What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

• The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
• The need to finalise a Traffic Mitigation Plan for when the network is congested.
• The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
• The need to clarify how encryption and interoperability will work on the enhanced network.
• The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
• Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

• NSW Ambulance
• Fire and Rescue NSW
• NSW Police Force
• NSW Rural Fire Service
• NSW State Emergency Service.¹

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.²

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

• to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
• to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

• it was expressly included in the original approved March 2016 business case
• the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

• funding would be coordinated by the NSW Telco Authority
• scheduling and reporting through an inter-agency working group and
• where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

• decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
• effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
• costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

• $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
• $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

• budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
• the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
• the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #383 - released 23 June 2023

Click here for the Easy English version of the report highlights

The Easy English version of the report highlights is intended to meet the needs of some people with lower literacy skills, some people with an intellectual disability, and some people from different cultural backgrounds.

The Easy English document is not the final audit report that has been prepared and tabled in NSW Parliament under s.38EB and s.38EC of the Government Sector Audit Act 1983. It should not be relied on or quoted from as the final audit report.

What this report is about

This audit assessed whether NSW Trustee and Guardian is effectively delivering public guardianship and financial management services in line with legislative requirements and standards.

What we found

NSW Trustee and Guardian is delivering guardianship and financial management services in line with its broad legal authority.

However, NSW Trustee and Guardian does not have sufficient oversight to ensure that its services are consistent with legislative principles which aim to promote positive client outcomes.

The agency's governance and practices could be better supported by relevant training and guidance to account for the diversity of its clients.

It does not track the actual costs of service delivery, the quality of services or client experiences and key findings from previous reviews remain unresolved.

Government funding for public guardianship services and direct financial management services for low-wealth clients has not kept pace with the growth in clients.

There is a risk that some fee-paying clients are unknowingly subsidising others.

NSW Trustee and Guardian has applied additional funding to increase frontline staff, but gaps in monitoring and IT system constraints create a risk that it will not address service quality issues, nor be able to demonstrate the impact of this new funding.

What we recommended

We recommended that NSW Trustee and Guardian:

• Broaden governance arrangements to enable input to key decisions from people with lived experience, relevant peak bodies and representatives of diverse communities.
• Implement mechanisms to seek feedback on the effectiveness and quality of services from clients under orders.
• Assess staff competency and implement regular training in effectively serving clients with disability, dementia, mental illness, cognitive impairments and other factors relevant to decision-making incapacity.
• Implement a risk-based quality framework to assess whether public guardian and financial management decisions are in line with policy and the legislative principles.
• Improve data collection and monitoring to track performance, the costs to serve, and client outcomes and report on these publicly.

NSW Trustee and Guardian is a NSW Government agency in the Stronger Communities cluster. It supports the NSW Trustee and the Public Guardian in the exercise of their statutory functions. It is accountable to the relevant Minister, the Attorney General.

The legislative responsibilities for the Public Guardian and the NSW Trustee are provided in separate statutes (NSW Trustee and Guardian Act 2009 and Guardianship Act 1987). Together, these establish a number of functions and services that NSW Trustee and Guardian as an agency is expected to deliver, including:

• acting as executor and administrator of deceased estates
• acting as a trustee responsible for managing trust property on behalf of another person or organisation in line with the trust terms
• drafting Will, Power of Attorney and Enduring Guardianship instruments, and educating the community about the importance of having these documents in place
• making decisions on behalf of people under guardianship or financial management orders as a guardian or a financial manager 'of last resort', or overseeing and assisting private financial managers.

This audit focuses on the last of these - NSW Trustee and Guardian's financial management and guardianship services.

The NSW Trustee and the Public Guardian are appointed to provide direct financial management and/or guardianship services (respectively) to over 13,300 people (as at 30 June 2022) who are deemed by a court or tribunal unable to manage their own affairs. This involves making decisions for people under a relevant court or tribunal order, within the terms of the order. The court or tribunal order enables the appointed guardian or financial manager to make decisions on behalf of the person for whom the order is made. The legislation allows the financial manager or guardian to exercise all the functions of the person under management has or would have were they not incapable of managing for themselves. From a legal perspective, these 'substitute decisions' have the same effect as if the person had made the decision themselves. While the legal presumption is that a person has capacity to care for themselves and manage their own affairs, a financial manager or guardian can be appointed without the person's consent if the court or tribunal finds the person does not have relevant decision-making capacity.

