What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

• Integrity and transparency
• Performance and monitoring
• Governance and oversight
• Cyber security and data
• System planning for disruption
• Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

• Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
• Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
• Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

What the report is about

The report examined whether Transport for NSW (TfNSW) and Infrastructure NSW (INSW) effectively assessed and justified major scope changes to the WestConnex project since 2014.

What we found

NSW Government decisions to fund WestConnex-related projects outside WestConnex's $16.812 billion budget have reduced transparency and understate the full cost of WestConnex.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency over the cost of the road component of Sydney Gateway. $1.76 billion of the cost to complete Sydney Gateway is funded outside the WestConnex budget.

Network integration costs, currently estimated at $2.3 billion, are also funded outside the WestConnex budget. Many of these costs are directly attributable to WestConnex and ought to be included in the reported budget.

The Parramatta Road Urban Amenity Improvement Program, costing $198 million, should also be included as part of the WestConnex reported budget.

Decisions to exclude or remove these elements from WestConnex without justification have seen $4.26 billion of projects funded outside the $16.8 billion budget.

Positively, robust analysis was used to develop and incorporate design improvements into the 2015 WestConnex Updated Strategic Business Case.

The separate components of WestConnex underwent all required assurance reviews. However, the NSW Government's assurance framework does not require ongoing ‘whole-of-program’ assurance for large and complex projects like WestConnex. The absence of a holistic review of WestConnex allows for some costs and benefits to avoid scrutiny.

What we recommended

TfNSW should:

• review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects
• ensure that estimated costs and benefits of works which are reasonably required to meet consent conditions are included in business cases for complex large infrastructure projects
• establish centralised and project specific record keeping for major infrastructure projects.

Infrastructure NSW should provide transparent whole of program assurance on total costs and benefits when complex projects are split into sub-projects.

Government should consider enhancing public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole-of-program level.

WestConnex

WestConnex is a 33 km motorway network that will link the western and south‑western suburbs with the Sydney CBD and the Airport and Port Botany precinct. It will also connect with proposed future motorway links to the north shore, northern beaches, and southern Sydney. The project is being delivered in three stages, with completion scheduled for 2023.

When first conceived by Infrastructure NSW (INSW) in 2012, WestConnex was described as a single integrated concept. In August 2013, government approved a business case for an integrated concept of WestConnex, with an estimated cost of $14.881 billion (in nominal outturn costs). Transport for NSW (TfNSW) is the government agency (sponsor agency) accountable for the delivery of WestConnex in accordance with the business case. In August 2014, the NSW Government established the Sydney Motorway Corporation to fund, deliver and operate WestConnex.

In November 2015, the NSW Government publicly released an updated WestConnex business case with greater detail and design enhancements, which increased the estimated cost to $16.812 billion.

Subsequent to this update, further changes were made to the design, including realignment of the M4 to M5 Link connection to the Western Harbour Tunnel project, an expanded interchange at Rozelle, the deletion of the Camperdown Intersection, and the addition of the Iron Cove Link. The reported budget for WestConnex was not changed as a result of these design updates.

To fund WestConnex, Sydney Motorway Corporation consolidated a concessional loan of $2 billion from the Australian Government, private sector debt and equity funding from the State. The Australian Government also provided a $1.5 billion contribution to the State to partially fund construction of WestConnex.

In August 2018, the NSW Government sold 51 per cent of its stake in Sydney Motorway Corporation for $9.26 billion. At the time of writing, the NSW Government is in the process of selling its remaining 49 per cent stake of Sydney Motorway Corporation.

About this audit

In the course of delivering a complex major infrastructure project, it is reasonable to expect changes to the original design and scope. Changes may occur as the design moves from a high‑level concept to a detailed design for project delivery, as new risks or issues are identified, as demands change, or as other interdependent projects are approved. Changes can also occur in response to potential cost or delivery overruns which arise as a result of planning deficiencies. Where design and scope changes significantly change the project costs and/or expected benefits, the justification for these changes should be robust and transparent.

Following our 2014 performance audit, 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF) to improve accountability and transparency over major projects that are developed, procured, or delivered by government agencies. Under the framework, TfNSW, as project sponsor, is responsible for ensuring the WestConnex project meets all IIAF requirements. These include ensuring the project remains strategically aligned and viable, and benefits are on track. INSW is responsible for coordinating the assurance review process and reporting directly to NSW Cabinet on project delivery against time, budget and risks to project delivery.

The objective of this performance audit is to assess whether TfNSW and INSW effectively assessed and justified major scope changes to the WestConnex project since 2014.

1. Key findings

Government decisions to fund WestConnex related projects outside of WestConnex's $16.812 billion reported budget have reduced transparency over costs and understate the full cost of WestConnex

In 2015, the work required to integrate WestConnex with existing roads ('network integration') was funded as a separate project with an estimated cost of $1.534 billion outside the 2015 WestConnex budget of $16.812 billion. TfNSW then created the Network Integration Program to respond to the conditions of planning approval for WestConnex. The current estimated cost to deliver all network integration works is $2.3 billion.

Since the 2015 WestConnex Business Case, the NSW Government has removed several elements from the scope of WestConnex and funded them as separate projects, while keeping the published WestConnex budget at an estimated $16.812 billion. Projects removed include:

• Sydney Gateway, currently costed at $2.56 billion (with an $800 million contribution from WestConnex)
• Parramatta Road Urban Amenity Improvement Program, costed at $198 million in late 2018 and funded though new funding to the Greater Sydney Commission.

Together, these projects represent costs of $4.26 billion that are not included in the WestConnex budget, but are required for WestConnex to achieve the objectives of the 2013 and 2015 WestConnex Business Cases. The costs of these elements in supporting the objectives of WestConnex is not tracked centrally, and there is no single point of oversight over them. Exhibit 1 compares total WestConnex forecast costs (including related projects) between November 2015 and April 2021.

