Refine search Expand filter

Audit progress

- Any -

Sector

- Any -

Year

- Any -

Report type

- Any -

Topic

- Any -

Reports

Published

Flood housing response

Planning
Whole of Government
Community Services
Premier and Cabinet
Internal controls and governance
Management and administration
Procurement
Project management
Risk
Service delivery
Shared services and collaboration

What this report is about

Extreme rainfall across eastern Australia in 2021 and 2022 led to a series of major flood events in New South Wales.

This audit assessed how effectively the NSW Government provided emergency accommodation and temporary housing in response to the early 2022 Northern Rivers and late 2022 Central West flood events.

Responsible agencies included in this audit were the Department of Communities and Justice, NSW Reconstruction Authority, the former Department of Planning and Environment, the Department of Regional NSW and the Premier’s Department.

Findings

The Department of Communities and Justice rapidly provided emergency accommodation to displaced persons immediately following these flood events.

There was no plan in place to guide a temporary housing response and agencies did not have agency-level plans for implementing their responsibilities.

The NSW Government rapidly procured and constructed temporary housing villages. However, the amount of temporary housing provided did not meet the demand.

There is an extensive waitlist for temporary housing and the remaining demand in the Northern Rivers is unlikely to be met. The NSW Reconstruction Authority has not reviewed this list to confirm its accuracy.

Demobilisation plans for the temporary housing villages have been developed, but there are no long-term plans in place for the transition of tenants out of the temporary housing.

Agencies are in the process of evaluating the provision of emergency accommodation and temporary housing.

The findings from the 2022 State-wide lessons process largely relate to response activities.

Audit recommendations

The NSW Reconstruction Authority should:

  • Develop a plan for the provision of temporary housing.
  • Review the temporary housing waitlist.
  • Determine a timeline for demobilising the temporary housing villages.
  • Develop a strategy to manage the transition of people into long-term accommodation.
  • Develop a process for state-wide recovery lessons learned.

All audited agencies should:

  • Finalise evaluations of their role in the provision of emergency accommodation and temporary housing.
  • Develop internal plans for implementing their roles under state-wide plans.

Extreme rainfall across eastern Australia in 2021 and 2022 led to a series of major flood events in New South Wales. In response, the NSW Government declared each of these events a natural disaster and made available a wide range of support for affected individuals and businesses. The flooding experienced by the State was widespread and its severity caused significant destruction in communities across the State. Some of the most significant damage occurred in the Northern Rivers and Central West regions of New South Wales.

Whilst areas of the Northern Rivers are prone to regular flooding, the scale of flooding in 2022 had not been experienced in the region before. On 28 February 2022, the Wilsons River in Lismore reached a height of 14.4 metres, approximately 2.3 metres higher than the previous record. A second flood occurred on 30 March 2022, with the river reaching 11.4 metres. The flooding in the region was extensive, affecting towns including Lismore, Coraki, Woodburn and Ballina. Between late February and early April 2022, 13 lives were lost in the Northern Rivers floods. In addition, 4,055 properties were deemed uninhabitable, and a further 10,849 properties were assessed as damaged. Approximately 4,000 people had to be evacuated from Lismore alone during this period, with thousands displaced from their homes across the region.

In the Central West, on 14 November 2022, the Lachlan River at Forbes peaked at 10.6 metres and was categorised as major flooding due to the inundation of extensive rural areas with properties, villages and towns isolated. On the same day in Eugowra, the Mandagery Creek peaked at 9.8 metres, passing the previous record of 9.6 metres in 1950. Flooding occurred in other areas of the Central West including Parkes, Molong, Cowra and Canowindra. Two lives were lost in the town of Eugowra with 80% of homes and businesses in the town damaged.

This audit assessed the following two areas of NSW Government support provided in response to these flood events:

  • Provision of emergency accommodation: short-term accommodation provided to displaced persons unable to return to their own home in an emergency situation.
  • Provision of temporary housing provided in the form of temporary pods and caravans.

The Department of Communities and Justice (DCJ) is responsible for the provision of emergency accommodation and other welfare services in response to a disaster event. With regards to temporary housing, the following agencies were involved in this audit:

  • Resilience NSW was the lead agency responsible for recovery and led the implementation of the temporary housing program under the oversight of the Chair, Housing Taskforce (HTF) from July 2022. On 16 December 2022, Resilience NSW was abolished, with some staff transferred to the NSW Police Force, Department of Premier and Cabinet (DPC) and DCJ. The remaining staff were transitioned to the newly established NSW Reconstruction Authority.
  • The Department of Planning and Environment (DPE) chaired the HTF until July 2022 and led the process for the identification and evaluation of temporary housing village sites. On 1 January 2024, DPE was abolished and the DPE functions discussed in this report now form part of the Department of Planning, Housing and Infrastructure.
  • NSW Public Works (NSWPW), a branch of the Department of Regional NSW (DRNSW) procured and managed the construction of the pods used in this program, and procured the caravans used as part of the temporary housing response.

The then DPC (now Premier’s Department (PD)) was responsible for whole-of-government policy advice, convening the Crisis Policy Committee of Cabinet, and whole-of-government communications.

This audit assessed how effectively the NSW Government provided emergency and temporary housing in response to the early 2022 Northern Rivers and late 2022 Central West flood events. We addressed this objective by examining whether the audited agencies:

  • effectively planned for the provision of emergency accommodation and temporary housing prior to the flood events
  • provided emergency accommodation and temporary housing to meet the needs of affected communities in response to the flood events
  • are effectively capturing lessons learned in relation to their provision of emergency accommodation and temporary housing as part of the flood response.

There is a State-level plan in place to guide the approach to emergency accommodation

The Welfare Services Functional Area Supporting Plan (WSFASP, the plan) is a supporting plan to the New South Wales Emergency Management Plan (EMPLAN). The plan outlines the responsibilities of the Department of Communities and Justice (DCJ) for the coordination and delivery of disaster welfare services in New South Wales. This includes the provision of emergency accommodation services. The plan in place during the flood events outlined the responsibilities of DCJ and the former Office of Emergency Management (OEM), some responsibilities of which have since transitioned to the NSW Reconstruction Authority (the Reconstruction Authority). The plan sets out a framework for government and non-government organisations to coordinate to provide key welfare services during an emergency, and outlines agreed roles and responsibilities. The plan outlines preparedness measures and arrangements for the provision of key welfare services during the response to and recovery from emergencies in New South Wales.

The plan details the organisations and key positions involved in welfare services, including their overall roles and responsibilities, and a basic structure for the delivery of disaster welfare services. For example, the plan states that both the former Department of Families and Communities Services and the not-for-profit Adventist Development and Relief Agency (ADRA) are responsible for emergency accommodation but does not clarify the detailed responsibilities associated with this role. These provide a State-wide, though not detailed, approach to emergency accommodation and welfare services in a disaster recovery context.

There was no plan in place to guide the temporary housing response, despite the NSW Government utilising this type of response in a previous emergency event

The State-level emergency planning documents do not contemplate the need for temporary housing as a government disaster response. Although there was a temporary housing response to the Black Summer bushfires in 2019–20, albeit on a smaller scale, no specific plans were in place to guide this response or the flood events in 2021–22. The NSW Government therefore had to develop its approach to addressing demand for temporary housing whilst responding to the flood emergency as it was occurring.

A partnership was established between the NSW Government and the Minderoo Foundation in 2020 to provide 100 pods to people whose homes were destroyed in the Black Summer bushfires. The initial rollout consisted of four-person pods, however the need for greater capacity was identified, with larger, family-sized pods developed for up to six people. The implementation of this program did not include formalising the work completed in documented plans for future use in response to other emergency events.

A plan that sets out how temporary housing should be used is in place in Queensland. The Queensland Government released a Temporary Emergency Accommodation (TEA) plan in 2021 which describes the arrangements, roles and responsibilities of key organisations critical to supporting displaced community members after the closure of an evacuation centre. The TEA plan outlines the five phases in the provision of accommodation support which includes temporary housing recovery. This demonstrates that a plan for the use of temporary accommodation would not be unprecedented.

Without plans in place to respond to all aspects of an emergency, decision makers are forced to be reactive in their decision making or to develop these plans while also responding to the events. In this specific instance, the government was forced to develop governance structures and perform tasks such as options analysis and site selection for temporary housing during the immediate aftermath of the flood events.

The Reconstruction Authority has acknowledged the need for a formalised plan for temporary housing responses and has started work to develop this in preparation for future flood events. It advised that the Housing Taskforce (HTF) has begun this work by performing assessments and reviews of high-risk areas and engaging with local councils and community groups. The Reconstruction Authority is also developing a Recovery Readiness Checklist, which will include preparedness for the provision of temporary housing in an emergency. Pre-event recovery planning specific to Local Government Areas (LGAs) is also underway, with the Reconstruction Authority developing tailored checklists which cover the provision of temporary housing. These tools will form part of the State's recovery response under the NSW Recovery Plan, which the Reconstruction Authority is currently in the process of updating. The Reconstruction Authority advises that this update will include identifying responsibilities in relation to the temporary housing response and recovery more broadly.

The WSFASP in place during the flood events had not been reviewed and updated in line with its planning requirements

Plans which outline the coordination and delivery of services in response to an emergency are imperative to ensure all required activities are completed, and the needs of affected communities are met. Plans also serve as a common reference point for decision making. Out of date plans can result in unclear roles and responsibilities, requiring agencies to make improvised decisions due to the urgent nature of emergency response. This creates a risk of key activities not being fulfilled and community needs going unmet.

The WSFASP in place during the flood response was last updated and endorsed by the State Emergency Management Committee (SEMC) in June 2018. As part of the planning requirements outlined in the plan, the State Welfare Services Functional Area Coordinator (WelFAC) is required to ensure the plan is reviewed every five years, or when relevant aspects require review following emergency operations or changes to legislation. The State WelFAC is an officer from DCJ responsible for the monitoring, support and coordination of disaster welfare services in New South Wales.

In 2020, a machinery of government change was implemented which established Resilience NSW as a public service executive agency and transferred persons employed in OEM to Resilience NSW. Despite these legislative changes, the plan had not been updated in line with its requirements to reflect these and subsequent changes, as OEM was still listed as one of the two agencies responsible for the coordination and delivery of disaster welfare services. Similarly, the plan had not been updated to reflect emergency operations changes with ADRA listed as the responsible coordinator for the provision of emergency accommodation services, despite no longer being responsible for this service.

The WSFASP has since been updated to reflect these changes and was endorsed by the SEMC in September 2023. The current WSFASP aligns with the welfare services responsibilities following the transfer of the welfare services functional area to DCJ in 2023. This includes the role of DCJ as the lead agency for the WSFASP, and DCJ and the Housing Contact Centre (HCC) within DCJ as the coordinator of emergency accommodation. The updated plan also provides an outline of the key welfare services that are delivered by the functional area, including emergency accommodation, personal support, essential food and grocery items, and transition from emergency accommodation. The outline provides a description of each service and the agency, team or non-government organisation responsible for coordinating the service.

Agencies did not have agency-level plans in place for implementing their responsibilities under State-level emergency accommodation and temporary housing plans

The State EMPLAN establishes a framework for sub plans, supporting plans and related policy instruments and guidelines. It states that a supporting plan should describe the support which is to be provided to the controlling or coordinating authority during emergency operations and be an action plan which describes how an agency or functional area is to be coordinated in order to fulfill the roles and responsibilities allocated. Without this more detailed guidance being in place, there is no common reference point for individuals within an agency to refer to when implementing the broader State-level plans, such as the WSFASP.

The WSFASP defines emergency accommodation and outlines the government and non-government organisations responsible for its provision. It does not provide a detailed description of the specific roles and responsibilities related to its provision. DCJ does not have an agency-level plan in place that specifies these in more detail, and did not have any standard operating procedures (SOPs) in place to guide the process of housing displaced persons in emergency accommodation.

The absence of SOPs to guide this process can increase the chance of inconsistent implementation of the WSFASP, with a reliance on the experience of staff to complete tasks to house people in emergency accommodation. For example, at the onset of an emergency, staff in the HCC contact local accommodation venues such as hotels and motels to determine availability in the area. They may also book blocks of rooms in preparation for housing displaced persons. At the time of the flood events, there was no documentation which detailed the process for DCJ staff to follow and these tasks were not recorded anywhere as requiring completion before a disaster occurred.