There can be a range of factors that impact on a person's decision-making capacity, including cognitive impairment, intellectual disability, dementia, mental illness and addiction. Guardianship (of both the person and their estate) developed as a response, through European and English law over hundreds of years. In Australia, it was a function of the Supreme Court of NSW before the establishment of government agencies. What is now known as substitute decision-making can sometimes be referred to as a 'protective' function because:

• it relates to decisions or actions that need to be taken, which the person under an order cannot take because they are incapable of managing their own affairs
• due to this lack of competence, the person may be disadvantaged in the conduct of their affairs (for example, their money or property may be dissipated or lost, they may enter agreements unwisely or they may be at risk of abuse or exploitation)
• substitute decisions must be made in the best interests of the person on whose behalf they are made.

An alternative model is 'supported decision-making'. This refers to processes and approaches that assist people with impaired decision-making capacity to exercise their autonomy and legal capacity by supporting them to make decisions. This approach seeks to give effect to the will and preferences of the person requiring decision-making support wherever possible, including decisions involving risk. There has been a longstanding legal and community push for Australian guardianship and administration systems to move from substituted to supported decision-making. However, the legislation in New South Wales provides for 'best interests' substitute decision-making and this is the framework against which we have audited NSW Trustee and Guardian.

The Public Guardian and the NSW Trustee may be appointed as substitute decision makers by the NSW Civil and Administrative Tribunal (NCAT) and the Supreme Court. The NSW Trustee may also be appointed by the Mental Health Review Tribunal for financial management orders only.¹ They are intended to be appointed as a 'last resort' when there is no one willing or suitable to fill the role, or there is significant family conflict regarding decision-making for the person. The Public Guardian and the NSW Trustee cannot refuse to accept a court or tribunal appointment to administer an order for guardianship or financial management.

Public Guardian decisions cover healthcare, lifestyle, accommodation and/or medical decisions such as where a person should live (for example: at home, in an aged care facility or disability group home), what disability or other support services they receive, who can have access to them (for example: through establishing visiting schedules between conflicting family members) and consent to the use of restrictive practices on the advice of independent experts (for example: seclusion, chemical restraint such as anti-psychotic medication, environmental restraints such as limiting access to knives).

Under a financial management order where the NSW Trustee is appointed as financial manager, the NSW Trustee carries out such functions as securing and collecting assets, income and entitlements, paying expenses, debts and designing budgets, investing financial assets, lodging tax returns and paying maintenance for dependents, taking or defending legal proceedings and managing other financial and legal affairs for the person. This is referred to as direct financial management.

A court or tribunal may appoint a private financial manager, such as a family member, friend, private trustee company or other commercial provider. Where a private manager is appointed, the NSW Trustee provides authorisation and directions to the private manager and oversees their performance. As at 30 June 2022, over 6,200 people had private managers.

As an agency, the majority of NSW Trustee and Guardian's overall revenue is from fees (including for services outside the scope of the audit, such as will preparation) and investments. The remainder is from the NSW Government as funding for non-commercial services including guardianship services and subsidised financial management services for low-wealth clients. Public guardian clients do not pay fees. Financial management clients pay fees, but these are subsidised where the client does not have capacity to pay full fees. NSW Trustee and Guardian is considered a self-funded agency by NSW Treasury definitions.

Demand for financial management and guardianship services, and the complexity of clients' circumstances for these services, has grown over the last decade. In November 2020, NSW Trustee and Guardian advised the Attorney General that it had run an operating deficit in 2019–20 driven by an increase in non/low fee paying customers and an increase in the complexity of matters. NSW Trustee and Guardian advised the Attorney General that government funding was no longer meeting the full cost of guardianship services, and of direct financial management services for people with low balances. NSW Trustee and Guardian's analysis had identified a shortfall in government funding of $8.4 million in 2019–20 that was expected to increase over the forward estimates. A working group was established with officers from NSW Trustee and Guardian, NSW Treasury and the Department of Communities and Justice to advise the government on options for improving the financial sustainability of NSW Trustee and Guardian overall.