Many network integration costs are directly attributable to WestConnex and ought to be included in the reported budget for WestConnex

Prior to 2015, the scope of WestConnex included enabling works needed before or during construction, as well as funding for future works to address any adverse traffic outcomes created by WestConnex which become apparent after its opening. These works are also known as network integration works.

When government approved the 2015 WestConnex Business Case, it noted that the project would require $1.534 billion for network integration works to address the impacts of WestConnex on the road network. However, the WestConnex project budget of $16.812 billion did not include funding for network integration works. Instead, Roads and Maritime Services (RMS, now TfNSW) was to fund network integration through its normal budget allocation.

It is important to recognise these costs as part of the total WestConnex project cost because:

• TfNSW created the Network Integration Program to respond to network traffic and transport elements of the planning conditions of approval for WestConnex granted by the then NSW Department of Planning and Environment under the Environment, Planning and Assessment Act 1979.
• NSW Treasury guidelines for business cases note that accurate cost estimates include assessment of the financial impact of meeting the conditions of planning approval.
• Travel time and vehicle operating cost benefits attributed to the WestConnex project in the 2015 WestConnex Business Case assume that some network integration works, then costed at $373 million, were in place.

Refer to Appendix two for more detail on network integration works.

Some of the projects in the WestConnex Network Integration Program provide community and place benefits, such as parklands and cycleways. These benefits have not been attributed to WestConnex. Additionally, some network integration works are likely to deliver additional traffic related benefits to WestConnex. As the Network Integration Program’s primary purpose is to meet the conditions of planning approval for WestConnex, TfNSW should attribute all the costs and benefits of the program to WestConnex.

To September 2021, the total funded cost of the Network Integration Program is approximately $2.077 billion. TfNSW estimates that it will need a further $222 million to complete all expected network integration works.

The NSW Government's decision to separate Sydney Gateway from WestConnex has reduced transparency and accountability for TfNSW's underestimation of the cost of the road component of Sydney Gateway

Sydney Gateway is a high‑capacity connection between the new St Peters Interchange and the Sydney Airport and Port Botany precinct. It includes a road and rail components. The road component was included in the scope of WestConnex in the 2015 WestConnex Business Case. The November 2015 design, which TfNSW costed at $800 million, involved separate roadways from the St Peters Interchange to the International terminal, and to the domestic terminals and Mascot airport precinct.

By October 2016, TfNSW was aware that the $800 million budget for Sydney Gateway was insufficient and revised the forecast cost for the road component to $1.8 billion. The original cost estimate did not sufficiently consider the cost of:

• constructing a complex design adjacent to the airport precinct
• obtaining access to land required for the project
• managing environmental contamination.

On 9 August 2017, the then Minister for WestConnex announced that the Sydney Gateway project was not part of WestConnex.

The 2015 WestConnex Business Case notes that material changes to the WestConnex budget, funding, scope, or timeframe are subject to Cabinet approval processes. It states that, when seeking approval for material changes, the portfolio Minister will make a submission to the relevant Cabinet Committee. Changes in project scope required the approval of the then Cabinet Committee on Infrastructure and should have been endorsed by the WestConnex Interdepartmental Steering Committee.

TfNSW and the NSW Department of Premier and Cabinet (DPC) assert that there is no documentation to support the government’s decision to separate Sydney Gateway from the WestConnex Program, or the WestConnex Interdepartmental Steering Committee's endorsement of a submission to Cabinet seeking approval for the separation.

The established governance processes for major scope changes were not followed in this instance. The lack of transparency regarding government's decision to separate Sydney Gateway from WestConnex also reduces visibility of TfNSW's underestimation of the cost of delivering the road component of Sydney Gateway.

The November 2018 Final Business Case for Sydney Gateway, which was approved by the government, included an estimate of $2.45 billion (nominal outturn cost) for the road component. This estimate included an $800 million contribution from WestConnex. A more recent estimate (late 2020) for this project is $2.56 billion (nominal outturn cost).

The Parramatta Road Urban Amenity Improvement Program should be included as part of the WestConnex budget

A specific objective of the 2015 WestConnex Business Case was the creation of opportunities for urban renewal along and around Parramatta Road. The business case included an allocation of $198 million in the $16.812 billion WestConnex budget for the Parramatta Road Urban Amenity Improvement program, designed to implement aspects of the objective. In November 2018, the NSW Government removed the Parramatta Road Urban Amenity Improvement Program from the WestConnex program of works and reallocated the $198 million (inside the $16.812 billion WestConnex budget) for urban renewal works around the Rozelle Interchange. As part of this decision, government approved new funding of $198 million to the Greater Sydney Commission for the urban amenity program, outside the $16.812 billion WestConnex budget. This understates the cost of WestConnex meeting its objectives by $198 million.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

In August 2015, INSW conducted its first Gateway Review of WestConnex as a program consisting of composite projects. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or mega‑project. This is not inconsistent with the IIAF and all WestConnex related projects, including Sydney Gateway and the Network Integration Program, have undergone independent assurance reviews as individual projects under the IIAF.

Once a program like WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to provide independent assurance on the program as a whole until it is completed. This is then done as part of the Gateway review for benefits realisation, which examines whether project benefits are being measured and meet expectations. These individual projects are, in themselves, significant in scale and complexity. While addressing them as discrete components for the purposes of the assurance review process can be justified, the absence of strategic, holistic reviews of WestConnex allows for total costs and benefits to become opaque and avoid scrutiny. Programs of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

There is a lack of public transparency on the total costs and benefits of the WestConnex project

Prior to 2018, the Audit Office provided assurance on costs borne and levied by Sydney Motorway Corporation and its controlled entities. Since the NSW Government sold 51 per cent of its stake in WestConnex in August 2018, the Auditor‑General no longer has the mandate to provide this assurance. The Audit Office is also unable to provide any assurance regarding the performance of tolling concessions.

This means that the total costs of WestConnex, including those levied on road users through tolling, are not reported alongside the full cost of delivering the project. This information, and independent assurance over that information, would provide transparency and context to the outcome of government's sale of its interest in WestConnex.