DCJ has advised that they have since developed internal processes which form part of the training program for Disaster Welfare staff. In addition to this, the HCC has developed a guide which steps out the various processes relating to the provision of emergency accommodation, as well as outlining the different roles and responsibilities within the HCC in relation to these processes.

As noted, there is no State-level plan in place to guide the temporary housing response. As a result, there is no framework to guide this process at an agency level for the Reconstruction Authority. The absence of both State and agency-level plans guiding the provision of temporary housing at the time of the flood events meant that agencies were required to develop a process to follow at the same time as responding to the flood events.

Appropriate governance structures were established quickly and changed as needed to reflect recovery needs

The State Recovery Committee (SRC) was activated following the 2019–20 bushfires and was still operating at the time of the 2022 floods. As part of this, the SRC had a terms of reference which included responsibilities of the SRC and a membership list. The responsibilities of the SRC in the terms of reference are to:

  • provide strategic direction in relation to disaster recovery
  • oversee reconstruction and recovery efforts in disaster impacted areas
  • provide senior leadership to facilitate whole-of-government coordination
  • monitor and report to the Premier, Deputy Premier and Cabinet on the progress of recovery efforts in disaster impacted areas.

Once the flood events commenced on 28 February 2022, the SRC increased its meeting frequency to every two days initially, for a total of 13 meetings in March. The SRC continued to meet at least twice a week from mid-April until the end of May, at which point it reduced gradually in frequency to weekly and then fortnightly. The SRC continued to meet throughout all of 2022 and 2023.

The SRC established a range of subcommittees to assist with recovery efforts. These subcommittees were operational from March 2022 onwards. Subcommittees had terms of reference setting out their role and were chaired by appropriate agencies with operational responsibilities that aligned with those roles. The Health and Wellbeing subcommittee was established as part of this and initially had responsibility for the provision of both emergency accommodation and temporary housing. This subcommittee was chaired by a relevant Senior Executive in DCJ.

As noted above, none of the whole-of-government plans prior to the flood events allocated responsibility to an agency or subcommittee for constructing and managing temporary housing. Although temporary housing had been utilised by the government previously in response to the 2019–20 bushfires, its provision had never been implemented on the scale required in response to the flood events.

In early March, the SRC created a new subcommittee: the Housing Taskforce (HTF). The HTF contained key staff from a wide variety of agencies, as well as other key stakeholders like local councils where appropriate, and was chaired by a Senior Executive from the Planning Branch of the Department of Planning and Environment (DPE). A terms of reference was quickly developed for the subcommittee. The HTF’s initial purpose included developing a strategy for identifying locations and pathways for temporary housing. This allowed the Health and Wellbeing subcommittee and the HTF to provide more focus on their particular areas of responsibility.

The SRC helped to manage issues but did not provide strategic risk management

Subcommittees regularly reported to the SRC throughout the flood response period. The SRC was able to manage issues with these programs as they arose, often by connecting relevant staff and providing a forum for these issues to be resolved across agencies. In this way, the SRC was able to manage issues, which aligns with its role in facilitating whole-of-government coordination.

Given that all relevant agencies were represented on the SRC, it was uniquely placed to provide strategic risk management across all aspects of the recovery effort including provision of accommodation and housing following the floods. This would fall within the SRC’s role of providing strategic direction in relation to disaster recovery. Strategic risk management involves addressing external risks, including those which may impact the government’s ability to achieve its objectives. The SRC did not undertake strategic risk management to proactively identify issues that could hinder the recovery effort, such as through developing risk registers and assigning mitigation strategies to agencies or specific individuals.

In regards to the flood temporary housing response, this may have included identifying and mitigating risks that could impact on the quantity of housing provided, risks to the overall flood recovery budget, and risks related to further flood events occurring that might hinder flood recovery. While the SRC did not consider this work during the flood response, Resilience NSW and the Reconstruction Authority both documented some whole-of-government risks to the delivery of the response to natural disasters as part of their enterprise risk management processes, including throughout 2022. However, this work was not undertaken specifically in relation to the unfolding flood events, but was instead done as part of the agency's regular review of its enterprise risks. Given that only one agency was involved in this risk identification, it was not a substitute for whole-of-government risk identification through the SRC.

The HTF did undertake some separate risk identification for the temporary housing response in the Northern Rivers, but not until October 2022. The HTF had been in operation since March 2022 without undertaking formal risk assessments to determine key risks to the provision of temporary housing that required mitigation. Some of the risks identified included expenditure on temporary housing exceeding its allocated budget, temporary housing sites failing to deliver agreed outcomes, and that there would be inappropriate or ineffective engagement with Aboriginal communities. This risk identification from the HTF was also reflected in Resilience NSW's and the Reconstruction Authority’s enterprise risk registers, where it is identified that there is a risk that the agencies do not effectively deliver on short and medium term housing.

The SRC provided oversight of the work of subcommittees

As noted above, one of the roles of the SRC is to oversee reconstruction and recovery efforts in disaster impacted areas. To fulfil this role of providing oversight, the SRC received updates on the activities of each subcommittee at each meeting.

In March 2022, each subcommittee developed a 100-Day Flood Action Plan that set out actions that would be completed in the first 30, 60 and 100 days. Each subcommittee was required to update its Flood Action Plan and report progress on implementation to the SRC every two weeks. The SRC received this regular reporting from each subcommittee, which included the status of each item, actions undertaken to date, and the next steps that each subcommittee was undertaking. This served to provide the SRC with oversight of the actions of each group to supplement the subcommittee updates with greater detail.

The quality of reporting from the HTF to the SRC reduced throughout August and September 2022. At this time the updates from the subcommittee included either only a verbal update or only statistical updates on the temporary housing response. This means that throughout this period, the SRC was providing only limited oversight of the temporary housing response. From October 2022, the HTF provided more detailed updates to the SRC, providing data on the temporary housing villages including the number of dwellings, estimated capacity and the status of each of the village sites (whether operational or estimated date of construction completion).

DCJ adapted its usual procedures to house a large number of people in emergency accommodation following the Northern Rivers flood event

The HCC, a branch within DCJ, is responsible for arranging emergency accommodation during a disaster, although this responsibility was not outlined in a specific emergency accommodation plan or procedure at the time of the flood events. Once a disaster is declared, the HCC is activated for a disaster welfare response. The team is required to estimate the number of people who will be displaced by the disaster and may seek emergency accommodation. The team is also required to contact local accommodation providers such as hotels, motels and caravan parks to determine vacancy information, as well as obtain information about the facilities such as wheelchair accessibility and pet-friendly rooms. The HCC team will then make direct contact with staff at evacuation centres and facilitate bookings based on the demand. A central internal database is utilised by the HCC, which enables them to see providers and book within the system.

In following these procedures, DCJ housed 788 people in the two weeks following the initial flood event by utilising the standard local accommodation providers. On 27 April 2022, 1,440 people were reported as staying at local accommodation providers as part of the emergency accommodation response. Exhibit 5 shows the number of people housed in emergency accommodation across the North Coast from March 2022 to early April 2023.

Governance structures continued to operate as previously established in response to the Central West flood event

The governance structures established in response to the 2019–20 bushfires and the flood event in the Northern Rivers mostly operated in the same capacity for the management of the Central West flood event. In October 2022, the meeting frequency for the SRC reduced to fortnightly, following the same structure with subcommittee updates discussed as part of the agenda. There was no increase in meeting frequency during or in the immediate aftermath of the response to the Central West flood event.

Resilience NSW continued to document whole-of-government risks to the delivery of the response to natural disasters during the response to the Central West flood event, and this work was continued by the Reconstruction Authority once established. Resilience NSW also continued to develop risk dashboard heatmaps each quarter, monitoring any changes in the residual risk rating of these risks, as well as outlining issues identified, and any new and emerging risks.

DCJ housed displaced persons in the Central West quickly, considering additional needs during the process

DCJ, through the HCC, advised that it followed its standard process outlined above for the provision of emergency accommodation during the Central West flood event. The evacuation order for Eugowra was made on 15 November 2022, and by 8 December 2022, DCJ had housed 93 people from the community in emergency accommodation. The HCC was able to utilise alternative accommodation such as rooms at Charles Sturt University to meet the increasing demand for emergency accommodation in the Central West.

Through the initial consultation process conducted with displaced persons at evacuation centres, the HCC was also able to consider their additional needs and meet these where possible. For example, companion animals were supported by Local Land Services and the Royal Society for the Prevention of Cruelty to Animals through the provision of boarding services. DCJ advised that local needs were also considered as part of the intake process. For example, displaced persons were accommodated as close to their hometown as possible. Those evacuated from Forbes were given priority for emergency accommodation in Forbes. This did impact evacuees from other towns. Ordinarily, those displaced in Eugowra would also be housed in Forbes, but due to limited accommodation options, they were evacuated to Orange instead. Other considerations made for displaced persons included level access and accessible rooms for those with disabilities, and baby care items, such as cots, where required.

The At-home Caravans program was implemented as immediate shelter for displaced persons awaiting pods on their property in the Central West

By 28 November 2022, Resilience NSW made the decision to activate the At-home Caravans program in the Central West, with applications from displaced persons being taken within a week after the flood event in Eugowra. Caravans were temporarily set up on private properties in Eugowra. Displaced persons are able to live in these caravans while waiting for a pod to be installed on their property. By 10 January 2023, 102 caravans had been delivered to the Central West and started to be located on private properties. At 30 May 2023, Resilience NSW had delivered 124 out of the 129 required caravans to properties. A plan was implemented to provide immediate shelter in the community through the caravans, organise medium-term housing in the form of pods, and support displaced persons to repair or rebuild their homes. Caravans were provided to households where properties required demolition, those that were damaged but reparable, and rental properties with owner’s consent.

Other options for immediate shelter were considered but not progressed. Placing caravans on site at showgrounds or caravan parks was considered, however a NSWPW assessment found that 95% of impacted homes could accommodate caravans on property. Caravans on property require less ongoing case management, site works and utilities. Private farm house rental accommodation was also considered, however extremely low availability of these in the area resulted in the decision to not progress this option.

Resilience NSW was able to meet the demand for housing in the Central West by placing temporary housing on people’s property

Resilience NSW conducted early analysis of potential temporary housing village sites in the aftermath of the floods in the Central West. However, after reviewing the situation in Eugowra and the relatively larger blocks, it was decided a more appropriate solution would be to place temporary pods on private property. Part of this decision was the impact a centralised village located in Eugowra would have on displaced persons from other affected towns. At 30 May 2023, 59 out of 100 pods had been installed on private properties. These pods replaced caravans initially installed on private properties, although at the time of the audit some disaster-affected persons were still living in caravans while they wait for pod installation on their property.

Resilience NSW was able to utilise the excess pods from the Northern Rivers to reduce the wait time for displaced persons to move into the pod from the caravan located on their property. Once their eligibility had been confirmed, the resident met with NSWPW and the builders contracted to install the pods. The resident confirmed where they would like the pod placed and the size needed. Applicants were then prioritised by Resilience NSW and pods installed in order of this prioritisation. NSWPW engaged the same third-party contractor used in the Northern Rivers construction to expedite the installation process.

Resilience NSW used measures to adapt the pods for suitable use in the Central West, as well as configuring them to meet mobility needs of residents. Cabonne Shire and Forbes Shire Councils required pods to be built at a height of 1.5 metres. The pods were therefore installed on scaffolding to raise their height. As the pods were designed and constructed for the Northern Rivers climate, insulation was installed on the base of the pods to ensure the inside temperature was appropriate for residents in the Central West. The raised height of the pods also impacted their accessibility, so the contractor was also engaged to install ramps instead of stairs where needed.

The first demobilisation of a pod occurred on 7 August 2023, after the resident’s home had been repaired and it was suitable for them to move back home. The Reconstruction Authority advised that as pods continue to be demobilised, they will be cleaned, any required repairs completed, and then moved onto the next property as needed. There was no long-term plan initially developed for the transition of tenants out of temporary housing, although the Reconstruction Authority has advised that the newly developed Temporary Housing Plan will include these considerations to inform processes at the end of the lease period. There has been consideration for returning the pods to the Northern Rivers once the work in the Central West is complete.

The Reconstruction Authority advised that due to the delays residents are facing in accessing trades and payment of insurance claims, the HTF is currently seeking the support of councils to extend the placement of pods beyond the two years that were initially planned.