NSW Trustee and Guardian subsequently received a funding boost of $41.5 million across four years in the 2021–22 State Budget. NSW Trustee and Guardian applied the majority of the budget enhancement to recruit approximately 120 new roles mostly in financial management and guardianship services.

The objective of this audit was to assess whether NSW Trustee and Guardian is effectively delivering guardianship and financial management services in line with legislative requirements and relevant non-legislative standards. These include a legislative duty to observe certain principles when exercising the relevant legislative functions, including to: give primary consideration to clients’ welfare and interests, restrict their freedom of decision and action as little as possible, take account of their views, and encourage their self-reliance.

The audit was guided by three questions:

• Does NSW Trustee and Guardian align its service delivery with its legislative functions and principles, and relevant standards?
• Does NSW Trustee and Guardian drive and monitor performance to give effect to its legislative functions and principles, and relevant standards?
• Has NSW Trustee and Guardian effectively planned the use of additional funding to improve service delivery and adherence to its legislative functions and principles, and relevant standards?

The audit review period was the five years between 1 July 2017 - 30 June 2022.

Throughout this report:

• 'client' refers to a person who is under a guardianship order and/or whose estate is under financial management, for whom the Public Guardian and/or the NSW Trustee is appointed to act or responsible to oversee their private financial manager
• 'financial management' refers to clients under financial management orders (direct and private financial management) and/or the services provided by NSW Trustee and Guardian to these clients or their private managers
• 'guardianship' refers to clients under guardianship orders where the Public Guardian is appointed, and/or the services provided by the Public Guardian to these clients
• 'frontline staff' refers to the staff responsible for engagement with, and decision-making for, clients and private managers (titled client service officers, senior client service officers and principal client service officers in NSW Trustee and Guardian)
• Aboriginal refers to the First Nations peoples of the land and waters now called Australia and includes Aboriginal and Torres Strait Islander peoples.

NSW Trustee and Guardian has only recently identified measures to track the performance of its financial management and guardianship services

Between 2021 and 2022, NSW Trustee and Guardian developed new divisional key performance indicators which aim to track the quality of services delivered to people under financial management and guardianship orders. These measures are reported quarterly to the organisation's executive leadership team. The divisions have started measuring some of these new performance indicators, but many will require changes to consumer engagement processes and IT legacy systems to collect additional data. At this stage it is unclear when these necessary changes will occur, and when relevant data will begin to be collected and analysed.

Before 2021, NSW Trustee and Guardian measured the performance of some of its financial management and guardianship operational processes. While these operational measures identify whether it is fulfilling some of its legislative functions, they are predominantly activity measures and do not inform on the quality of decision-making for direct financial management or guardianship clients, or on client experiences and outcomes.

Operational performance targets and measures have only recently been developed and used to centrally track the time elapsed between requests for certain decisions and the decisions made or relevant actions taken by relevant frontline staff. Baseline data for these measures show that target timeframes are not close to being met for minor medical decisions for people under guardianship orders, or for first customer payment, and redirection of income for people who are directly financially managed.

NSW Trustee and Guardian has proactively developed a benefits realisation framework to monitor the expected benefits from the additional funding received in 2021–22

NSW Trustee and Guardian has developed a benefits realisation framework to monitor the expected benefits from the additional funding (and other elements of the budget bid including increased fees and business improvements for efficiencies). This is not a requirement imposed by NSW Treasury, but a proactive step taken by NSW Trustee and Guardian to account for the use of the additional funding and to attempt to identify its impacts.

The benefits realisation framework includes interim and preferred measures, which reflect the things that can be tracked with existing data, and those that require new data collection, respectively. The measures are underpinned by separate program logics for direct and private financial management, and guardianship, and an overall investment logic. 'Logics' articulate the inputs, outputs and short/medium/long term outcomes expected from a project, program or investment, as well as the underpinning assumptions about how desired changes will occur (the 'mechanism' or 'theory' of change).