To enhance the transparency of existing infrastructure assurance processes, government could consider requiring large and complex infrastructure programs to undergo periodic review at a whole‑of‑program level. This could take the form of annual reports to Parliament on the total costs and benefits of selected large and complex projects by the responsible agency. The reports could include an assessment of the cost to government and cost to the community of funding and financing. Independent assurance of the agency report would provide Parliament with greater confidence that infrastructure is delivered economically and providing value for money for the people of NSW.

The Australian National Audit Office provides similar assurance on selected Department of Defence acquisition projects as part of its annual Major Projects Report.

Design enhancements included in the 2015 WestConnex Updated Strategic Business Case were supported by robust analysis

The 2015 WestConnex Business Case contained more detail than the 2013 WestConnex business case. Design enhancements were made as a result of modelling analysis conducted over the two years since the 2013 business case. Enhancements included a full underground link between Kingsgrove and St Peters as part of the New M5 and re‑alignment of the M4‑M5 link tunnel (Stage 3) to include the Rozelle Interchange. The Rozelle Interchange will provide a direct connection to the Anzac Bridge and Victoria Road, and will enable a connection to the proposed Western Harbour Tunnel and Beaches Link. A map and description of these elements can be found at Exhibits 2 and 3 of this report.

In 2016, TfNSW revised the design of the M4‑M5 Link and Rozelle to address traffic and integration issues

As part of preparing the 2015 WestConnex Business Case, TfNSW prepared a Project Definition and Delivery Report (PDDR) for the M4‑M5 Link. This report describes the scope of the project, including a high‑level concept design. TfNSW identified limitations with the proposed design of the M4‑M5 in the PDDR, which it would need to address as the project moved to a detailed design stage. In particular, these limitations included:

• poor integration with the Bays Precinct masterplan
• traffic capacity constraints on Victoria Road and Anzac Bridge
• construction complexity.

Following a comprehensive review in mid‑2016, TfNSW changed the design of the M4‑M5 Link and Rozelle Interchange to address these limitations. These changes included:

• deletion of the Camperdown intersection to improve traffic conditions on Parramatta Road
• a fully underground and larger Rozelle Interchange with 10‑hectare dedicated parklands
• a toll‑free tunnel link from Iron Cove Bridge to Anzac Bridge
• increasing the lanes in the dual tunnels from three to four each way.

TfNSW documented, but did not publish, the rationale for the design changes, including how the changes addressed the limitations of the previous design while providing increased community benefit through the creation of open space. TfNSW undertook cost comparison studies which estimated that these changes would have a neutral impact on the estimated project cost while achieving the same or improved benefits.

TfNSW's record‑keeping systems for large infrastructure investments negatively impact accountability and transparency

In response to our formal requests for relevant information, made during the conduct of this audit, TfNSW advised that complete and valid records of key decision‑making processes, analysis and advice were unavailable. Additionally, TfNSW often provided information that was incomplete or unverifiable (for instance, unsigned briefing notes). This is not consistent with accepted governance practices and does not comply with the requirements of the State Records Act 1998.

We also requested that TfNSW provide a list of relevant documents held by the Sydney Motorway Corporation (SMC). While TfNSW acknowledged that SMC may hold material relevant to the audit, TfNSW did not have a list or description of these documents. As SMC is now a majority privately held entity, both the Audit Office and TfNSW have limited power to require SMC to provide documentation.

The delivery timeframe for large and complex infrastructure projects such as WestConnex frequently exceeds five years, and some projects can take over a decade to deliver. These projects represent a significant investment of public resources and government agencies should expect independent review and assurance activities such as performance audits. The establishment of dedicated record keeping facilities for major infrastructure projects, such as data rooms, would improve transparency and accountability. This would ensure that the use of public resources is fully auditable in line with public expectations and the requirements of the Government Sector Finance Act 2018, the State Records Act 1998 and the Public Finance and Audit Act 1983.

2. Recommendations

By December 2021, TfNSW should:

1. review the impact of scope changes on project objectives, costs and benefits for complex infrastructure projects

2. when preparing business cases for complex large infrastructure projects, ensure that the estimated costs and benefits of works which are reasonably expected to meet consent conditions are included in the overall project cost and its benefits (as per Treasury guidelines)

3. establish and maintain centralised and project‑specific record keeping, including through dedicated project data rooms, to ensure major infrastructure projects can readily be subject to external oversight and assurance.

By June 2022, INSW should:

4. provide transparent whole‑of‑program assurance on total costs and benefits throughout the project life‑cycle when complex projects are split into sub‑projects.

By June 2022, NSW Government should:

5. consider enhancing the public transparency of existing infrastructure assurance processes by requiring that large complex infrastructure programs undergo periodic review at a whole‑of‑program level. This could take the form of reports to Parliament on the total costs and benefits on selected large and complex projects by the responsible agency, including cost to government and cost to community of funding and financing, as well as an accompanying independent assessment of the agency report.

Following our 2014 performance audit report 'WestConnex: Assurance to the government', the NSW Government established the Infrastructure Investor Assurance Framework (IIAF). INSW is responsible for the development, implementation and administration of the IIAF. The assurance framework involves gateway reviews, health checks, deep dive reviews, and project monitoring and reporting at various stages in the lifecycle of a project. The main aims of the IIAF are to help ensure major infrastructure projects are delivered on time and on budget, and to ensure that reports are regularly monitored by the Cabinet of the NSW Government. The IIAF gateway review process is compulsory for all significant investments and expenditure under the NSW Treasury Gateway Policy.