There was no clear process in place to support displaced persons in emergency accommodation who were ineligible for temporary housing in the Central West

The WSFASP in place during the flood events did not outline a transition plan for displaced persons staying in emergency accommodation. Resilience NSW took over responsibility for the transition of displaced persons from emergency accommodation to temporary housing. It was not always possible to house rental tenants by placing a pod on the property they were occupying because they were unable to obtain landowner permission. It was necessary to find an alternative property to install these pods, usually on property owned by a family member. This was able to address most tenants’ issues.

It was unclear which agency was responsible for the support of renting households in the medium to long-term. The lack of a documented process for the provision of emergency accommodation created a gap in relation to the support for displaced persons. The WSFASP has since been updated to include provision for coordinated case management support to assist people in emergency accommodation with longer-term housing needs.

DCJ maintained a list of displaced persons who had been staying in emergency accommodation and were unable to exit without assistance. This list was provided to Resilience NSW weekly. Resilience NSW provided updates to DCJ on the status of those who were being transitioned into temporary housing, but no assistance was provided by Resilience NSW to those who were ineligible for temporary housing. DCJ was therefore required to provide case management to these people to assist in their transition to more stable housing.

Agencies learned and applied lessons from the Northern Rivers floods to the Central West flood event, but most have not formalised these for future consideration

Agencies involved in the provision of emergency accommodation and temporary housing learned key lessons from the Northern Rivers floods that could be applied in the Central West response. These lessons included the Reconstruction Authority rapidly standing up the At-home Caravans Program to provide immediate accommodation to displaced persons, and instigating a community reference group to provide feedback on the proposed housing response plan. These lessons learned were largely undocumented, with many staff being involved across both the Northern Rivers and Central West flood response, and able to directly apply lessons learned from their experience in the earlier response. It is good practice to formalise lessons learned to ensure that future responses may have access to contemporary information to learn from both positive and negative experiences in previous situations.

DCJ and Premier’s Department (PD) have not yet documented any lessons learned from their roles in the flood events. Some lessons were documented by Resilience NSW in April 2022 as part of a process to identify emerging insights. These lessons covered a broad range of activities, including findings relevant to the provision of temporary housing.

In June 2023, the Reconstruction Authority formally documented its own lessons learned from the provision of temporary housing. This includes identifying actions to avoid repeating some of the negative experiences, such as Aboriginal communities not being consulted at the appropriate time, and not having adequate program design processes in place for the temporary housing program. In addition, NSWPW has commissioned an evaluation of its work in the construction and provision of temporary housing, which includes a formal lessons learned component.

External reviews have also been conducted and have captured interim lessons learned, including the 2022 NSW Flood Inquiry and the ‘Response to major flooding across New South Wales in 2022’ Parliamentary Inquiry.

Agencies are in the process of evaluating the provision of emergency accommodation and temporary housing

Agencies have commenced the process of evaluating their role in the provision of emergency accommodation and temporary housing. DCJ advised that an external evaluation would commence shortly and that it was in the process of engaging a consultancy firm to conduct this. NSWPW has also commenced an external review of its provision of temporary housing. DPE and PD have not commenced a review, although PD has established a new unit for strategic communications during disasters in response to the agency's involvement in crisis communications during the flood events. This unit has been developed to deliver overarching whole-of-government messaging during disaster events.

Similarly, the Reconstruction Authority advised that an evaluation was planned for the provision of temporary housing. In addition, Resilience NSW commissioned an evaluation of the use of the Minderoo Foundation pods in response to the 2019–20 bushfires. This review reported in November 2022, though it had limited consideration of the role of the Minderoo Foundation pods as a source of temporary housing in the Northern Rivers. This report made 19 recommendations to the Reconstruction Authority and the Minderoo Foundation, and found that the Minderoo pods had largely been delivered in line with the original intended objectives.

There is no State-wide process in place to capture lessons learned from all agencies involved in recovery

Each year, the SEMC conducts a State-wide lessons learned exercise, incorporating learnings from all of the emergency events in the previous year. This exercise has commenced for the 2022 emergency events, however at the time of the audit it was in draft and not yet formally endorsed by the SEMC.

The agencies involved in the State lessons learned process are agencies with emergency response responsibilities. The findings largely relate to these response activities, with very few lessons learned relating to recovery. Only a limited number of agencies are involved in this activity, and the 2022 review did not incorporate the views of a number of agencies that were involved in the recovery phase of the Northern Rivers and Central West flood events.

While it is important that lessons are learned from the response phase of an emergency, it is equally important that State-wide lessons are learned from the recovery phase to ensure that appropriate State-wide changes can be made, or positive experiences can be continued. There is currently no process in place to capture these lessons learned from the recovery phase from all agencies involved in the recovery phase.

Appendix one – Responses from entities

Appendix two – About the audit

Appendix three – Performance auditing

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #389 - released 22 February 2024

Published

Management of the Critical Communications Enhancement Program

Finance
Health
Justice
Whole of Government
Cyber security
Information technology
Infrastructure
Internal controls and governance
Project management
Risk
Service delivery
Shared services and collaboration

What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

  • The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
  • The need to finalise a Traffic Mitigation Plan for when the network is congested.
  • The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
  • The need to clarify how encryption and interoperability will work on the enhanced network.
  • The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
  • Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

  • NSW Ambulance
  • Fire and Rescue NSW
  • NSW Police Force
  • NSW Rural Fire Service
  • NSW State Emergency Service.1

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.2

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

  1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
  2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

  • to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
  • to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

Conclusion

In areas of New South Wales where the enhanced Public Safety Network has been implemented under the Critical Communications Enhancement Program, the NSW Telco Authority has delivered a radio network that meets most of the agreed requirements of Emergency Services Organisations for routine and emergency operations.
In April 2023, the enhanced Public Safety Network (PSN) was approximately 50% completed. In areas where it is used by Emergency Services Organisations (ESOs), the PSN generally meets agreed user requirements. This is demonstrated through extensive performance monitoring and reporting, which shows that agreed performance standards are generally achieved. Reviews by the NSW Government and the NSW Telco Authority found that the PSN performed effectively during major flood events in 2021 and 2022.

Where it is completed, PSN coverage is generally equal to or better than each ESO's individual pre-existing coverage. The NSW Telco Authority has a dedicated work program to address localised coverage gaps (or 'blackspots') in those areas where coverage has otherwise been substantively delivered. Available call capacity on the network far exceeds demand in everyday use. Any operational issues that may occur with the PSN are transparent to ESOs in real time.

The NSW Telco Authority consulted extensively with ESOs on requirements for the enhanced PSN, with relatively few ESO requirements not being included in the specifications for the enhanced PSN. Lessons from previous events, including the 2019–20 summer bushfires, have informed the design and implementation of the enhanced PSN (such as the need to ensure adequate backup power supply to inaccessible sites). The network is based on the Project 25 technical standards for mission-critical radio communications, which is widely-accepted in the public safety radio community throughout Australia and internationally.

There is no mechanism to ensure adequate radio coverage within new building infrastructure after the CCEP concludes, but the NSW Telco Authority and ESOs have agreed an approach to prioritise existing in-building sites for coverage for the duration of the CCEP.
The extent to which the PSN works within buildings and other built structures (such as railway tunnels) is of crucial importance to ESOs, especially the NSW Police Force, NSW Ambulance, and Fire and Rescue NSW. This is because a large proportion of their operational communications occurs within buildings.

There is no mechanism to ensure the adequacy of future in-building coverage for the PSN in new or refurbished buildings after the CCEP concludes. Planning, building, and fire regulations are silent on this issue. We note there are examples in the United States of how in-building coverage for public safety radio networks can be incorporated into building or fire safety codes.

In regard to existing buildings, it is not possible to know whether a building requires its own in-building PSN infrastructure until nearby outside radio sites, including towers and antennae, have been commissioned into the network. Only then can it be determined whether their radio transmissions are capable of penetrating inside nearby buildings. Accordingly, much of this work for in-building coverage cannot be done until outside radio sites are finished and operating.

In March 2023, the NSW Telco Authority and ESOs agreed on a list of 906 mandatory and 7,086

non-mandatory sites for in-building PSN coverage. Most of these sites will likely be able to receive radio coverage via external antennae and towers, however this cannot be confirmed until those nearby external PSN sites are completed. The parties also agreed on an approach to prioritising those sites where coverage is needed but not provided by antennae and towers. Available funding will likely only extend to ensuring coverage in sites deemed mandatory, which is nonetheless expected to meet the overall benchmark of achieving 'same or better' coverage than what ESOs had previously.

There is a risk that radio interoperability between ESOs will not be maximised because the NSW Telco Authority has not settled with ESOs how encryption will be used across the enhanced PSN.
End-to-end encryption of radio transmissions is a security feature that prevents radio transmissions being intercepted or listened to by people who are not meant to. The ability of the PSN to provide end-to-end encryption of operational communications is of critical importance to the two largest prospective users of the PSN: the NSW Police Force and NSW Ambulance. Given that encryption excludes other parties that do not have the requisite encryption keys, its use creates an obstacle to achieving a key intended benefit of the CCEP, that is a more interoperable PSN, where first responders are better able to communicate with other ESOs.

Further planning and collaboration between PSN participants are necessary to consider how these dual benefits can be achieved, including in what operational circumstances encrypted interoperability is necessary or appropriate.

The capital cost to the NSW Telco Authority of the CCEP, originally estimated at $400 million in 2016, was not made public until the 2021–22 NSW Budget disclosed an estimate of $1.325 billon.
The estimated capital cost to complete all stages of the CCEP increased over time. This increasing cost was progressively disclosed to the NSW Government through Cabinet processes between 2015–16 and 2021–22.

In 2016, the full capital cost to the NSW Telco Authority of completing the CCEP was estimated to be $400 million. This estimated cost was not publicly disclosed, nor were subsequent increases, until the cost of $1.325 billion was publicly disclosed in the 2021–22 NSW Budget (revised down in the 2022–23 NSW Budget to $1.293 billion).

There has been no transparency about the whole-of-government cost of implementing the enhanced PSN through the CCEP.
In addition to the capital costs incurred directly by the NSW Telco Authority for the CCEP, ESOs have incurred costs to maintain their own networks due to the delay in implementing the CCEP. The ESOs will continue to incur these costs until they are able to fully migrate to the enhanced PSN, which is expected to be in 2027. These costs have not been tracked or reported as part of transparently accounting for the whole-of-government cost of the enhanced PSN. This is despite Infrastructure NSW in 2019 recommending to the NSW Telco Authority that it conduct a stocktake of such costs so that a whole-of-government cost impact is available to the NSW Government.
1 The definition of 'emergency services organisation' is set out in the State Emergency and Rescue Management Act 1989 (NSW). In addition to the five ESOs discussed in this report, the definition also includes: Surf Life Saving New South Wales; New South Wales Volunteer Rescue Association Inc; Volunteer Marine Rescue NSW; an agency that manages or controls an accredited rescue unit; and a non-government agency that is prescribed by the regulations for the purposes of this definition.
2 Section 15(1) of the Government Telecommunications Act 2018 (NSW).

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

Exhibit 6: Estimated costs to fully implement the CCEP
Source Capital cost ($ million) Operating cost
($ million)		 Completion date
March 2016 business case 400 37.3 2020
November 2017 internal review 476.7 41.7 2022
March 2020 business case 950–1,050 -- 2025
October 2020 business case 1,263.1 56.1 2026
Source: CCEP business cases as identified.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

Exhibit 7: CCEP funding in NSW Budget papers from 2015–16 to 2022–23
Financial year Type of major work Description of expenditure Forecast estimate to complete ($ million) Estimated duration
2015–16 New work Infrastructure Rationalisation Program: Planning and Pilot 18.3 2015–16
2016–17 Work in progress CCEP Planning and Pilot 18.3 2015–17
New work CCEP 45 2016–17
2017–18 New work CCEP 190.75 2017–21
2018–19 Work in progress CCEP North Coast and State-wide Detailed Design 190.75 2017–21
New work CCEP Greater Metropolitan Area 236 2018–22
2019–20 Work in progress CCEP 426.9 2018–22
2020–21 Work in progress CCEP 664.8 2018–22
2021–22 Work in progress CCEP 1,325 2018–26
2022–23 Work in progress CCEP 1,292.8 2018–26
Source: NSW Treasury, Annual State Budget Papers.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

…coordinate a stocktake of the costs of operational bridging solutions implemented by PSAs [ESOs] as a result of the 18-month delay, so that a whole-of-government cost impact is available to the NSW Government.  