The targets and measures for NSW Trustee and Guardian's benefits realisation framework are the responsibility of the organisational divisions delivering guardianship and financial management services. The baseline data against which change will be measured is 30 June 2021, as the budget enhancement funds were allocated from 1 July 2021. The audit has been provided with baseline data, but not first year results (covering 2021–22) and as such, cannot assess whether any progress has been made towards the targets.

The benefits realisation framework may not provide the information needed to demonstrate the effectiveness of the budget enhancement

A lack of available data and limited measures in the benefits realisation framework may mean NSW Trustee and Guardian will not be able to meaningfully assess the impact of the additional funding.

The 22 measures in the benefits realisation framework across guardianship and financial management functions are predominantly monitoring activity and outputs which seek to track staff caseloads, the number of decisions made, the timeliness of key actions/tasks, and annual consumer engagements.

There is one service quality outcome measure: that customers, family and carers report an improved experience. The metrics for this measure will initially be monitored using the whole-of-government customer satisfaction measurement survey administered by the Department of Customer Service, until such time as other additional sources are developed. The whole-of-government survey is built around six core customer commitments relating to respondents' experiences with government services and staff - that they are: 'easy to access, act with empathy, respect my time, explain what to expect, resolve the situation and engage the community'. It is not clear whether or how the whole-of-government survey targets and engages people with impaired decision-making capacity or accessible communication needs.

Some measures in the NSW Trustee and Guardian benefits realisation framework do not yet have targets set, such as the ratio of the number of clients to the number of guardians or financial managers. Many relate to compliance with internal operational policies.

One interim measure for a direct financial management service indicator is 'increased personalised face-to-face consultations by phone or virtually'. It is intended to be replaced with the preferred measure 'ensure the client’s story is understood by staff and systems by consulting stakeholders and adding to the client’s story in the IT system'. However, the interim measure would better align with the national standards regarding regular and accessible engagement (discussed above).

A lack of availability of key data to track the preferred measures was identified by NSW Trustee and Guardian as an enterprise risk, and issues with existing data collected were identified early on, including that:

• data can be entered into systems inconsistently by staff
• current systems mask some issues – for example, a task can be completed within internal timeframes but not reflect the actual waiting time of consumers
• current systems cater to measuring outputs rather than service quality.

IT system improvements are slated in order to allow data to be collected to inform on preferred measures, but these depend on capital funding that has not yet been secured. At the time of writing, data sources were yet to be identified for three of the 22 measures, and NSW Trustee and Guardian did not have staff trained and available to run and analyse data for the benefits realisation framework.

The mechanisms of change and the underlying assumptions in the program and investment logics are also not clearly articulated in the benefits realisation framework, and nor is the underpinning evidence (such as from earlier reviews, research or pilots, or experiences elsewhere). Identifying and evidencing these would give some confidence that the assumptions are sound and that the mechanisms of change will operate as expected (for example, that a decline in frontline staff caseloads will translate into more time spent on individual matters, and improved service quality).

Given these limitations in measures, data collection and logics, there is a risk that the benefits realisation framework may not provide the performance and impact evidence necessary to assess the effectiveness of the budget enhancement, or to justify further additional funding in the future.

NSW Trustee and Guardian cannot track its financial management and guardianship service performance over time

NSW Trustee and Guardian's operational performance activity measures have changed over the audit review period, which limits NSW Trustee and Guardian’s ability to identify whether it has sustained or improved performance in its guardianship and financial management services over time.

NSW Trustee and Guardian has consistently tracked the number and themes of complaints about financial management and guardianship services, which do provide some insight into service quality and experiences. However, this is an incomplete measure as people under financial management and guardianship orders are a more vulnerable cohort than other NSW Trustee and Guardian customers and may require support to make a complaint. There is also a structural power imbalance between clients and their guardian or financial manager which may dissuade clients and their stakeholders from raising concerns. Therefore, it is not clear whether the numbers and themes in complaints received are representative of broader experiences.