In accordance with the IIAF, INSW is responsible for the following:

• providing a dedicated Assurance Team including Gateway Review Managers to coordinate Reviews
• determining appropriate expert reviewers, and manages scheduling, commissioning and administration of Assurance Review reports. Infrastructure NSW is independent of the Expert Review Team
• monitoring Tier 1 – High Profile/High Risk projects, Tier 2 and Tier 3 (if required) project performance through independent Assurance Reviews
• providing independent analysis and advice on key risks and any corrective actions recommended for Tier 1 – High Profile/High Risk, Tier 2 and Tier 3 projects
• escalating projects to Infrastructure Investor Assurance Committee (IIAC) and Cabinet where projects present ‘red flag issues’ and where corrective action is needed
• working with delivery agencies to register all capital projects with an estimated cost greater than $10.0 million and ensures they are risk profiled and assigned a risk‑based project tier with an endorsed IIAF Project Registration report
• preparing forward looking annual Cluster Assurance Plans
• maintaining and continuously improves the IIAF process
• reporting to the IIAC, Cabinet and Infrastructure NSW Board
• regularly report to NSW Treasury on the performance of the IIAF.

In relation to WestConnex, TfNSW is the sponsor agency responsible for meeting relevant IIAF requirements, including:

• registering and risk profiling projects
• IIAF gateway, health check, and deep dive assurance reviews
• regular reporting.

Under the IIAF, it is mandatory for all capital projects valued over $10.0 million to be registered with INSW. Capital projects can be registered either as a program (comprising of a group of related projects or activities) or as a project (which may or may not be part of a program).

According to the IIAF, programs tend to have a lifespan of several years and aim to deliver outcomes and benefits related to an organisation's strategic objectives. Projects tend to have a shorter lifespan, and deal with outputs. Projects can, however, be grouped under a single program if they are similar in nature or if they are aimed at collectively achieving a strategic objective. Complex projects can be delivered in multiple stages, under different contracts, and across different time periods.

The last assurance review of the entire WestConnex program of works as a whole was in 2015

INSW conducted the first IIAF gateway review of WestConnex in August 2015. TfNSW developed a draft WestConnex Updated Strategic Business Case to consolidate the latest analysis on WestConnex, and to confirm that the project remained fit for purpose, economically viable, and financially deliverable. The review followed a recommendation in our 2014 performance audit report that business cases be thoroughly revisited.

During September 2015, INSW conducted additional informal reviews to identify strategic risks associated with public release of the WestConnex business case. Subsequently, INSW gave the Premier of NSW its views on the draft business case, including the following points:

• The $398 million budget for Sydney Gateway was insufficient to meet the benefits claimed in the business case for a ‘functional’ connection to Sydney Airport and Port Botany. INSW studies indicate a future‑proof solution would require a minimum spend of $755 million.
• Enabling works for WestConnex estimated at $1.534 billion were excluded from the cost of WestConnex. Significant work remained for RMS to identify mitigation measures to address planning approvals and network performance issues.
• Enabling works (a Southern Connector), an access ramp and surface road improvements within St Peters were excluded from the draft 2015 business case despite their inclusion in the WestConnex scope in the 2014–15 State Budget.
• The overall cost of works not funded within the WestConnex budget ranged from $2.011 billion to $2.196 billion. This included the enabling works, access ramp and surface road improvements and the shortfall for Sydney Gateway.

All WestConnex related projects, including Sydney Gateway have undergone independent assurance reviews under the IIAF

Since INSW submitted the first WestConnex progress update report to Cabinet in June 2015, INSW has been reporting monthly on the different stages of the WestConnex Program, including Sydney Gateway, as the projects were registered with INSW as High‑Profile, High‑Risk projects. Separate reporting enabled INSW to report and review each stage with more detailed scrutiny, compared to the reporting and reviewing at a program level.

WestConnex Stage 2 (New M5) underwent both mandatory and non‑mandatory reviews at key points in the project lifecycle. Three mandatory gateway reviews – at Gate 2 (Final business case), Gate 3 (Readiness for market), and Gate 4 (Tender evaluation) – were conducted by TfNSW before the introduction of IIAF. Four non‑mandatory health check reviews and one non‑mandatory deep dive review were conducted after the introduction of the IIAF managed by INSW.

Similarly, WestConnex Stage 3 projects – M4‑M5 link, M4‑M5 Tunnels, and Rozelle Interchange – also underwent mandatory and non‑mandatory reviews at key points in their lifecycle under IIAF.

The M4‑M5 Link had two mandatory gateway reviews and one non‑mandatory health check review under IIAF. These reviews were conducted before Stage 3 was split into two stages, due to major design changes to the Rozelle Interchange and the M4‑M5 tunnels.

The M4‑M5 tunnels had two mandatory gateway reviews (at Gates 3 and 4), one non‑mandatory health check review, and one non‑mandatory deep dive review under IIAF.

Rozelle Interchange also underwent three mandatory gateway reviews at Gate 3 (part 1), Gate 3 (part 2), and Gate 4, two non‑mandatory health check reviews, and one non‑mandatory deep dive review under IIAF.

Since mid‑2017, the Sydney Gateway project has undergone required independent assurance reviews, as well as a number of optional assurance reviews

In November 2016, INSW conducted a mandatory Gate 1 gateway review on a strategic business case for the Sydney Gateway Project. TfNSW did not proceed with this business case. Following the separation of Sydney Gateway from WestConnex in mid‑2017, TfNSW developed a new business case for Sydney Gateway. It has undergone the required Gate 1, Gate 2, and Gate 3 gateway reviews, as well as two non‑mandatory health check reviews, and three non‑mandatory deep dive reviews under IIAF.

Network integration works have undergone all IIAF required assurance reviews

TfNSW completed a strategic business case for the Network Integration Program in August 2020, and INSW completed a gateway review in November 2020. This is despite network integration projects starting as early as 2015, with $645 million having been spent by June 2020. The strategic business case included a prioritisation process for completing remaining works in the program. Prior to November 2020, TfNSW registered individual network integration projects with INSW, and these projects have undergone gateway reviews where required.

The Network Integration Program strategic business case does not include Rozelle interchange network integration works ($353 million) and additional network integration works to settle a contractor claim adjacent to St Peters Interchange ($190 million). These were excluded from the business case on the basis they had already been approved by government, and as such were not subject to the prioritisation elements of the business case. TfNSW has not developed separate business cases for these works, although the scope of the St Peters Interchange works was developed through a negotiated process.