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

Exhibit 8: Stay Safe and Keep Operational forecast costs, 2017 to 2020
Year 2017 2018 2019 2020 Total
SSKO forecast ($ million) 12.5 15 10 2.5 40
Source: March 2016 CCEP business case.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

  • it was expressly included in the original approved March 2016 business case
  • the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

  • funding would be coordinated by the NSW Telco Authority
  • scheduling and reporting through an inter-agency working group and
  • where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

  • decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
  • effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
  • costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

  • $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
  • $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

  • budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
  • the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
  • the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Exhibit 9: Estimated whole-of-government costs of the enhanced PSN
  Estimated whole-of-government cost, over time
Cost type 20161 20172 20203 2023–Estimate A4 2023–Estimate B5
$ million $ million $ million $ million $ million
CCEP capital expenditure 400a 476.7b 1,263.1c 1,292.8d 1,292.8d
CCEP operating expenditure 37.3a 41.7b 41.5e 139d 139d
CCEP total 437.3 518.4 1,304.6 1,431.8 1,431.8
ESO capital expenditure 75.2a,f 183b,e 75.4e 258.4g 292.5
ESO one-off operating expenditure 93a n.a.l 86.5e 86.5h 273
ESO total 168.2 183 161.9 344.9 565.5
Paging n.a.i n.a.i n.a.j 60.3k 60.3k
Decommissioning 93 n.a.l 201.0 201h 201
Paging and decommissioning total 93 n.a. 201 261.3 261.3
Whole-of-government total 698.5 701.4 1,667.5 2,038 2,258.6
Notes:
  1. Financial year 2016 to Financial year 2020.
  2. Financial year 2016 to Financial year 2021.
  3. Financial year 2016 to Financial year 2025.
  4. Financial year 2016 to Financial year 2026.
  5. Financial year 2022 to Financial year 2025.
  6. Stay Safe and Keep Operational (SSKO) costs plus terminals costs.
  7. November 2017 internal review and October 2020 Business case.
  8. October 2020 Business case.
  9. Included in CCEP capital expenditure at that time.
  10. By 2020, a refresh of the paging network had been removed from the CCEP scope.
  11. A separate business case for a refresh of the paging network was approved by government in 2022.
  12. Figure not included in the source document.
Sources:
  1. March 2016 CCEP business case.
  2. November 2017 Internal Review conducted by the NSW Telco Authority.
  3. October 2020 CCEP business case.
  4. Derived from business cases, with ESO costs drawn from NSW Telco Authority data.
  5. Derived from business cases, with ESO costs based on data provided to the Audit Office of New South Wales by each of the five ESOs.

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

 

 

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #383 - released 23 June 2023

 

Published

Regulation and monitoring of local government

Planning
Whole of Government
Environment
Local Government
Compliance
Regulation
Risk

What the report is about

The Office of Local Government (OLG) in the Department of Planning and Environment is responsible for strengthening the local government sector, including through its regulatory functions.

This audit assessed whether the OLG is effectively monitoring and regulating the sector under the Local Government Act 1993. The audit covered:

  • the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions
  • whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

What we found

The OLG does not conduct effective, proactive monitoring to enable timely risk-based responses to council performance and compliance issues.

The OLG has not clearly defined and communicated its regulatory role to ensure that its priorities are well understood.

The OLG does not routinely review the results of its regulatory activities to improve its approaches.

The department lacks an adequate framework to define, measure and report on the OLG's performance, limiting transparency and its accountability.

The OLG's new strategic plan presents an opportunity for the OLG to better define, communicate, and deliver on its regulatory objectives.

What we recommended

The OLG should:

  • publish a tool to support councils to self-assess risks and report on their performance and compliance
  • ensure its council engagement strategy is consistent with its regulatory approach
  • report each year on its regulatory activities and performance
  • publish a calendar of its key sector support and monitoring activities
  • enhance processes for internally tracking operational activities
  • develop and maintain a data management framework
  • review and update frameworks and procedures for regulatory responses.

 

The Local Government Act 1993 (the LG Act) provides the legal framework for the system of local government in New South Wales. The LG Act describes the functions of councils, county councils and joint organisations which should be exercised consistent with the guiding principles and requirements of the LG Act. Councils also have functions and responsibilities under other Acts.

There are 128 local councils, nine county councils and 13 joint organisations of councils in the New South Wales local government sector. Each council is unique in size and location, owns and manages assets, and delivers services for their communities. According to 2021–22 data provided by the Department of Planning and Environment (the department), local councils managed $175.2 billion in infrastructure, property plant and equipment, held $16.8 billion of cash and investments, collected $7.8 billion in rates and charges and entered into $3.7 billion of borrowings. Councils' decision-making responsibilities directly impact the communities they serve, including responsibilities relevant to financial management, economic development, environmental sustainability and community wellbeing.

Under the LG Act, each elected council is accountable to the community they serve. In addition to Auditor-General reports, issues relating to council performance and compliance have been identified in public inquiries commissioned by the Minister for Local Government and investigations by the Independent Commission Against Corruption, NSW Ombudsman and Office of Local Government (OLG). Challenges and opportunities related to the operations and sustainability of the local government sector have also been reported by the sector and identified in reports by NSW government agencies such as the Independent Pricing and Regulatory Tribunal.

The department is the primary state government agency with responsibility for policy, legislative, regulatory and program functions for local government matters. The Office of Local Government (OLG) is a business unit within the department that advises the Minister for Local Government and exercises delegated functions of the Secretary of the Department of Planning and Environment under the LG Act.

Key departmental planning documents state that the OLG is responsible for strengthening the sustainability, performance, integrity, transparency and accountability of the local government sector. As the state regulator of the local government sector, the OLG aims to promote voluntary compliance, build councils' capacity for high performance, and intervene only when 'warranted and appropriate'. Relevant regulatory activities include issuing guidelines, investigating councils and councillors, and supporting the Minister for Local Government's discretionary intervention powers. The OLG's other functions include developing policy, administering grants and programs, supporting local government election processes, and issuing certain approvals.

The objective of this audit was to assess whether the OLG is effectively monitoring and regulating the local government sector under the LG Act. The assessment included:

  • the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions
  • whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

This report focuses on the OLG’s activities relevant to powers under Chapter 13 of the LG Act, and related regulatory activities, such as monitoring risks, issuing guidance and engaging with councils. It also examines strategic and operational planning for these activities in the context of the OLG's other activities, and departmental arrangements to oversee and enable the OLG's regulatory effectiveness.

Other OLG activities were not in scope of the audit but are commented on in this report where contextually relevant. This includes the OLG's responsibilities under the LG Act with respect to councillor misconduct, and the 2022 review of the councillor misconduct framework commissioned by the former Minister for Local Government.

Conclusion

The Office of Local Government (OLG) in the Department of Planning and Environment (the department) does not conduct effective, proactive monitoring to enable timely risk-based responses to council performance and compliance issues. Council performance and compliance varies and a range of issues continue across the local government sector – some significant – that can impact on councils' operations and sustainability.

The department recognises that an effective and efficient sector is 'crucial to the economic and social wellbeing of communities across the State,' but the OLG does not routinely review the results of its regulatory activities to improve its approaches. The OLG has also not clearly defined and communicated its regulatory role to ensure that its priorities are well understood.

Inadequate performance measurement and reporting on its regulatory activities is a significant transparency and accountability issue, and the OLG cannot demonstrate that it is effectively regulating the local government sector.

The department lacks an adequate framework to define, measure and report on the OLG's performance as the state regulator of the sector under the Local Government Act 1993 (the LG Act). The OLG's various council engagement activities are not well structured and coordinated towards delivering on a clearly defined regulatory role and its regulatory priorities are not well understood. In 2022, the OLG identified, in its new strategic plan, that there is a need for it to define its role in the sector. It would be expected that a clearly defined role already underpins its aim to 'strike the right mix of monitoring, intervention, capability improvement and engagement activities'.

The OLG collects various sources of information about council compliance and performance but its systems and processes do not enable structured, proactive sector monitoring to enable timely, risk-based responses. Ineffective sector monitoring is a particular issue in the context of compliance, financial management and governance risks that have been identified in inquiries and reviews by other government agencies including integrity bodies and reported by the sector. Audit Office data for 2021–22 shows that 62 councils did not have or regularly update key corporate governance policies, and 63 do not have basic controls to manage cyber security risks. Further, 31 councils or joint organisations did not meet the statutory requirement to have an audit, risk and improvement committee by 30 June 2022.1

Overall, the OLG has made limited progress on projects that have been identified since 2019 to improve its sector monitoring, such as updating its performance measurement framework for councils. These factors limit its capacity to identify and act on issues early. In early 2023, the OLG started to implement a new council risk assessment tool.

The OLG's two main frameworks to guide its sector improvement and intervention activities were last updated in 2014 and 2017. The OLG considered relevant statutory criteria when advising the Minister on the use of powers to issue performance improvement and suspension orders under the LG Act. But the OLG lacks complete and approved procedures to guide staff when preparing advice and recommendations related to interventions, and other response options. This creates risks to the consistency and transparency of relevant processes.

The department and the OLG have identified that resourcing issues present a risk to the OLG's regulatory functions. Projects since 2021 to review the OLG's budget did not progress. The OLG does not routinely review the costs or evaluate the effectiveness of its regulatory activities.

The OLG's 2022–2026 strategic plan sets out a vision to be, 'A trusted regulator and capability builder enabling councils to better serve their communities'. Implementing the strategic plan presents an opportunity for the OLG to better define, communicate, and deliver on its regulatory objectives towards strengthening the sector. The OLG advises that a delivery plan and performance indicators for its new strategy are being developed, alongside work resulting from the 2022 review of the councillor misconduct framework.

 

1 This data has been sourced through the Audit Office's financial audits of councils. The Local Government 2022 report, which compiles results from the local government sector financial statement audits for the year ended 30 June 2022, will include this and additional data, and related information. This report is expected to be tabled in June 2023.

This chapter considers the effectiveness of departmental arrangements for the OLG to undertake its regulatory functions.

This chapter assesses whether the OLG has effective mechanisms to monitor and respond to risks and issues relating to council compliance and performance.

The OLG’s 2017 Improvement and Intervention Framework is intended to guide appropriate responses to council compliance or performance risks and issues. The publicly available framework states that generally, the OLG will encourage councils to meet their obligations before a more formal intervention will be considered. It also states that any intervention or improvement response will be proportionate to the circumstances.

Appendix one – Response from agency

Appendix two – Statutory powers relevant to council accountability under the Local Government Act

Appendix three – About the audit

Appendix four – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #380 - released 23 May 2023

Published

NSW government agencies' use of consultants

Treasury
Whole of Government
Compliance
Internal controls and governance
Management and administration
Procurement
Workforce and capability

What the report is about

This audit assessed how effectively NSW government agencies procure and manage consultants. It examined the role of the NSW Procurement Board and NSW Procurement (a unit within NSW Treasury) in supporting and monitoring agency procurement and management of consultants.

The audit used four sources of data that contain information about spending on consultants by NSW government agencies, including annual report disclosures and the State's financial consolidation system (Prime). It also reviewed a sample of consulting engagements from ten NSW government agencies.

What we found

Our review of a selection of consulting engagements indicates that agencies do not procure and manage consultants effectively.

We found most agencies do not use consultants strategically and do not have systems for managing or evaluating consultant performance. We also found examples of non-compliance with procurement rules, including contract variations that exceeded procurement thresholds.

NSW Procurement has made improvements to the information available about spending on consultants, including additional analysis and reporting. However, there is no single data source that accurately captures spending on consultants.

Our analysis of data on whole-of-government spending on consultants, drawn from agency annual reports, indicates that four large professional services firms accounted for about a quarter of consultancy expenditure from 2017–18 to 2021–22. This concentration increases strategic risks, including over-reliance on a limited number of providers and potential reduction in the independence of advice.

It is also highly unlikely that NSW government agencies will meet the government's 2019 policy commitment to reduce consultancy expenses by 20% each year, over four years, from 2019–20. NSW Treasury advised that to implement this commitment, agency budgets were reduced in Prime in line with the savings targets. However, actual spending on consulting in NSW Treasury's Reports on State Finances 2020–21 and 2021–22 was almost $100 million higher than the savings targets over the first three years since 2019–20.

What we recommended

The report made seven recommendations which aim to improve:

  • the quality and transparency of data on spending on consultants
  • monitoring of strategic risks and agency compliance with procurement and recordkeeping rules
  • agencies' strategic use of consultants, including evaluation and knowledge retention.