Appendix one – Response

Appendix two – Client characteristics

Appendix three – Easy English, Easy Read and Plain English formats

Appendix four – Financial management fees

Appendix five – NSW Trustee and Guardian Common Funds

Appendix six – About the audit

Appendix seven – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #379 - released 18 May 2023

What the report is about

This audit assessed how effectively NSW government agencies procure and manage consultants. It examined the role of the NSW Procurement Board and NSW Procurement (a unit within NSW Treasury) in supporting and monitoring agency procurement and management of consultants.

The audit used four sources of data that contain information about spending on consultants by NSW government agencies, including annual report disclosures and the State's financial consolidation system (Prime). It also reviewed a sample of consulting engagements from ten NSW government agencies.

What we found

Our review of a selection of consulting engagements indicates that agencies do not procure and manage consultants effectively.

We found most agencies do not use consultants strategically and do not have systems for managing or evaluating consultant performance. We also found examples of non-compliance with procurement rules, including contract variations that exceeded procurement thresholds.

NSW Procurement has made improvements to the information available about spending on consultants, including additional analysis and reporting. However, there is no single data source that accurately captures spending on consultants.

Our analysis of data on whole-of-government spending on consultants, drawn from agency annual reports, indicates that four large professional services firms accounted for about a quarter of consultancy expenditure from 2017–18 to 2021–22. This concentration increases strategic risks, including over-reliance on a limited number of providers and potential reduction in the independence of advice.

It is also highly unlikely that NSW government agencies will meet the government's 2019 policy commitment to reduce consultancy expenses by 20% each year, over four years, from 2019–20. NSW Treasury advised that to implement this commitment, agency budgets were reduced in Prime in line with the savings targets. However, actual spending on consulting in NSW Treasury's Reports on State Finances 2020–21 and 2021–22 was almost $100 million higher than the savings targets over the first three years since 2019–20.

What we recommended

The report made seven recommendations which aim to improve:

• the quality and transparency of data on spending on consultants
• monitoring of strategic risks and agency compliance with procurement and recordkeeping rules
• agencies' strategic use of consultants, including evaluation and knowledge retention.

Between 2017–18 and 2021–22, NSW government agency annual reports disclosed total spending of around $1 billion on consultants across more than 10,000 engagements. More than 1,000 consulting firms provided services to NSW government agencies during this period. Consulting is a classification of professional services that is characterised by giving advice or recommendations on a specific issue. The NSW Procurement Board Direction PBD-2021-03 defines a consultant as a person or organisation that provides 'recommendations or professional advice to assist decision-making by management'. PBD-2021-03 notes that the advisory nature of the work of consultants is the main factor that distinguishes them from other providers of professional services.

The NSW Procurement Board is responsible for setting procurement policy, issuing directions to support policies, and monitoring and reporting on agency compliance with policies and directions. NSW Procurement, a division within NSW Treasury, supports agencies to comply with the NSW Procurement Board’s policies and directions. A 'devolved governance model' is used for procurement in New South Wales. This means the heads of government entities that are covered by the NSW Procurement Board’s directions are responsible for managing the entity's procurement, including managing risks, reporting and ensuring compliance, in line with procurement laws and policies.

This audit assessed how effectively NSW government agencies procure and manage consultants. It assessed the role of the NSW Procurement Board and NSW Procurement in supporting and monitoring agency procurement and management of consultants. It also reviewed a sample of consulting engagements from ten NSW government agencies to examine how agencies procured, managed and reported on their use of consultants. The ten NSW government agencies were:

• NSW Treasury
• Department of Communities and Justice
• Department of Customer Service
• Department of Education
• Department of Planning and Environment
• Department of Premier and Cabinet
• Department of Regional NSW
• Infrastructure NSW
• Sydney Metro
• Transport for NSW

There are four different sources of data that contain information about spending on consultants by NSW government agencies: the State's financial consolidation system (Prime), disclosures of spending on consultants in agency annual reports, and two systems operated by NSW Procurement (the Business Advisory Services (BAS) dashboard and Spend Cube). Each of these data sources serves a different purpose, and collects and categorises information differently. None of these provide a complete source of data on spending on consultants, either in their own right or collectively.