TfNSW did not prepare business cases for some network integration works which have commenced, including the $323 million Campbell Road/Euston Road works

Prior to its development of the August 2020 strategic business case, TfNSW did not prepare business cases for many network integration works that have commenced, and in some instances were completed, before 2019. Significantly, TfNSW did not prepare a business case for the Campbell Road/Euston Road works, which cost $323 million and have been completed.

In 2016, TfNSW’s Business Case Policy requires the creation of business cases for capital projects costing over $1.0 million. At the time of writing this report, TfNSW’s draft policy requires full business cases for capital projects costing $10.0 million or more.

There is no requirement for ongoing ‘whole‑of‑program’ assurance of the WestConnex program of works, including related projects

INSW conducted its first gateway review of WestConnex (as a program, which consisted of composite projects) in August 2015. Following that review, TfNSW registered each of the components of WestConnex with INSW as individual projects, rather than keeping WestConnex registered as a program or complex project. The IIAF allows this to occur.

Separate registration enabled INSW to report and review each stage with more scrutiny compared to whole‑of‑program level review.

Such an approach has merit, considering the individual stages (and components of these stages) are multi‑million dollar works in their own right. Each project has its own timing for gateway reviews at stages such as 'Readiness for Market' and 'Tender Evaluation'.

Once a program such as WestConnex is broken down into its composite parts, there is no requirement for the sponsor agency (TfNSW) or INSW to conduct independent assurance on the program of works as a whole until the whole program is completed as part of the Benefits Realisation (Gate 6) gateway review. The absence of strategic, holistic reviews of projects of the scale and complexity such as WestConnex during their delivery allows for total costs and benefits to become opaque and avoid scrutiny. Projects of this scale require greater ongoing transparency on total costs and benefits in order to ensure confidence they will meet intended objectives within budget.

INSW has advised us that it has prepared a proposal to expand its assurance function to include whole‑of‑program review of inter‑related infrastructure projects.

Appendix one – Responses from agencies

Appendix two – Network integration works

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #351 - released (17 June 2021).

The Auditor-General for New South Wales, Margaret Crawford, has today released a report on Transport for NSW’s (TfNSW) acquisition of 4–6 Grand Avenue in Camellia.

This audit, which was requested on 17 November 2020 by the Hon. Andrew Constance MP, the Minister for Transport and Roads, examined:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

The audit found that TfNSW conducted an ineffective process when it purchased 4–6 Grand Avenue, Camellia. The audit also found that TfNSW’s internal policies and procedures to guide the transaction were, and continue to be, insufficient.

The Auditor-General has made seven recommendations to address the issues identified in the report.

On 17 November 2020, the Hon. Andrew Constance MP, the Minister for Transport and Roads, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983.

On 15 June 2016, Transport for New South Wales (TfNSW) acquired 6.3 hectares of land at 4–6 Grand Avenue, Camellia, by agreement from Grand 4 Investments Pty Ltd. Grand 4 Investments was a business entity established by the owners of Billbergia Pty Ltd, a property development and investment company.

TfNSW paid Grand 4 Investments $53.5 million and assumed liability for addressing environmental issues and contamination associated with the site. This took place seven months after the vendor acquired the land as part of a competitive Expression of Interest process, in which TfNSW also participated, for $38.15 million.

TfNSW is the NSW Government agency responsible for most major transport infrastructure projects in New South Wales. TfNSW acquired the Camellia site for use as a stabling and maintenance depot to support the Parramatta Light Rail (PLR) project.

Consistent with the minister’s request, this audit assessed:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

In considering the effectiveness of the processes for this purchase, the audit considered:

• the requirements of the Land Acquisition (Just Terms Compensation) Act 1991 (the Act)
• the application of sound processes to manage risk to the NSW Government and to achieve value for money
• the application of disciplines associated with complex procurement, such as probity, in a NSW Government context.

In 2015, TfNSW identified that it would require a stabling and maintenance depot in the Camellia area for the Parramatta Light Rail

In 2014, TfNSW commissioned an external engineering consultancy to undertake a feasibility design study for the Parramatta Light Rail - the Parramatta Transport Corridor Strategy Feasibility Design study (herein referred to as ‘the feasibility study’). In early 2015, TfNSW received the feasibility study, which was one of several key sources that informed the development of business cases for the PLR.

The feasibility study recommended that TfNSW should consolidate the maintenance and cleaning operations with overnight stabling facilities on one site. The study noted that the optimal location for any such site would be in close proximity to the proposed network, and noted that the site must have access to road connections to accommodate access for cars and trucks.

The study found that a centrally located stabling and maintenance facility would be required for all routes serving the Parramatta CBD, and that the Camellia industrial area was a preferred location for such a facility. The study noted that the Camellia area was contaminated.

The feasibility study notes that its conclusions were based on assumptions about the light rail system adopted and decisions made by the future operator of the system, who had not yet been selected or appointed.

TfNSW's decision to progress a potential acquisition in 2015 considered the risk that the site may not be required

TfNSW's FIC was responsible for making decisions on funding allocations at a whole of program level within TfNSW. FIC was also responsible for approving ‘high-risk/high-value’ variations to program budgets. Members of the FIC included:

• Secretary of Transport for NSW
• Deputy Secretary, Infrastructure and Services
• Deputy Secretary, Freight, Strategy and Planning
• Deputy Secretary, Customer Services
• Deputy Secretary Finance and Investment
• Deputy Secretary People and Corporate Services.

An April 2015 submission, from the then Deputy Director-General to the agency’s FIC, sought authorisation and funding approval to participate in an Expression of Interest sale process. It noted the risk that the project may not go ahead. The submission advised that:

By acquiring a strategic site now, it reduces the risk of having to pay an improved value or a value that may be subject to rapidly improving land values due to changes in land use and rezoning.