Between 2017–18 and 2021–22, NSW government agency annual reports disclosed total spending of around $1 billion on consultants across more than 10,000 engagements. More than 1,000 consulting firms provided services to NSW government agencies during this period. Consulting is a classification of professional services that is characterised by giving advice or recommendations on a specific issue. The NSW Procurement Board Direction PBD-2021-03 defines a consultant as a person or organisation that provides 'recommendations or professional advice to assist decision-making by management'. PBD-2021-03 notes that the advisory nature of the work of consultants is the main factor that distinguishes them from other providers of professional services.

The NSW Procurement Board is responsible for setting procurement policy, issuing directions to support policies, and monitoring and reporting on agency compliance with policies and directions. NSW Procurement, a division within NSW Treasury, supports agencies to comply with the NSW Procurement Board’s policies and directions. A 'devolved governance model' is used for procurement in New South Wales. This means the heads of government entities that are covered by the NSW Procurement Board’s directions are responsible for managing the entity's procurement, including managing risks, reporting and ensuring compliance, in line with procurement laws and policies.

This audit assessed how effectively NSW government agencies procure and manage consultants. It assessed the role of the NSW Procurement Board and NSW Procurement in supporting and monitoring agency procurement and management of consultants. It also reviewed a sample of consulting engagements from ten NSW government agencies to examine how agencies procured, managed and reported on their use of consultants. The ten NSW government agencies were:

  • NSW Treasury
  • Department of Communities and Justice
  • Department of Customer Service
  • Department of Education
  • Department of Planning and Environment
  • Department of Premier and Cabinet
  • Department of Regional NSW
  • Infrastructure NSW
  • Sydney Metro
  • Transport for NSW

There are four different sources of data that contain information about spending on consultants by NSW government agencies: the State's financial consolidation system (Prime), disclosures of spending on consultants in agency annual reports, and two systems operated by NSW Procurement (the Business Advisory Services (BAS) dashboard and Spend Cube). Each of these data sources serves a different purpose, and collects and categorises information differently. None of these provide a complete source of data on spending on consultants, either in their own right or collectively.

NSW Treasury considers Prime to be the 'source of truth' on consulting expenditure across the NSW public sector. An account within Prime records recurrent spending on consultants, but this account does not include capital expenditure (that is, spending on consultants that has from a financial reporting perspective been 'capitalised' to a project on the balance sheet). As the State's financial consolidation system, Prime captures all financial information. However, capitalised consulting expenditure is recorded within various capital accounts, and is not identifiable within these accounts. While this is appropriate for accounting purposes, it means that the Prime account that records recurrent consulting expenditure does not reflect total spending on consultants by NSW government agencies. We used the data in Prime to assess whether NSW government agencies met the NSW Government's policy commitment—stated before the 2019 election and costed by the Parliamentary Budget Office—to reduce recurrent expenditure on consulting by 20% each year, over four years, from 2019–20. We did this because, while the Prime account for recurrent consulting expenditure does not reflect all spending on consultants, it does capture the recurrent spending that was subject to the policy commitment.

Most NSW government agencies are required by legislation to disclose spending on consultants (as defined in PBD-2021-03) in their annual reports. These disclosures include both recurrent and capital expenditure. For consulting engagements that cost more than $50,000, the disclosures also provide itemised information, including the names of the individual projects and the consultants used. While this data is more complete than Prime because it includes capital expenditure, it also has some gaps. Some entities are excluded from public reporting requirements on consultant use. For example, NSW Local Health Districts (LHD) are not required to produce annual reports, and the Ministry of Health does not include LHD consulting expenditure in its annual report.1 We used annual report disclosure data to report on total expenditure on consultants, and the concentration of suppliers of consulting services to NSW government agencies.

The BAS dashboard and Spend Cube are systems created by NSW Procurement to collect information about spending on suppliers of professional services. This includes consultants, but also includes other professional services providers. The systems were not designed for reporting on spending on consulting as defined in PBD-2021-03. However, we have used this data to assess specific aspects of NSW Procurement's monitoring of the use of consultants by NSW government agencies.

In 2018, we conducted an audit titled 'Procurement and reporting of consultancy services'. This assessed how 12 NSW government agencies complied with procurement requirements and how NSW Procurement supported the functions of the NSW Procurement Board. The 2018 audit found that none of the 12 agencies fully complied with NSW Procurement Board Directions on the use of consultants and that the NSW Procurement Board was not fully effective in overseeing and supporting agencies’ procurement of consultants. Specific findings from the 2018 audit included: 

  • Agencies applied the definition of consultant inconsistently, which affected the accuracy of reporting on consultancy expenditure.
  • There was inadequate guidance from NSW Procurement for agencies implementing the procurement framework, with a need for additional tools, automated processes, and other internal controls to improve compliance.
  • NSW Procurement had insufficient data for effective oversight of procurement and did not publish any data on the procurement of consultancy services by NSW government agencies.

Conclusion

Our review of a selection of consulting engagements from ten NSW government agencies indicates that these agencies do not procure and manage consultants effectively. We found that most agencies do not have a strategic approach to using consultants, or systems for managing or evaluating their performance. We also found examples of non-compliance with procurement rules, including contract variations that exceeded procurement thresholds. NSW Procurement, a division within NSW Treasury, provides frameworks and some guidance to agencies for procuring consultants. However, gaps in its data collection and analysis mean monitoring of strategic risks is limited and it does not respond to agency non-compliance consistently. There are limitations in ability of various data sources to accurately record spending on consultants. These limitations include incomplete recording of all spending, and different definitions of consulting for accounting and financial reporting purposes. Notwithstanding these limitations, and based on information in the State's financial consolidation system (Prime)—which records recurrent expenditure on consultants—it is highly unlikely that NSW government agencies will meet the government's 2019 policy commitment to reduce spending on consultants, as defined in the policy commitment and costed by the Parliamentary Budget Office. 

The use of a 'devolved governance model' for procurement means NSW government agencies are responsible for developing and implementing their own systems that align with the NSW Government Procurement Policy Framework. Agency heads are responsible for demonstrating compliance. Most agencies included in this audit did not have a clear strategic approach to how and when consultants should be used (for example, to seek advice and expertise not already available within the agency) and were using consultants in an ad hoc manner.

Our analysis of whole-of-government spending on consultants, drawn from agency annual reports, indicates that four large professional services firms account for around 27% of spending on consultants in the period from 2017–18 to 2021–22. The number of firms making up the top 50% of expenditure decreased from 11 to eight during this time, with the other 50% of expenditure spread across more than 1,000 firms. Concentration of consulting engagements within a small number of firms increases strategic risks, including that advice is not sufficiently objective and impartial, and that NSW government agencies become overly reliant on selected professional services firms.

Our review of a selection of consulting engagements by NSW government agencies found several examples of non-compliance with procurement policy. This included the use of variations to contract values which exceeded allowable limits. Record keeping was inadequate in many cases we reviewed, which limits transparency about government spending. Most agencies did not proactively manage their consulting engagements. The majority of consulting engagements that we reviewed were not evaluated or assessed by the agency for quality. Very few used any processes to ensure the transfer and retention of knowledge generated through consulting engagements. This means agencies miss opportunities to increase core staff skills and knowledge and to maximise value from these engagements.

NSW Procurement oversees a detailed policy framework that provides guidance and support to NSW government agencies when they are using consultants. The policy framework provides mandatory steps and some other guidance. Our audit on the procurement and reporting of consultancy services in 2018 found that agency reporting on the use of consultants was inconsistent and recommended that NSW Procurement should improve the quality, accuracy and completeness of data collection. NSW Procurement’s guidance on how agencies should classify and report on consulting engagements remains ambiguous. This contributes to continued inconsistent reporting by and across agencies, and reduces the quality of data on the use of consultants.

NSW Procurement has made some improvements to the information available about spending on consultants since our audit in 2018, including additional analysis and reporting that is available to agencies. However, there is still no single data source that accurately captures all spending on consultants. This is despite our recommendations in 2018 that NSW Procurement improve the quality of information collected from agencies and suppliers, which NSW Procurement accepted. This makes it harder for NSW Procurement or individual agencies to track trends and identify risks or improvement opportunities in the way consultants are used. 

In early 2019, the NSW Government made a policy commitment to reduce consultancy expenses by 20% each year, over four years, from 2019–20 (excluding capital-related consultancy expenses). This commitment was set out in the Parliamentary Budget Office's '2019 Coalition Election Policy Costings (Policy Costings)'. NSW Treasury subsequently advised that to implement this commitment, agency budgets were reduced in Prime in line with the savings targets. However, actual spending on consultants recorded in Prime in the first three years after the commitment was made was almost $100 million higher than the targets. We did not see any evidence that the financial data on actual expenditure was used to inform reporting on NSW government agencies' progress toward achieving the savings set out in the policy commitment.

1 The Government Sector Finance Legislation (Repeal and Amendment) Act 2018 No 70 will amend the Health Services Act 1997 to specify that annual reporting information for any or all NSW Health entities may be included in the annual reporting information prepared by the Ministry of Health under the Government Sector Finance Act 2018. This provision is expected to commence on 1 July 2023.

This chapter outlines our findings on the role of NSW Procurement in overseeing the use of consultants by NSW government agencies.

This chapter outlines our findings on the use of consultants by the ten NSW government agencies that were included in this audit.

Appendix one – Responses from auditees

Appendix two – About the audit

Appendix three – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #378 - released 2 March 2023

Published

Government advertising 2021–22

Finance
Education
Whole of Government
Compliance
Management and administration
Procurement

What the report is about

The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit on government advertising activities each financial year.

This audit examined whether TAFE NSW's annual advertising campaign in 2021–22:

  1. was carried out effectively, economically, and efficiently
  2. complied with regulatory requirements and the Government Advertising Guidelines.

What we found

TAFE NSW complied with Section 6 of the Act, prohibiting political content.

It also complied with most other advertising requirements.
 
An important exception was that the Managing Director certified that the campaign complied with regulatory requirements and was an efficient and cost-effective means of achieving its public purpose, before a cost-benefit analysis (CBA) was completed.

We have found issues with agencies complying with CBA requirements in previous government advertising audits. This includes the failure to complete them before signing compliance certificates.

The policy owner, the Department of Customer Service (DCS), does not consider oversight of CBAs to be within the scope of their peer review process.  

TAFE NSW evaluated this advertising campaign by surveying a population significantly broader than the target audience. As such, survey results may not accurately reflect the views of the intended audience.

What we recommended

By 30 June 2023, TAFE NSW should:

  1. implement processes that ensure:
    1. CBAs are completed before the launch of campaigns over $1 million
    2. compliance certificates are completed only after all regulatory requirements are met
  2. consider adding to its current evaluation methods by surveying a population which closely reflects the age profile of its intended target audience.

By June 2023, DCS should:

  1. improve whole‑of‑government reporting and monitoring processes to provide the NSW Government with a central view of compliance, including the completion of CBAs by agencies.

The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements include an explicit prohibition on political advertising, as well as a need to complete a peer review and cost-benefit analysis before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and Government Advertising Guidelines (the Guidelines) address further matters of detail.

The Act also requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner. It also assesses compliance with the Act, the Regulation, other laws and the Guidelines.

This audit examined TAFE NSW's advertising campaign for the 2021–22 financial year. TAFE NSW is the NSW Government's public provider of vocational education and training. TAFE NSW carries out an advertising campaign every year. In 2021–22, it spent $15.16 million on developing and implementing advertising. TAFE NSW used channels such as television, radio, internet and social media, press, and out of home advertising in public settings such as bus stops. The advertising aimed to increase the percentage of people considering TAFE NSW for training or education, grow the percentage of people who consider TAFE NSW to be the preferred education provider in NSW, and maintain the proportion of people who are aware of TAFE NSW more generally.

There are a range of private service providers helping to deliver vocational education and training in NSW.

Conclusion

TAFE NSW’s advertising campaign for 2021–22 was for an allowed purpose under the Act and did not include political advertising. TAFE NSW complied with most of the requirements set out in the Act, the Regulation, and the Guidelines, but it failed to complete a cost-benefit analysis for the campaign or provide sufficient support for the compliance certificate signed by TAFE NSW's Managing Director.

TAFE NSW complied with the requirement to complete a peer review of its campaign, but it did not meet the requirement to complete a cost-benefit analysis, either before it launched the campaign or during its implementation throughout 2021–22. Some of TAFE NSW's advertising did not meet the requirement for statements to be clearly supported by evidence.