NSW Treasury considers Prime to be the 'source of truth' on consulting expenditure across the NSW public sector. An account within Prime records recurrent spending on consultants, but this account does not include capital expenditure (that is, spending on consultants that has from a financial reporting perspective been 'capitalised' to a project on the balance sheet). As the State's financial consolidation system, Prime captures all financial information. However, capitalised consulting expenditure is recorded within various capital accounts, and is not identifiable within these accounts. While this is appropriate for accounting purposes, it means that the Prime account that records recurrent consulting expenditure does not reflect total spending on consultants by NSW government agencies. We used the data in Prime to assess whether NSW government agencies met the NSW Government's policy commitment—stated before the 2019 election and costed by the Parliamentary Budget Office—to reduce recurrent expenditure on consulting by 20% each year, over four years, from 2019–20. We did this because, while the Prime account for recurrent consulting expenditure does not reflect all spending on consultants, it does capture the recurrent spending that was subject to the policy commitment.

Most NSW government agencies are required by legislation to disclose spending on consultants (as defined in PBD-2021-03) in their annual reports. These disclosures include both recurrent and capital expenditure. For consulting engagements that cost more than $50,000, the disclosures also provide itemised information, including the names of the individual projects and the consultants used. While this data is more complete than Prime because it includes capital expenditure, it also has some gaps. Some entities are excluded from public reporting requirements on consultant use. For example, NSW Local Health Districts (LHD) are not required to produce annual reports, and the Ministry of Health does not include LHD consulting expenditure in its annual report.¹ We used annual report disclosure data to report on total expenditure on consultants, and the concentration of suppliers of consulting services to NSW government agencies.

The BAS dashboard and Spend Cube are systems created by NSW Procurement to collect information about spending on suppliers of professional services. This includes consultants, but also includes other professional services providers. The systems were not designed for reporting on spending on consulting as defined in PBD-2021-03. However, we have used this data to assess specific aspects of NSW Procurement's monitoring of the use of consultants by NSW government agencies.

In 2018, we conducted an audit titled 'Procurement and reporting of consultancy services'. This assessed how 12 NSW government agencies complied with procurement requirements and how NSW Procurement supported the functions of the NSW Procurement Board. The 2018 audit found that none of the 12 agencies fully complied with NSW Procurement Board Directions on the use of consultants and that the NSW Procurement Board was not fully effective in overseeing and supporting agencies’ procurement of consultants. Specific findings from the 2018 audit included: 

• Agencies applied the definition of consultant inconsistently, which affected the accuracy of reporting on consultancy expenditure.
• There was inadequate guidance from NSW Procurement for agencies implementing the procurement framework, with a need for additional tools, automated processes, and other internal controls to improve compliance.
• NSW Procurement had insufficient data for effective oversight of procurement and did not publish any data on the procurement of consultancy services by NSW government agencies.

This chapter outlines our findings on the role of NSW Procurement in overseeing the use of consultants by NSW government agencies.

This chapter outlines our findings on the use of consultants by the ten NSW government agencies that were included in this audit.

Appendix one – Responses from auditees

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #378 - released 2 March 2023

What the report is about

This audit assessed the effectiveness of the NSW Rural Fire Service (RFS) and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression.

What we found

The RFS has focused its fleet development activity on modernising and improving the safety of its firefighting fleet, and on the purchase of new firefighting aircraft.

There is limited evidence that the RFS has undertaken strategic fleet planning or assessment of the capability of the firefighting fleet to respond to current bushfire events or emerging fire risks.

The RFS does not have an overarching strategy to guide its planning, procurement, or distribution of the firefighting fleet.

The RFS does not have effective oversight of fleet maintenance activity across the State, and is not ensuring the accuracy of District Service Agreements with local councils, where maintenance responsibilities are described.