The property can be acquired for the project, held strategically and income generated by leasing the site as hardstand ¹ space until the project requires the land for the Parramatta Light Rail project.

If the project does not proceed in the medium to longer term, the property can be sold at a premium to what has been paid today as property fundamentals improve.

This submission acknowledged the risks associated with environmental contamination and proposed that these risks would be managed by negotiating a contract where the remediation and associated expenses would be at the landowner’s cost. 

TfNSW assessed the 4–6 Grand Avenue site as one of several sites in Camellia that was a feasible location for a stabling and maintenance facility

The Departmental feasibility study assessed six potential sites for a stabling and maintenance facility, including 4–6 Grand Avenue, noting strengths and weaknesses of each site. A different site on Grand Avenue was assessed as the ‘base case’ option (1 Grand Avenue). The study’s comments on the 4–6 Grand Avenue site included the following:

With an area of approximately 63,000m², this site has sufficient space for a depot with the required stabling yard and maintenance facilities. The location allows for good road access and LRT [light rail transit] access would be from Grand Avenue, which may require a road crossing or signalised intersection. The site has been used for general industrial uses; however the land has been cleared and is currently undergoing remediation ². The site is not affected by flooding based on one in 100-year flood data.

In early 2015, once the opportunity to acquire 4–6 Grand Avenue emerged, TfNSW commissioned a specific feasibility study of the 4–6 Grand Avenue site. The feasibility studies clearly documented the existence of environmental contamination. In April 2015, the report concluded:

Given the limitations of this report and within the parameters that have been set it is concluded that from a spatial and geographic perspective the site at 6 Grand Avenue would be suitable as a stabling and maintenance depot for the Parramatta light rail project. There are few engineering and environmental constraints that would affect the feasibility level analysis of this site and all issues identified, within this desk study, are considered to be resolvable. However this being said there is a significant amount of work necessary to reach the final layout and definition of the stabling and maintenance depot. There are numerous items which require further consideration and conformation; planning approvals could impose restrictions on building heights, noise mitigation measures, light and visual impact requirements all of which can have significant impacts on the spatial requirements of any stabling and maintenance depot. 

The acquisition of 4–6 Grand Avenue was not informed by a Property Acquisition Strategy

For major projects, TfNSW typically requires the project team to complete a Property Acquisition Strategy, which is intended to guide both process as well as specific acquisition issues expected to be faced during the project. The Property Acquisition Strategy is not a mandated document but is a recommended tool to support property acquisition as part of major projects.

TfNSW did not have a Property Acquisition Strategy in place to guide the 2015 Expression of Interest process. On 6 November 2015, the then Project Director for the PLR project emailed the property team, noting a need to develop a Property Acquisition Strategy to close off the scoping design and preliminary business case.

In January 2016, TfNSW developed a draft Property Acquisition Strategy for the Parramatta Light Rail Project, although it was silent on the potential sites for the stabling and maintenance facility.

TfNSW focussed on 4–6 Grand Avenue because it was available and aligned to TfNSW's strategic interests

In early 2015, officials commenced monitoring the market for industrial real estate in the Camellia area and surrounds for possible sites for a stabling and maintenance facility.

In March 2015, then owner of the site, Akzo Nobel Pty Limited released the 4–6 Grand Avenue site through an Expression of Interest process managed by CBRE.

TfNSW’s then Deputy Director-General, Planning, sought approval from FIC to lodge an Expression of Interest up to $30.0 million. Approval was sought on the basis that it would ‘provide certainty for the Parramatta Light Rail project by allowing for a depot site in a suitable location and potentially avoid higher costs or longer timeframes associated with compulsory acquisition following completion of the project’s business case’. FIC approved the request at its meeting on 9 April 2015.

At this time, TfNSW had not conducted any analysis of financial or operational benefits and costs of the potential sites identified in earlier feasibility studies. TfNSW staff advised us that the decision to participate in the Expression of Interest process for 4–6 Grand Avenue was because it was available. There is no documentation substantiating this statement, which TfNSW staff provided verbally as part of this audit.

In November 2015, TfNSW was advised that it was unsuccessful in the Expression of Interest process and that Grand 4 Investments (a related entity of Billbergia) had purchased 4–6 Grand Avenue. TfNSW did not conduct any further analysis of alternative potential sites in Camellia between this date and commencing discussions with Grand 4 Investments in April 2016. In that time there had been some movement on other properties that were included in the feasibility study, including 37–39a Grand Avenue being under offer in September 2015.

In March 2016, TfNSW approached CBRE to organise a meeting with Grand 4 Investments. On 1 April 2016, TfNSW met with Grand 4 Investments.

TfNSW advises that a perceived benefit of the 4–6 Grand Avenue site was that it was not subject to other uses or leaseholds that would increase the cost of compulsory acquisition. Officers involved in the acquisition advised that other nominated sites in the feasibility study were subject to other uses or leaseholds. 

Appendix one – Response from agency 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #349 - released (18 May 2021).

This is a follow-up to the Auditor-General's November 2016 report on the CBD South East Sydney Light Rail project. This follow-up report assessed whether Transport for NSW has updated and consolidated information about project costs and benefits.

The audit found that Transport for NSW has not consistently and accurately updated project costs, limiting the transparency of reporting to the public.

The Auditor-General reports that the total cost of the project will exceed $3.1 billion, which is above the revised cost of $2.9 billion published in November 2019. $153.84 million of additional costs are due to omitted costs for early enabling works, the small business assistance package and financing costs attributable to project delays.

The report makes four recommendations to Transport for NSW to publicly report on the final project cost, the updated expected project benefits, the benefits achieved in the first year of operations and the average weekly journey times.

Read full report (PDF)

The CBD and South East Light Rail is a 12 km light rail network for Sydney. It extends from Circular Quay along George Street to Central Station, through Surry Hills to Moore Park, then to Kensington and Kingsford via Anzac Parade and Randwick via Alison Road and High Street.