The Act requires the head of an agency to sign a compliance certificate stating that, among other things, the campaign complies with the Act, the Regulation, and the Guidelines, and that the campaign is an efficient and cost-effective means of achieving the public purpose. TAFE NSW's Managing Director signed a compliance certificate in May 2021. However, TAFE NSW had not prepared a cost-benefit analysis as required under the Act and therefore TAFE NSW's Managing Director could not validly sign the compliance certificate. TAFE NSW did not subsequently complete a cost-benefit analysis during the campaign.

The campaign achieved many of its objectives and other performance measures and is likely to have been impactful. It is also likely that TAFE NSW’s advertising campaign in 2021–22 represented economical, efficient, and effective spend. However, the lack of a cost-benefit analysis meant that this could not be confidently demonstrated by TAFE NSW.

TAFE NSW used internal resources to create its advertising content, such as videos, radio scripts and press advertising, and relied upon a specialist partner to arrange and place its media in the appropriate advertising channel. TAFE NSW also adjusted the advertising campaign in response to performance data and in response to changes in the educational and advertising marketplaces.

TAFE NSW evaluated the impact of its advertising and tracked its brand performance using a survey which reflected the New South Wales general population aged between 16 and 60. However, this evaluation did not match TAFE NSW's advertising spend as TAFE NSW directed significantly more of its campaign budget to influencing younger people in this cohort.

This part of the report sets out key aspects of TAFE NSW's compliance with the government advertising regulatory framework. It considers whether TAFE NSW complied with the:

  • Government Advertising Act 2011
  • Government Advertising Regulation 2018
  • NSW Government Advertising Guidelines 2012 and other relevant policy.

This part of the report considers whether TAFE NSW's advertising program for 2021–22 was carried out in an effective, efficient, and economical manner.

Appendix one – Responses from agencies

Appendix two – About the campaign

Appendix three – About the audit

Appendix four – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #377 - released 28 February 2023

Published

Government's acquisition of private property: Sydney Metro project

Transport
Planning
Whole of Government
Compliance
Infrastructure
Internal controls and governance
Project management
Risk

What the report is about

Sydney Metro is Australia’s largest public transport project. It requires the acquisition of many private properties, including residential and business properties.

This audit assessed the effectiveness of the acquisition of private properties for the Sydney Metro project. The audited agencies were Sydney Metro, the Department of Planning and Environment (Valuer General NSW) and Transport for NSW (the Centre for Property Acquisition).

The audit assessed agencies against the framework for property acquisitions in New South Wales. It did not re-perform the valuations done for individual properties that were acquired by Sydney Metro.

What we found

Acquisitions of private property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. We found Sydney Metro:

  • complied with legislative and policy requirements for compensation and communication with people subject to property acquisitions
  • kept accurate records of its acquisitions and applied probity controls consistently
  • did not complete detailed plans or negotiation strategies for the high-risk and high-value acquisitions we reviewed
  • did not comply with legislative timelines for most compulsory acquisitions because of delays in receiving the required information from the Valuer General in these cases.

The Centre for Property Acquisition has overseen the implementation of reforms to residential acquisition processes, but its assessment of the effectiveness of these reforms has not been comprehensive.

What we recommended

The audit made four recommendations to the audited agencies to improve:

  • plans and strategies for the acquisition of high-risk and high-value properties
  • timeliness of issuing compensation determinations for compulsory acquisitions
  • data quality on the experience of people subject to property acquisitions.

The NSW Government has the power to acquire land that is owned or leased by individuals or businesses, if it is needed for a public purpose. The power arises from the Land Acquisition (Just Terms Compensation) Act 1991 (the Just Terms Act). Government agencies that have the power to compulsorily acquire private property are referred to as ‘acquiring authorities’. People who are subject to acquisitions are referred to as ‘affected parties’ and include property owners (business or residential), businesses with a commercial lease on a property, or individuals with residential tenancy leases. In recent years, the vast majority of acquisitions by the NSW Government have been for public transport or road projects.

Sydney Metro is a NSW Government agency with responsibility for building the Sydney Metro railway project. Sydney Metro is Australia’s largest public transport project. The project requires the acquisition of a large number of private properties. Sydney Metro has been one of the largest acquirers of private property in recent years, completing over 500 acquisitions between 2020 and mid-2022, with a total acquisition value of over $2 billion. Other agencies and statutory officers involved in the acquisition of property for the Sydney Metro project include:

  • the Department of Planning and Environment (DPE), which supports the minister responsible for the Just Terms Act. DPE also provides staff to the Valuer General of NSW
  • the Valuer General of NSW, an independent statutory officer that determines compensation in cases where the acquiring authority and the affected party cannot agree on compensation for property that has been acquired
  • Transport for NSW, which includes the Centre for Property Acquisition (CPA). The CPA does not have a direct role in acquiring properties, but its responsibilities include developing guidance for acquiring agencies and monitoring and reporting on their activities.

About this audit

The objective of this audit was to assess the effectiveness of acquisitions of private properties for Sydney Metro projects. The audit assessed agencies against the legislative and policy requirements in place for government acquisitions of private property in New South Wales. In line with the Audit Office's legislative mandate, the audit does not comment on the merits of the policy objectives reflected in the Just Terms Act.

The audit examined a sample of 20 property acquisitions. This was not a statistically representative sample. While our report provides comments on Sydney Metro’s overall acquisition processes, it does not provide assurance regarding the acquisitions that were not examined for this audit.

The audit did not re-perform the valuations done for individual properties that were acquired by Sydney Metro. Affected parties who disagree with the valuation of their property have the right to seek independent assessment of this via the Valuer General and the Land and Environment Court.

Conclusion

Acquisitions of property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. Sydney Metro followed requirements for communication with affected parties. Compensation processes were conducted in compliance with legislative requirements, but compensation determinations for compulsory acquisitions were not completed within legislated time frames due to delays in receiving these from the Valuer General. Governance and probity processes were followed consistently, with some relatively minor exceptions. 

Sydney Metro has detailed guidelines for acquisitions that are based on relevant legislation and government policy. In the 20 acquisitions we assessed for this audit, these procedures were followed consistently. This included adhering to minimum timelines for negotiation periods, engaging independent valuers and other experts when needed, and complying with governance and probity processes.

Sydney Metro staff followed requirements for communication and support for residential acquisitions by assigning ‘personal managers’ and providing additional support to affected parties when needed. The Centre for Property Acquisition (CPA) has overseen reforms to the residential property acquisition process in recent years. These reforms include the introduction of the NSW Property Acquisition Standards and the use of personal managers, in addition to the existing acquisition managers, for residential acquisitions. However, the CPA has not assessed the impact of these changes on the experiences on people affected by property acquisitions.

Sydney Metro did not comply with the legislative requirement to provide a formal compensation notice to the affected party within 45 days of a compulsory acquisition starting in any of the eight relevant acquisitions in our sample. This was because Sydney Metro must wait for the Valuer General to complete a compensation determination before Sydney Metro can send the compensation notice, and the Valuer General did not do this within 45 days. We acknowledge that Sydney Metro does not have full control over this process, and that it has taken steps to mitigate the impact of delays on affected parties. 

This chapter presents our findings on Sydney Metro's acquisition of industrial and commercial properties. Industrial properties include construction businesses and manufacturing facilities. Commercial properties were mostly properties such as shopping centres and office towers. Many of these acquisitions involve businesses and properties that are relatively complex and have high values. This means the valuation process can require multiple experts and can be lengthy and contested. Adherence to governance and probity requirements is important for these acquisitions in order to demonstrate that the acquiring authority has achieved value for money.

This chapter presents our findings on Sydney Metro's acquisition of residential properties, which include apartments and houses, and small business leases, which mostly affected businesses in small shopping centres or arcades. Most of these acquisitions were lower value compared to industrial and commercial property acquisitions and did not require as much expert advice on complex technical issues. However, residential property acquisitions can be personally distressing for the affected parties and require staff from the acquiring authority to provide support and show empathy while ensuring legislative compliance and value for money.

Appendix one – Responses from agencies

Appendix two – About the audit 

Appendix three – Performance auditing 

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #375 - released 9 February 2023

Published

Cyber Security NSW: governance, roles, and responsibilities

Local Government
Whole of Government
Finance
Cyber security
Information technology
Internal controls and governance
Management and administration

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

  • Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
  • Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

  1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
  2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
  3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
  4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

  1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
  2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Conclusion

Cyber Security NSW has a clear purpose that is aligned with wider government policy and objectives, but it cannot effectively demonstrate its progress toward improving cyber resilience

Cyber Security NSW's high-level purpose is to support the NSW Government’s delivery of digitised services that are protected, connected, and trusted. This purpose is consistent with broader NSW Government and Australian Government policy and builds on the purpose of the previous NSW Office of the Government Chief Information Security Officer, which was itself informed by external research and previous Audit Office of New South Wales recommendations.

In delivering its purpose, Cyber Security NSW provides a wide range of services to NSW government agencies and the local government sector. The majority of agencies and councils consulted during this audit reported that the services they received contributed to improving their individual cyber security.

However, Cyber Security NSW does not clearly and consistently communicate its key objectives to ensure that its efforts are effectively and efficiently targeted, prioritised, planned, and reported. This is despite it receiving enhanced funding to expand the scope of services it provides. It currently has many sets of objectives across a range of sources, including the Cyber Security Strategy, business plans, corporate material, and public communications. It has too few reliable and meaningful ways of measuring progress toward its objectives, and no overall workplan or roadmap to show how the objectives will be achieved.

Without a clear and consistent program logic, it is difficult to determine whether the functions and services delivered by Cyber Security NSW are helping to achieve the level of cyber resilience required to meet the increasing cyber threats faced by the NSW public sector.

Cyber Security NSW does not provide assurance of the cyber security maturity self-assessments performed by individual NSW Government agencies

The NSW Government has a devolved model for cyber security assurance. Cyber Security NSW administers the whole-of-government policy settings, and agency heads are responsible for ensuring compliance with policy requirements.

Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments. It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported.

This form of auditing would be an important assurance that self-assessment and reporting is reliable. This is important given that maturity reporting is the main source of knowledge about the cyber security maturity and resilience of NSW Government agencies to cyber threats. If these self-assessments are unreliable, then it creates the risk that knowledge of the potential resilience of the NSW public sector to cyber security incidents is similarly unreliable. There is no other body in NSW with the mandate to routinely provide this form of assurance.

Cyber Security NSW has a remit to assist local government improve cyber resilience, however it cannot mandate action, and does not have a strategic approach guiding its efforts

Consistent with the expectations that accompanied its 2020 funding enhancement, Cyber Security NSW has engaged with the local government sector, albeit with mixed results. While these mixed results are partly a consequence of it not being provided a formal mandate in the sector, it has also been impacted by the fact that Cyber Security NSW has not established an engagement plan or strategy to guide its engagement with the local government sector.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

  • lead
  • prepare
  • prevent
  • detect 
  • respond 
  • recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

  • increase NSW Government cyber resiliency
  • help NSW cyber security businesses grow
  • enhance cyber security skills and workforce 
  • support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

  • annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
  • that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

  • may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
  • will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

  • there was a sound, evidence-based rationale for why Cyber Security NSW was established
  • the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
  •  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #374 - released 8 February 2023

Published

Coordination of the response to COVID-19 (June to November 2021)

Premier and Cabinet
Community Services
Health
Justice
Whole of Government
Internal controls and governance
Risk
Service delivery
Shared services and collaboration

What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

  • coordination at state, regional and local levels through emergency management committees
  • emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
  • operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

  • The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
  • NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
  • Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
  • The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
  • The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

  • government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
  • agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

Conclusion

Prior to June 2021, agencies worked effectively together to adapt and refine pre-existing emergency management arrangements to respond to COVID-19. However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

In the period March 2020 to June 2021, the State's Emergency Management (EM) arrangements coordinated the New South Wales emergency response to COVID-19 with support from the Department of Premier and Cabinet (DPC) which led the cross-government COVID-19 Taskforce. NSW Government agencies enhanced the EM arrangements, which until then had typically been activated in response to natural disasters, to meet the specific circumstances of the pandemic.