What we recommended

1. Develop a fleet enhancement framework and strategy that is informed by an assessment of current fleet capability, and research into appropriate technologies to respond to emerging fire risks.
2. Develop performance measures to assess the performance and capabilities of the fleet in each RFS District by recording and publicly reporting on fire response times, fire response outcomes, and completions of fire hazard reduction works.
3. Report annually on fleet allocations to RFS Districts, and identify the ways in which fleet resources align with district-level fire risks.
4. Develop a strategy to ensure that local brigade volunteers are adequate in numbers and appropriately trained to operate fleet appliances in RFS Districts where they are required.
5. Establish a fleet maintenance framework to ensure regular update of District Service Agreements with local councils.
6. Review and improve processes for timely recording of fleet asset movements, locations, and maintenance status.

This audit assessed how effectively the NSW Rural Fire Service (the RFS) plans and manages the firefighting equipment needed to prevent, mitigate, and suppress bushfires. This audit also examined the role of local councils in managing bushfire equipment fleet assets. Local councils have vested legal ownership of the majority of the land-based firefighting fleet, including a range of legislated responsibilities to carry out fleet maintenance and repairs. The RFS has responsibilities to plan and purchase firefighting fleet assets, and ensure they are ready for use in response to fires and other emergencies.

This report describes the challenges in planning and managing the firefighting fleet, including a confusion of roles and responsibilities between the RFS and local councils in relation to managing certain land-based rural firefighting fleet – a point that has been made in our Local Government financial audits over several years. This role confusion is further demonstrated in the responses of the RFS and local councils to this audit report – included at Appendix one.

The lack of cohesion in roles and responsibilities for managing rural firefighting vehicles increases the risk that these firefighting assets are not properly maintained and managed, and introduces a risk that this could affect their readiness to be mobilised when needed.

While the audit findings and recommendations address some of the operational and organisational inefficiencies in relation to rural firefighting equipment management, they do not question the legislative arrangements that govern them. This is a matter for the NSW Government to consider in ensuring the fleet arrangements are fit for purpose, and are clearly understood by the relevant agencies.

The NSW Rural Fire Service (hereafter the RFS) is the lead combat agency for bushfires in New South Wales, and has the power to take charge of bushfire prevention and response operations anywhere in the State. The RFS has responsibilities to prevent, mitigate and suppress bushfires across 95% of the State, predominantly in the non-metropolitan areas of New South Wales. Fire and Rescue NSW is responsible for fire response activity in the cities and large townships that make up the remaining five per cent of the State.

The RFS bushfire fleet is an integral part of the agency's overall bushfire risk management. The RFS also uses this fleet to respond to other emergencies such as floods and storms, motor vehicle accidents, and structural fires. Fleet planning and management is one of a number of activities that is necessary for fire mitigation and suppression.

The Rural Fires Act 1997 (Rural Fires Act) imposes obligations on all landowners and land managers to prevent the occurrence of bushfires and reduce the risk of bushfires from spreading. Local councils have fire prevention responsibilities within their local government areas, principally to reduce fire hazards near council owned or managed assets, and minor roads.

The RFS is led by a Commissioner and is comprised of both paid employees and volunteer rural firefighters. Its functions are prescribed in the Rural Fires Act and related legislation such as the State Emergency Rescue Management Act 1989. The RFS functions are also described in Bush Fire Risk Management Plans, the State Emergency Management Plan, District Service Agreements, and RFS procedural documents. Some of the core responsibilities of the RFS include:

• preventing, mitigating, and suppressing fires across New South Wales
• recruiting and managing volunteer firefighters in rural fire brigades
• purchasing and allocating firefighting fleet assets to local councils
• establishing District Service Agreements with local councils to give the RFS permissions to use the fleet assets that are vested with local councils
• carrying out fleet maintenance and repairs when authorised to do so by local councils
• inspecting the firefighting fleet
• supporting land managers and private property owners with fire prevention activity.

In order to carry out its legislated firefighting functions, the RFS relies on land-based vehicles, marine craft, and aircraft. These different firefighting appliance types are referred to in this report as the firefighting fleet or fleet assets.