Transport for NSW (TfNSW) is responsible for planning, procuring and delivering the Central Business District and South East Light Rail (CSELR) project. In December 2014, TfNSW entered into a public private partnership with ALTRAC Light Rail as the operating company (OpCo) responsible for delivering, operating and maintaining the CSELR. OpCo engaged Alstom and Acciona, who together form its Design and Construct Contractor (D&C).

On 14 December 2019, passenger services started on the line between Circular Quay and Randwick. Passenger services on the line between Circular Quay and Kingsford commenced on 3 April 2020.

In November 2016, the Auditor-General published a performance audit report on the CSELR project. The audit found that TfNSW would deliver the CSELR at a higher cost with lower benefits than in the approved business case, and recommended that TfNSW update and consolidate information about project costs and benefits and ensure the information is readily accessible to the public.

In November 2018, the Public Accounts Committee (PAC) examined TfNSW's actions taken in response to our 2016 performance audit report on the CSELR project. The PAC recommended that the Auditor-General consider undertaking a follow-up audit on the CSELR project. The purpose of this follow-up performance audit is to assess whether TfNSW has effectively updated and consolidated information about project costs and benefits for the CSELR project.

Appendix one – Response from agency

Appendix two – Governance and reporting arrangements for the CSELR

Appendix three – 2018 CSELR governance changes

Appendix four – About the audit

Appendix five – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #335 - released 11 June 2020

This report focuses on how Transport for NSW and Sydney Trains manage crowding at selected metropolitan train stations.

The audit found that while Sydney Trains has identified platform crowding as a key strategic risk, it does not have an overarching strategy to manage crowding in the short to medium term. Sydney Trains 'do not have sufficient oversight to know if crowding is being effectively managed’, the Auditor-General said.

Sydney Trains' operational response to crowding involves restricting customer access to platforms or station entries before crowding reaches unsafe levels or when it impacts on-time running. Assuming rail patronage increases, it is likely that Sydney Trains will restrict more customers from accessing platforms or station entries, causing customer delay. ‘Restricting customer access to platforms or station entries is not a sustainable approach to manage station crowding’, said the Auditor-General.

The Auditor-General made seven recommendations to improve Transport for NSW and Sydney Trains' management of station crowding. Transport for NSW have accepted these recommendations on behalf of the Transport cluster.

Public transport patronage has been impacted by COVID-19. This audit was conducted before these impacts occurred.

Read full report (PDF)

Sydney Trains patronage has increased by close to 34 per cent over the last five years, and Transport for NSW (TfNSW) expects the growth in patronage to continue over the next 30 years. As patronage increases there are more passengers entering and exiting stations, moving within stations to change services, and waiting on platforms. As a result, some Sydney metropolitan train stations are becoming increasingly crowded.

There are three main causes of station crowding:

• patronage growth exceeding the current capacity limits of the rail network
• service disruptions
• special events.

Crowds can inhibit movement, cause discomfort and can lead to increased health and safety risks to customers. In the context of a train service, unmanaged crowds can affect service operation as trains spend longer at platforms waiting for customers to alight and board services which can cause service delays. Crowding can also prevent customers from accessing services.

Our 2017 performance audit, ‘Passenger Rail Punctuality’, found that rail agencies would find it hard to maintain train punctuality after 2019 unless they significantly increased the capacity of the network to carry trains and people. TfNSW and Sydney Trains have plans to improve the network to move more passengers. These plans are set out in strategies such as More Trains, More Services and in the continued implementation of new infrastructure such as the Sydney Metro. Since 2017, TfNSW and Sydney Trains have introduced 1,500 more weekly services to increase capacity. Additional network capacity improvements are in progress for delivery from 2022 onwards.

In the meantime, TfNSW and Sydney Trains need to use other ways of managing crowding at train stations until increased capacity comes on line.

This audit examined how effectively TfNSW and Sydney Trains are managing crowding at selected metropolitan train stations in the short and medium term. In doing so, the audit examined how TfNSW and Sydney Trains know whether there is a crowding problem at stations and how they manage that crowding.

TfNSW is the lead agency for transport in NSW. TfNSW is responsible for setting the standard working timetable that Sydney Trains must implement. Sydney Trains is responsible for operating and maintaining the Sydney metropolitan heavy rail passenger service. This includes operating, staffing and maintaining most metropolitan stations. Sydney Trains’ overall responsibility is to run a safe rail network to timetable.

Appendix one – Response from agency

Appendix two – Sydney rail network

Appendix three – Rail services contract

Appendix four – Crowding pedestrian modelling

Appendix five – Airport Link stations case study

Appendix six – About the audit

Appendix seven – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #333 - released 30 April 2020

The Auditor-General for New South Wales, Margaret Crawford released her report today on the Family and Community Services cluster. The report focuses on key observations and findings from the most recent financial audits of agencies in the cluster. Cluster entities received unqualified audit opinions for their 30 June 2018 financial statements. Opportunities to improve the quality of financial reporting were identified and reported to management.

This report analyses the results of our audits of financial statements of the Family and Community Services cluster for the year ended 30 June 2018. The table below summarises our key observations.

This report provides NSW Parliament and other users of the financial statements of Family and Community Services' agencies with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• service delivery.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Family and Community Services cluster for 2018.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

• our financial statement audits of agencies in the Family and Community Services cluster for 2018
• the areas of focus identified in the Audit Office annual work program.

The Audit Office Annual Work Program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each NSW Government cluster.

This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by Cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited.

In our recent performance audit, Progress and measurement of Premier's Priorities, we identified 12 limitations of performance measurement and performance data. We recommended that the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all agency data sources.

Appendix one - List of 2018 recommendations

Appendix two - Status of previous recommendations    

Appendix three - Summary financial information

Appendix four - Cluster information

The Auditor-General for New South Wales, Margaret Crawford released her report today on key observations and findings from the 30 June 2018 financial statement audits of agencies in the Transport cluster. Unqualified audit opinions were issued for all agencies' financial statements. However, assessing the fair value of the broad range of transport related assets creates challenges.