However, the State Emergency Management Committee (SEMC), supported by Resilience NSW, did not address relevant recommendations arising from the 2020 Bushfires Inquiry before June 2021 and agencies did not always integrate lessons learned from other jurisdictions or scenario training exercises into emergency management plans or strategies before Delta. As a result, deficiencies in the EM arrangements, including representation of vulnerable communities on EM bodies, well-being support for multicultural communities in locked down environments and cross-agency information sharing, persisted when Delta emerged in June 2021.

It should be noted that for the purposes of this audit there is no benchmark, informed by precedent, that articulates what level of preparation would have been sufficient or proportionate. However, the steps required to address these gaps were reasonable and achievable, and the failure to do so meant that agencies were not as fully prepared as they could have been for the scale and escalation of Delta’s spread across the State.

The Delta Microstrategy complemented the EM arrangements to support greater coordination and agencies are working to improve their capability for future events

The Delta Microstrategy (the Microstrategy) led to innovations in information sharing and collaboration across the public service. Agencies involved in the response have completed, or are completing, reviews of their contribution to the response. That said, none of these reviews includes a focus on whole-of-government coordination.

On 23 July 2021, the NSW Government approved the establishment of the Microstrategy to respond to the additional challenges presented by Delta including the need to support communities most impacted by restrictions to movement and gathering in the LGAs of concern. An extensive range of government agencies were represented across eight Microstrategy workstreams, which coordinated with the existing EM arrangements to deliver targeted strategies to communities in high-risk locations and improve data and information sharing across government. This enhanced the public health, compliance, income and food support, communications and community engagement aspects of the response.

Agencies also leveraged learnings from early weeks of the Delta wave and were able to replicate those lessons in other locations. The use of pre-staging hubs in Fairfield to support food and personal hamper distribution was used a month later in Dubbo which acted as a central hub for more remote parts of the State.

Emergency management plans did not enable government to respond immediately to support vulnerable communities in high-risk LGAs or regional NSW

There are gaps in the emergency management plans relating to the support for individuals, families and businesses impacted by the stay-at-home orders and other restrictions to movement and gathering. These gaps affected agencies' ability to respond immediately when the need arose during Delta.

Emergency management plans and supporting instruments did not include provision for immediate relief for households, which meant arrangements for isolation income support and food security measures had to be designed in the early stages of Delta before it could be approved and deployed.

There were delays – sometimes only days, on occasion, weeks - in providing support to affected communities. In particular, there were delays to the provision of income support and in scaling up efforts to coordinate food and grocery hampers to households in isolation. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

Although government issued stricter restrictions for workers in the Fairfield LGA on 14 July 2021, it only approved targeted income support for people in LGAs of concern on 16 August 2021.

Overall, agencies coordinated effectively to provide advice to government but there are opportunities to learn lessons to improve preparedness for future events

Agencies coordinated in providing advice to government. The advice was supported by timely public health information, although this was in the context of a pandemic, where data and information about the virus and its variants was changing regularly. However, agencies did not always consider the impact on key industries or supply chains when they provided advice to government, which meant that Public Health Orders would sometimes need to be corrected.

Public Health Orders were also updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The audit identified several occasions where there were delays, ranging from three to 21 days, between the provision of advice to government and subsequent decision-making (which we have not detailed due to the confidentiality of Cabinet deliberations). Agency officers advised of instances where they were not provided sufficient notice of changes to Public Health Orders to organise local infrastructure (such as traffic support for testing clinics) to support compliance with new requirements.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

  • up to ten fully vaccinated visitors to a home (increased from five)
  • up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
  • weddings and funerals limits increased to 100 people (from 50)
  • the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

  • South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
  • Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
  • Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
  • a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

  • the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
  • issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
  • the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
  • issues arising from impediments to information sharing between agencies and jurisdictions, such as:
    • timeliness and accuracy of data used to direct compliance activities
    • the impact of insufficient advance notice on changes to Public Health Orders
    • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
    • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
  • the lack of Aboriginal community representation on many LEMCs
  • compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
  • improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
  • deficiencies in succession planning and fatigue management practices
  • the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

  • governance
  • engagement 
  • innovation and technology 
  • community impact 
  • workforce impact
  • system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #371 - released 20 December 2022

Published

Facilitating and administering Aboriginal land claim processes

Planning
Environment
Industry
Local Government
Premier and Cabinet
Whole of Government
Cross-agency collaboration
Compliance
Management and administration

What the report is about

The Aboriginal Land Rights Act 1983 (NSW) (the Act) provides land rights over certain Crown land for Aboriginal Land Councils in NSW.

If a claim is made over Crown land (land owned and managed by government) and meets other criteria under the Act, ownership of that land is to be transferred to the Aboriginal Land Council.

This process is intended to provide compensation for the dispossession of land from Aboriginal people in NSW. It is a different process to the recognition of native title rights under Commonwealth law.

We examined whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. The relevant agencies are:

  • Department of Premier and Cabinet (DPC)
  • Department of Planning and Environment (DPE)
  • NSW Aboriginal Land Council (NSWALC).

We consulted with Local Aboriginal Land Councils (LALCs) and other Aboriginal community representative groups to hear about their experiences.

What we found

Neither DPC nor DPE have established the resources required for the NSW Government to deliver Aboriginal land claim processes in a coordinated way, and which transparently commits to the requirements and intent of the Act.

Delays in determining land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land. Delays also create risks due to uncertainty around the ownership, use and development of Crown land.

DPC has not established governance arrangements to ensure accountability for outcomes under the Act, and effective risk management.

DPE lacks clear performance measures for the timely and transparent delivery of its claim assessment functions. DPE also lacks a well-defined framework for prioritising assessments.

LALCs have concerns about delays, and lack of transparency in the process.

Reviews since at least 2014 have recommended actions to address numerous issues and improve outcomes, but limited progress has been made.

The database used by DPC (Office of the Registrar) for the statutory register of land claims has not been upgraded or fully validated since the 1990s.

In 2020, DPE identified the transfer of claimable Crown land to LALCs to enable economic and cultural outcomes as a strategic priority. DPE has some activities underway to do this, and to improve how it engages with Aboriginal Land Councils – but DPE still lacks a clear, resourced strategy to process over 38,000 undetermined claims within a reasonable time.

What we recommended

In summary:

  • DPC should lead strategic governance to oversee a resourced, coordinated program that is accountable for delivering Aboriginal land claim processes
  • DPE should implement a resourced, ten-year plan that increases the rate of claim processing, and includes an initial focus on land grants
  • DPE and DPC should jointly establish operational arrangements to deliver a coordinated interagency program for land claim processes
  • DPC should plan an interagency, land claim spatial information system, and the Office of the Registrar should remediate and upgrade the statutory land claims register
  • DPC and NSWALC should implement an education program (for state agencies and the local government sector) about the Act and its operations
  • DPE should implement a five-year workforce development strategy for its land claim assessment function
  • DPE should finalise updates to its land claim assessment procedures
  • DPE should enhance information sharing with Aboriginal Land Councils to inform their claim making
  • NSWALC should enhance information sharing and other supports to LALCs to inform their claim making and build capacity.

Fast facts

  • 53,800 the number of claims lodged since the Act was introduced in 1983
  • 38,200 the number of claims awaiting DPE assessment and determination (about 70 per cent of all claims lodged)
  • 207 the number of claims granted by DPE in six months to December 2021
  • 120 LALCs, and the NSWALC, have the right to make a claim and have it determined
  • +5 years around 60 per cent of claims have been awaiting determination for more than five years
  • 22 years the time it will take DPE to determine existing claims, based on current targets

The return of land under the Aboriginal Land Rights Act 1983 (NSW) (the Act) is intended to provide compensation for the dispossession of land from Aboriginal people in New South Wales. A claim on Crown land1 made by an Aboriginal Land Council that meets criteria under the Act is to be transferred to the claimant council as freehold title. The 2021 statutory review of the Act recognises the spiritual, social, cultural and economic importance of land to Aboriginal people.

The Minister for Aboriginal Affairs administers the Act, with support from Aboriginal Affairs NSW (AANSW) in the Department of Premier and Cabinet (DPC). AANSW also leads the delivery of Opportunity, Choice, Healing, Responsibility and Empowerment (OCHRE), the NSW Government's plan for Aboriginal affairs, and assists the Minister to implement the National Agreement on Closing the Gap – which includes a target for increasing the area of land covered by Aboriginal and Torres Strait Islander people's legal rights or interests.

The Act gives responsibility for registering land claims to an independent statutory officer, the Registrar of the Aboriginal Land Rights Act (the Registrar), whose functions are supported by the Office of the Registrar (ORALRA) which is resourced by AANSW.2

The Land and Environment Court of New South Wales has stated that there is an implied obligation for land claims to be determined within a reasonable time. The Minister administering the Crown Land Management Act 2016 (NSW) is responsible for determining land claims. This function is supported by the Department of Planning and Environment (DPE),3 whose staff assess and recommend claims for determination based on the criteria under section 36(1) of the Act. There is also a mechanism under the Act for land claims to be negotiated in good faith through an Aboriginal Land Agreement.

The NSW Aboriginal Land Council (NSWALC) is a statutory corporation constituted under the Act with a mandate to provide for the development of land rights for Aboriginal people in NSW, in conjunction with the network of 120 Local Aboriginal Land Councils (LALCs). LALCs are constituted over specific areas to represent Aboriginal communities across NSW. Both NSWALC and LALCs can make land claims.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities that are required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties need to be engaged so that these processes are coordinated effectively and managed in a way that is consistent with the intent of the Act, and other legislative requirements.

The first land claim was lodged in 1983. The number of undetermined land claims has increased over time, and at 31 December 2021 DPE data shows 38,257 undetermined claims.

The issue of undetermined land claims has been publicly reported by the Audit Office since 2007. Recommendations to agencies to better facilitate processes and improve how functions are administered have been made in multiple reviews, including two Parliamentary inquiries in 2016.

The objective of this audit was to assess whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. In making this assessment, we considered whether:

  • agencies (DPE, DPC (AANSW and ORALRA) and NSWALC) coordinate information and activities to effectively facilitate Aboriginal land claim processes
  • agencies (DPE and DPC (ORALRA)) are effectively administering their roles in the Aboriginal land claim process.

We consulted with LALCs to hear about their experiences and priorities with respect to Aboriginal land claim processes and related outcomes. We have aimed to incorporate their insights into our understanding of their expectations of government with respect to delivering requirements, facilitating processes, and identifying opportunities for improved outcomes. 

Conclusion

The Department of Premier and Cabinet (DPC) and the Department of Planning and Environment (DPE) are not effectively facilitating or administering Aboriginal land claim processes. Neither agency has established the resources required for the NSW Government to operate a coordinated program of activities to deliver land claim processes in a way that transparently commits to the requirements and intent of the Aboriginal Land Rights Act 1983 (NSW) (the Act). Arrangements to engage the NSW Aboriginal Land Council (NSWALC) in these activities have not been clearly defined.

There are more than 38,000 undetermined land claims that cover approximately 1.12 million hectares of Crown land. As such, DPE has not been meeting its statutory requirement to determine land claims nor its obligation to do so within a reasonable time. Over 60 per cent of these claims were lodged with the Registrar of the Aboriginal Land Rights Act, for DPE to determine, more than five years ago.

DPE’s Aboriginal Outcomes Strategy 2020–23 identifies transferring claimable Crown land to Local Aboriginal Land Councils (LALCs) as a priority to enable economic and cultural outcomes. Since mid-2020 DPE has largely focused on supporting LALCs to identify priority land claims for assessment and on negotiating Aboriginal Land Agreements. This work may support the compensatory intent of the Act but is in its early stages and is unlikely to increase the pace at which land claims are determined. Based on current targets, it will take DPE around 22 years to process existing undetermined land claims.

Delays in processing land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land in NSW. The intent of the Act to provide compensation to Aboriginal people for the dispossession of land has been significantly constrained over time.

Since 2014, numerous reviews have made recommendations to agencies to address systemic issues, improve processes, and enhance outcomes: but DPC and DPE have made limited progress with implementing these. Awareness of the intent and operations of the Act was often poor among staff from some State government agencies and local government representatives we interviewed for the audit.

DPC has not established culturally informed, interagency governance to effectively oversee Aboriginal land claim processes – and ensure accountability for outcomes consistent with the intent of the Act, informed by the expectations of the NSWALC and LALCs. Such governance has not existed since at least 2017 (the audited period) and we have not seen evidence earlier. DPE still does not have performance indicators for its land claim assessment function that are based on a clear analysis of resources, that demonstrate alignment to defined outcomes, and which are reported routinely to key stakeholders, including NSWALC and LALCs.

