, the evidence for the estimated benefits is based on contexts outside of NSW. SINSW has the tools and data sources to calculate benefits more suited to the context of particular schools. Doing so would improve the accuracy of cost-benefit analyses. SINSW advised that it is currently updating the guidance in partnership with NSW Treasury.

SINSW involves school principals, executives and teaching staff in developing education rationales when commencing projects. These documents help align projects with education outcomes. They also provide a baseline for post-occupancy evaluation, which is important to determine whether the new school infrastructure is being used in the ways that were anticipated in the business case.

SINSW could elevate its existing assurance review process to consolidate lessons learned

SINSW engages external peer reviewers to conduct assurance reviews on its projects at multiple stages of planning and delivery. It has established a Community of Practice for external reviewers to keep them up to date on new developments and requirements. Higher value projects are also subject to review by Infrastructure NSW under the Investor Assurance Framework.

By looking at all projects at all stages, assurance reviews can identify systematic issues across the full portfolio of projects. A recent assurance review analysed common findings from reviews of strategic and final business cases. This provides a helpful way to improve internal processes. SINSW advised that it is implementing a continuous improvement program, which will be able to take findings from assurance reviews to build organisational capabilities.

2. Recommendations

By September 2021, the Department of Education should:

1. finalise the investment prioritisation approach with agreement from key stakeholders
2. finalise and update on an ongoing basis a ten-year list of priorities to meet the forecast demand for new classrooms and contemporary fit for purpose learning environments, which identifies individual projects and programs in the short-term and priority geographic areas and programs in the medium-term
3. seek a ten-year Capital Planning Limit from NSW Treasury to ensure the needs identified in the ten-year list of priorities are met and are coordinated with the forward capital programs of other agencies
4. improve the quality of data on cost benchmarks that underpin the annual ten-year Capital Investment Plan and updates to the School Assets Strategic Plan
5. embed an evidence-based cost benefit analysis framework for school investment, in consultation with NSW Treasury, by:
   • validating benefits estimated in previous business cases with actual results
   • building the evidence base in relation to contemporary learning environments
6. regularly share data on forecast needs with relevant planning agencies to promote strategic opportunities for servicing education needs
7. implement the continuous improvement program for service planning, options assessment, business case development, project delivery and handover. The program should be informed by findings from assurance reviews, post-occupancy evaluations and project lessons learned
8. establish benefits realisation processes and practices that:
   • ensure business cases set baselines and targets for benefits
   • review benefits during delivery, prior to handover and as part of Post Occupancy Evaluations
   • identify which part(s) of the Department are best placed to develop, manage and evaluate benefits on an ongoing basis.

There have been significant increases in funding for education infrastructure since the 2017–18 Budget and further growth in demand for places in schools is forecast. SINSW has the challenge, not only of meeting the need for new classrooms due to population growth, but also upgrading facilities to enable modern teaching techniques. In addition, community expectations of what constitutes a vibrant and successful school community continues to increase.

Given growing demand and budget constraints, projects must be selected to best meet the needs of the community and planning and prioritisation are vital. SINSW has been progressing planning for announced projects as well as implementing a new type of strategic state-wide planning and prioritisation, cluster planning, where options are developed for School Community Groups.

The primary role of a business case is to reliably inform an investment and/or policy decision. Over the period of review, the NSW Government's guidelines for business cases have established this requires recommendations based on convincing arguments, sufficient evidence, and accurate costing of alternatives and expected benefits. Business case guidelines are underpinned by guides for economic appraisal and cost-benefit analysis.

As SINSW moves to prioritise business cases for interventions in School Community Groups, it will increasingly need to demonstrate rigour in its assessment of all options. It will also need to ensure that scope identification, cost and risk planning and the setting of contingencies are accurate. This will help decision-makers better understand, plan for and manage the investment required to meet the demand for school infrastructure.

For this audit, we examined business cases and related documentation for 12 projects. Several of these projects were developed before School Infrastructure NSW was established in mid-2017.

Over the period of review, NSW Government policies for business case development and submission have emphasised that effective governance arrangements are critical to a proposal's successful implementation.

SINSW's guidance similarly highlight the importance of effective governance and project management for achieving good outcomes. It prescribes a general governance structure managed by SINSW that can be tailored to the planning and delivery of school infrastructure projects.

Appendix one – Response from agency
 
Appendix two – About the audit 

Appendix three – Performance auditing 

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #347 - released (8 April 2021).

Auditor-General’s Report to Parliament on Delivering School Infrastructure 

This corrigendum has been prepared to amend the following text within my Auditor-General’s Report to Parliament on Delivering School Infrastructure, dated 8 April 2021. 

On page two, the original text was as follows: 

Further NSW Government announcements in the 2018–19 Budget and election commitments in the 2019–20 Budget made up the majority of new projects, rather than projects prioritised by SINSW. 

The original text has now been changed to 

Further NSW Government announcements in the 2018–19 Budget, election commitments in the 2019–20 Budget, and announcements in the 2020–21 Budget, made up the majority of new projects, rather than projects prioritised by SINSW. 

On page three, the original text was as follows: 

The 2018–19 Budget funded three new projects that had not already been announced. One of the three projects was identified by SINSW as a priority. 

The original text has now been changed to: 

The 2018–19 Budget funded two new projects that had not already been announced. Both projects were identified by SINSW as a priority. 

On page three the original text was as follows: 

SINSW identified 33 priority projects in its Capital Investment Plan for 2019–20.

The original text has now been changed to  

SINSW identified 31 new priority projects in its Capital Investment Plan for 2019–20. 

On page eleven, in Exhibit 4, the original text was as follows: 

The 2018–19 NSW Budget announced funding for an additional 43 new and upgraded schools to commence works in 2018–19. Of the 43 projects: 

•    1 was identified by SINSW as a priority in its Capital Investment Plan (SINSW requested funding for one new project)
•    40 had already been announced
•    2 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).

The original text has now been changed to: 

The 2018–19 NSW Budget announced funding for an additional 42 new and upgraded schools to commence works in 2018–19. Of the 42 projects: 

•    2 were identified by SINSW as a priority in its Capital Investment Plan (SINSW requested funding for two new projects)
•    40 had already been announced.

On page eleven, the original text was as follows: 

The 2019–20 NSW Budget announced funding for an additional 40 new and upgraded schools as election commitments. Of the 40 election commitment projects: 

•    13 were identified by SINSW as priorities in its Capital Investment Plan (SINSW requested funding for a total of 33 new projects)
•    27 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).

The original text has now been changed to: 

The 2019–20 NSW Budget announced funding for an additional 40 new and upgraded schools as election commitments. Of the 40 election commitment projects: 

•    13 were identified by SINSW as priorities in its Capital Investment Plan (SINSW requested funding for a total of 31 new projects)
•    27 were new announcements (not identified as a priority by SINSW in its Capital Investment Plan).

The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.