This report analyses the results of our audits of financial statements of the Transport cluster for the year ended 30 June 2018. The table below summarises our key observations.

This report provides Parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2018.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from:

• our financial statement audits of agencies in the Transport cluster for 2018
• the areas of focus identified in the Audit Office annual work program.

The Audit Office Annual Work Program provides a summary of all audits to be conducted within the proposed time period as well as detailed information on the areas of focus for each of the NSW Government clusters. 

This chapter outlines certain service delivery outcomes for 2017–18. The data on activity levels and performance is provided by Cluster agencies. The Audit Office does not have a specific mandate to audit performance information. Accordingly, the information in this chapter is unaudited. 

We report this information on service delivery to provide additional context to understand the operations of the Transport cluster and to collate and present service information for different modes of transport in one report. 

In our recent performance audit, Progress and measurement of Premier's Priorities, we identified 12 limitations of performance measurement and performance data. We recommended that the Department of Premier and Cabinet ensure that processes to check and verify data are in place for all agency data sources.

Appendix one - Status of 2016 and 2017 recommendations

Appendix two - Cluster agencies 

Appendix three - Financial data 

Appendix four - Bus contracts regions 

Agencies need to do more to address risks posed by information technology (IT).

Effective internal controls and governance systems help agencies to operate efficiently and effectively and comply with relevant laws, standards and policies. We assessed how well agencies are implementing these systems, and highlighted opportunities for improvement.
 

1. Overall trends

2. Information Technology

3. Asset Management

4. Governance

5. Ethics and Conduct

6. Risk Management 

This report covers the findings and recommendations from our 2016–17 financial audits related to the internal controls and governance of the 39 largest agencies (refer to Appendix three) in the NSW public sector. These agencies represent about 95 per cent of total expenditure for all NSW agencies and were considered to be a large enough group to identify common issues and insights.

The findings in this report should not be used to draw conclusions on the effectiveness of individual agency control environments and governance arrangements. Specific financial reporting, controls and service delivery comments are included in the individual 2017 cluster financial audit reports tabled in Parliament from October to December 2017.

This new report offers strategic insight on the public sector as a whole

In previous years, we have commented on internal control and governance issues in the volumes we published on each ‘cluster’ or agency sector, generally between October and December. To add further value, we then commented more broadly about the issues identified for the public sector as a whole at the start of the following year.

This year, we have created this report dedicated to internal controls and governance. This will help Parliament to understand broad issues affecting the public sector, and help agencies to compare their own performance against that of their peers.

Without strong control measures and governance systems, agencies face increased risks in their financial management and service delivery. If they do not, for example, properly authorise payments or manage conflicts of interest, they are at greater risk of fraud. If they do not have strong information technology (IT) systems, sensitive and trusted information may be at risk of unauthorised access and misuse.

These problems can in turn reduce the efficiency of agency operations, increase their costs and reduce the quality of the services they deliver.

Our audits do not review every control or governance measure every year. We select a range of measures, and report on those that present the most significant risks that agencies should mitigate. This report divides these into the following six areas:

1. Overall trends
2. Information technology
3. Asset management
4. Governance
5. Ethics and conduct
6. Risk management.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations.

This chapter outlines the overall trends for agency controls and governance issues, including the number of findings, level of risk and the most common deficiencies we found across agencies. The rest of this volume then illustrates this year’s controls and governance findings in more detail.

Information technology (IT) has become increasingly important for government agencies’ financial reporting and to deliver their services efficiently and effectively. Our audits reviewed whether agencies have effective controls in place over their IT systems. We found that IT security remains the source of many control weakness in agencies.

Agency service delivery relies on developing and renewing infrastructure assets such as schools, hospitals, roads, or public housing. Agencies are currently investing significantly in new assets. Agencies need to manage the scale and volume of current capital projects in order to deliver new infrastructure on time, on budget and realise the intended benefits. We found agencies can improve how they:

• manage their major capital projects
• dispose of existing assets.

Governance refers to the high-level frameworks, processes and behaviours that help an organisation to achieve its objectives, comply with legal and other requirements, and meet a high standard of probity, accountability and transparency.

This chapter sets out the governance lighthouse model the Audit Office developed to help agencies reach best practice. It then focuses on two key areas: continuous disclosure and shared services arrangements. The following two chapters look at findings related to ethics and risk management.

All government sector employees must demonstrate the highest levels of ethical conduct, in line with standards set by The Code of Ethics and Conduct for NSW government sector employees.

This chapter looks at how well agencies are managing these requirements, and where they can improve their policies and processes.

We found that agencies mostly have the appropriate codes, frameworks and policies in place. But we have highlighted opportunities to improve the way they manage those systems to reduce the risks of unethical conduct.

Risk management is an integral part of effective corporate governance. It helps agencies to identify, assess and prioritise the risks they face and in turn minimise, monitor and control the impact of unforeseen events. It also means agencies can respond to opportunities that may emerge and improve their services and activities.

This year we looked at the overall maturity of the risk management frameworks that agencies use, along with two important risk management elements: risk culture and risk registers.

Effective risk management can improve agency decision-making, protect reputations and lead to significant efficiencies and cost savings. By embedding risk management directly into their operations, agencies can also derive extra value for their activities and services.

This report focuses on key observations and findings from 2016 audits and highlights key areas of focus for financial and performance audits in 2017.

All material misstatements identified by agencies and audit teams were corrected before the financial statements and audit opinions were signed. A material misstatement relates to an incorrect amount, classification, presentation or disclosure in the financial statements that could reasonably be expected to influence the economic decisions of users.  

Significant matters reported to the portfolio Minister, Treasurer and Agency Head

In 2015–16, we reported the following significant matters to the portfolio Minister, Treasurer and agency head in our Statutory Audit Reports:

 Appropriate financial controls help ensure the efficient and effective use of resources and the implementation and administration of agency policies. They are essential for quality and timely decision making.  

In 2015–16, our audit teams made the following key observations on the financial controls of NSW public sector agencies.