LALCs have raised strong concerns during our consultations, describing delays in the land claim process and the number of undetermined land claims as disrespectful. LALCs have also noted a lack of transparency in, and opportunity to engage with, Aboriginal land claim processes. DPE’s role in assessing Aboriginal land claims, and identifying opportunities for Aboriginal Land Agreements, requires specific expertise, evidence gathering and an understanding of the complex interaction between the Act and other legislative frameworks, including the Native Title Act 1993 (Cth) and the Crown Land Management Act 2016 (NSW). In mid-2020, DPE created an Aboriginal Land Strategy Directorate within its Crown lands division, increased staffing in land claim assessment functions, and set a target to increase the number of land claims to be granted in 2021–22. In the six months to December 2021, DPE granted more land claims (207 claims) than in most years prior. DPE has also assisted some LALCs to identify priority land claims for assessment.

But the overall number of claims processed per year remains well below the historical (five-year) average number of claims lodged (2,506 claims). As such, DPE has not yet established an appropriately resourced workforce to assess the large number of undetermined land claims and engage effectively with Aboriginal Land Councils and other parties in the process. There also are notable gaps in DPE’s procedures that impact the transparency of the process, especially with respect to timeframes and the prioritisation of land claims for assessment.

DPC (the Office of the Registrar of the Aboriginal Land Rights Act, ORALRA) has not secured or applied resources that would assist the Registrar to use discretionary powers, introduced in 2015, not to refer certain land claims to DPE for assessment (those not on Crown land). This could have improved the efficiency and coordination of end-to-end land claim processes.

DPC (ORALRA) is also not effectively managing data and ensuring the functionality of the statutory Register of Aboriginal land claims. This contributes to inefficient coordination with DPE and NSWALC, and creates a risk of inconsistent information sharing with LALCs, government agencies, local councils and other parties. More broadly, responsibilities for sharing information about the location and status of land under claim are not well defined across agencies. These factors contribute to risks to Crown land with an undetermined land claim, which case law has found to establish inchoate property rights for the claimant Aboriginal Land Council.4 It can also lead to uncertainty around the ownership, use and development of Crown land, with financial implications for various parties.
1 Crown land is land that is owned and managed by the NSW Government.
 AANSW and ORALRA were previously part of the Department of Education, before the 1 July 2019 Machinery of Government changes.
 Previously, these functions were undertaken by the Department of Industry (2017–June 2019) and the Department of Planning, Industry and Environment (July 2019 to December 2021). 
 The lodgement of a land claim creates an unformed property interest for the claimant Aboriginal Land Council over the claimed land. This interest will be realised if the Crown Lands Minister determines that the land is claimable.

Since 1983, 53,861 Aboriginal land claims have been lodged with the Registrar.25

The Land and Environment Court of New South Wales has stated there is an implied obligation on the Crown Lands Minister to determine land claims within a reasonable time.26

As at 31 December 2021, DPE has processed less than a third (31 per cent) of these land claims: 14,273 were determined by the Crown Lands Minister (that is, granted or refused, in whole or part) and 2,562 were withdrawn. This amounts to 16,835 claims processed, including the negotiated settlement of 15 claims through three Aboriginal Land Agreements. As a result, DPE reports that approximately 163,900 hectares of Crown land has been granted to Aboriginal Land Councils since 1983 up to 31 December 2021.

There are 38,257 land claims awaiting determination, which cover about 1.12 million hectares of Crown land.

The 2017 report on the statutory review of the Act noted that the land claims ‘backlog’ was one of the ‘Top 5’ priorities identified by LALCs during consultations. The importance of this issue is consistent with findings from our consultations with LALCs in 2021 (see Exhibit 7).

Exhibit 7: LALCs report that delays undermine the compensatory intent of the Act

LALCs raised concerns about delays in the Aboriginal land claim process, including waiting decades for claims to be assessed and years for land to be transferred once granted.

The large number of undetermined claims has been described by LALCs as disrespectful, and as reflecting under-resourcing by governments.

LALCs reported that these delays undermine the compensatory intent of the Act, including by creating uncertainty for their plans to support the social and economic aspirations of their communities.
Source: NSW Audit Office consultation with LALCs.

Delays in delivering on the statutory requirement to determine land claims, and limited use of other mechanisms to process claims in consultation or agreement with NSWALC and LALCs, undermines the beneficial and remedial intent of Aboriginal land rights under the Act. It also:

  • impacts negatively on DPE’s ability to comply with the statutory requirement to determine land claims, because often the older a claim becomes the more difficult it can be to gather the evidence required to assess it
  • creates uncertainty around the ownership, use and development of Crown land, which can have financial impacts on Aboriginal Land Councils, government agencies, local councils and developers.

Risks that arise in the context of undetermined claims are discussed further in section 3.3.

25 According to DPC (ORALRA) data in the ALC Register up to 31 December 2021. DPC (ORALRA) data indicates that the Registrar has refused to refer claims to DPE for assessment under section 36(4A) of the Act in a small number of cases – for example, seven times in 2017 and none since that time.
26 Jerrinja Local Aboriginal Land Council v Minister Administering the Crown Lands Act [2007] NSWLEC 577 at 125. The Court stated, ‘While a reasonable time may vary on a case-by-case basis, a delay of 15 to 20 years in determining claims does not accord with any idea of reasonableness’.

NSW Treasury describes public sector governance as providing strategic direction, ensuring objectives are achieved, and managing risks and the use of resources responsibly with accountability.

Consistent with the NSW Treasury’s Risk Management Toolkit (TPP-12-03b), governance arrangements for Aboriginal land claim processes should ensure their effective facilitation and administration. That is, arrangements are expected to contribute to and oversee the performance of administrative processes and service delivery towards outcomes, and ensure that legal and policy compliance obligations are met consistent with community expectations of accountability and transparency.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties (such as native title groups and those with an interest in development on Crown land) need to be engaged so that these processes are coordinated effectively with risks managed – consistent with the intent of the Act, and other legislative requirements.

Policy commitments to Aboriginal people and communities made by the NSW Government in the OCHRE Plan and Closing the Gap priority reforms establish an expectation for culturally informed governance.

Exhibit 12: LALCs want their voices to be heard and responded to by government

LALCs expressed a strong desire to have their voices heard so that outcomes in the Aboriginal land claim process are informed by LALC aspirations and consistent with the intent of the Act. The importance of respect and transparency were consistently raised.

The following quotes are from our consultations with LALCs during this audit which illustrate the inherent cultural value of land being returned, as well as the importance of its social and economic value and potential.

There’s batches of land in and around town. This land is significant…We want to get the land activated to encourage economic development, and promote the community…our job is to step up to create infrastructure, employment, maintenance and services and lead by example.

One of the best things we were able to do is develop a long term 20-year plan and where Crown Land could directly see where land was transferred to us and it was going to things like education, housing, health and other social programs…

There has been a claim lodged on a parcel of land that has long lasting cultural significance, a place that is very special to the Aboriginal community members and holds a lot of history. If the claim lodged was successful this land would be used to strengthen the cultural knowledge of the local youth, through placing signage that depicts stories that have been passed down by the Elders, cultural talks and tours and school group visits. This land, although not large in size, has a significant number of cultural trees and artefacts. Aboriginal families and members of the LALC that have lived in our town are very protective of the site and others surrounding it, respecting the importance of the cultural history of the site. There is one, which is a cultural one. We received a land claim that contained a cultural site. This is the high point: we were given back lands that contained rock engravings, carvings. A real diamond for us, especially as an urban based land council.

At the heart of the ALRA is the ability to claim Crown Land…The slow determination of claims gets in the way of us doing what we want to do, which is focus on our communities and address our real needs which are about health, wellbeing and culture. If we could realise these rights, we can address all sorts of socio-economic needs. We would become an economic benefit to the state…If it was operating well there could be more caring for Country too.
Note: Permission has been granted by LALC interviewees to use these quotes in this context.
Source: Excerpts from NSW Audit Office interviews with LALC representatives, facilitated by Indigenous consultants.

The Crown Lands Minister, supported by DPE, is required to determine whether Aboriginal land claims meet the criteria to be ‘claimable Crown lands’ under section 36(1) of the Act. DPE staff within its Crown Lands division are responsible for assessing land claims and preparing recommendation briefs to the Crown Lands Minister, or their delegate, on determination outcomes. That is, on whether to grant or refuse the claim.38 DPE staff also make decisions about which land claims within the large number of undetermined claims should be processed first.

 

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Banner image used with permission.
Title: Forces of Nature
Artist: Lee Hampton – Koori Kicks Art
Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 

Parliamentary reference - Report number #365 - released 28 April 2022.

Published

Compliance with the NSW Cyber Security Policy

Whole of Government
Compliance
Cyber security
Information technology

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

  • met their reporting obligations under the CSP
  • reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

  • the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
  • the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
  • each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
  • none of the participating agencies had implemented all of the Essential 8 controls
  • agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
  • there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

  • monitor and report compliance with the CSP
  • require agencies to report the target and achieved levels of maturity
  • require agencies to justify why it is appropriate to target a low level of maturity
  • require the agency head to formally accept the residual risk
  • challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

Fast facts

The NSW Cyber Security Policy requires agencies to report their level of maturity implementing the mandatory requirements, which includes the ACSC's Essential 8.

  • 100% of audited agencies failed to reach level one maturity for at least three of the Essential 8 controls.

  • 53% of mandatory requirements implemented in an ad hoc or inconsistent manner, or not at all.

  • 89 of the 104 reporting agencies across government met the reporting deadline of 31 August.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year1. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector2, a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

  • Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
  • Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
  • Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
  • Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
  • Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

  • assessed its cyber security risks
  • appropriately addressed cyber security at agency governance forums
  • a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
  • certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
  • a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

  • met their reporting obligations under the CSP
  • provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
  • achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

Conclusion

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies.
The NSW CSP replaced the NSW Digital Information Security Policy from 1 February 2019. New requirements of the CSP were, inter alia, to strengthen cyber security governance, strengthen cyber security controls and improve cyber security culture.
The CSP is not achieving the objective of improved cyber governance, controls and culture because:
  • The CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8 Strategies to Mitigate Cyber Security Incidents.
  • The CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed.
  • All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis.
  • None of the participating agencies had implemented all of the Essential 8 controls to at least level one.
  • Agencies tended to over-assess their cyber security maturity, with all nine participating agencies unable to support some of their self-assessments of compliance with one or more mandatory criteria. Optimistic assessment of the current state of cyber resilience undermines effective decision making and risk management in responding to cyber risks.
  • There is no systematised and formal monitoring, by either Cyber Security NSW or another agency, of the adequacy or accuracy of agencies' cyber self-assessment processes.

 

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy3.

The Australian Signals Directorate4 currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

  • 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
  • 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

  • obtaining objective assurance over the accuracy of self-assessments
  • requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

  • the target level of maturity for each mandatory requirement they have determined appropriate for their agency
  • the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

  • compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
  • refer to the CSP guidance when determining their current level of maturity
  • ensure the attestations they make refer to departures from the CSP
  • have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

1 ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au
2 Sustained targeting of the health sector | Cyber.gov.au
3 ACSC Essential Eight Maturity Model (June 2020)
4 Australian Signals Directorate

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision6 of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

2019 reporting template 2020 reporting template
‘A Mandatory Requirement is considered met if a maturity level of three is achieved. The Agency may choose to pursue a higher maturity level if required.

There is no mandated level for the Essential 8 Maturity reporting’.

 ‘There is no mandated maturity level for either the Mandatory Requirement reporting or Essential 8 reporting. Agencies need to risk-assess their optimal maturity and aim to be 'as high as possible’.
Source: Maturity Reporting Template v4.0, February 2019.
Source: CSP Reporting Template 2020, May 2020.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

Source: Overview of Protective Security Requirements, New Zealand Government (PSR-Overview-booklet.pdf (protectivesecurity.govt.nz).

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

  • Lead: Planning and governance requirements. Section 2.1
  • Prepare: Cyber security culture requirements. Section 2.2
  • Prevent: Managing cyber incident prevention requirements. Section 2.3
  • Detect/Respond/Recover: Resilience requirements. Section 2.4
  • Report: Reporting requirements. Section 2.5.

 

6The reporting template issued in 2019 required agencies to reach level three, but that guidance was removed in the 2020 revision.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

View our audit program
View audit program
EXPLORE
upcoming audits
Have your say
CONTRIBUTE