RFS records show that in 2021 there were 6,345 firefighting fleet assets across NSW. Most of the land-based appliances commonly associated with firefighting, such as water pumpers and water tankers, are purchased by the RFS and vested with local councils under the Rural Fires Act. The vesting of firefighting assets with local councils means that the assets are legally owned by the council for which the asset has been purchased. The RFS is able to use the firefighting assets through District Service Agreements with local councils or groups of councils.

In addition to the land-based firefighting fleet, the RFS owns a fleet of aircraft with capabilities for fire mitigation, suppression, and reconnaissance during fire events. The RFS hires a fleet of different appliances to assist with fire prevention and hazard reduction works. These include aircraft for firefighting and fire reconnaissance, and heavy plant equipment such as graders and bulldozers for hazard reduction. Hazard reduction works include the clearance of bush and grasslands around major roads and protected assets, and the creation and maintenance of fire trails and fire corridors to assist with fire response activity.

The RFS is organised into 44 RFS Districts and seven Area Commands. The RFS relies on volunteer firefighters to assist in carrying out most of its firefighting functions. These functions may include the operation of the fleet during fire response activities and training exercises, and the routine inspection of the fleet to ensure it is maintained according to fleet service standards. Volunteer fleet inspections are supervised by the RFS Fire Control Officer.

In 2021 there were approximately 73,000 volunteers located in 1,993 rural fire brigades across the State, making the RFS the largest volunteer fire emergency service in Australia. In addition to brigade volunteers, the RFS has approximately 1,100 salaried staff who occupy leadership and administrative roles at RFS headquarters and in the 44 RFS Districts.

Local councils have legislative responsibilities relating to bushfire planning and management. Some of the core responsibilities of local councils include:

• establishing and equipping rural fire brigades
• contributing to the Rural Fire Fighting Fund
• vested ownership of land-based rural firefighting equipment
• carrying out firefighting fleet maintenance and repairs
• conducting bushfire prevention and hazard reduction activity.

The objective of this audit was to assess the effectiveness of the RFS and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression. From the period of 2017 to 2022 inclusive, we addressed the audit objective by examining whether the NSW RFS and local councils effectively:

• plan for current and future bushfire fleet requirements
• manage and maintain the fleet required to prevent, mitigate, and suppress bushfires in NSW.

This audit did not assess:

• the operational effectiveness of the RFS bushfire response
• the effectiveness of personal protective equipment and clothing
• the process of vesting of rural firefighting equipment with local councils
• activities of any other statutory authorities responsible for managing bushfires in NSW.

As the lead combat agency for the bushfire response in NSW, the RFS has primary responsibility for bushfire prevention, mitigation, and suppression.

Three local councils were selected as case studies for this audit, Hawkesbury City Council, Wagga Wagga City Council and Uralla Shire Council. These case studies highlight the ways in which the RFS and local councils collaborate and communicate in rural fire districts.

The RFS has not made significant changes to the size or composition of the firefighting fleet in the past five years and does not have an overarching strategy to drive fleet development

Since 2017, the RFS has made minimal changes to its firefighting fleet volumes or vehicle types. The RFS is taking a fleet renewal approach to fleet planning, with a focus on refurbishing and replacing ageing firefighting assets with newer appliances and vehicles of the same classification and type. While the RFS has adopted a fleet renewal approach, driven by its Appliance Replacement Program Guide, it does not have a strategy or framework to guide its future-focused fleet development. There is no document that identifies and analyses bushfire events and risks in NSW, and matches fleet resources and fleet technologies to meet those risks. The RFS does not have fleet performance measures or targets to assess whether the size and composition of the fleet is meeting current or emerging bushfire climate hazards, or fuel load risks across its 44 NSW Fire Districts.

The RFS fleet currently comprises approximately 4,000 frontline, operational firefighting assets such as tankers, pumpers, and air and marine craft, and approximately 2,300 logistical vehicles, such as personnel transport vehicles and specialist support vehicles. Of the land-based firefighting vehicles, the RFS has maintained a steady number of approximately 3,800 tankers and 65 pumpers, year on year, for the past five years. This appliance type is an essential component of the RFS land-based, firefighting fleet with capabilities to suppress and extinguish fires.

Since 2017, most RFS fleet enhancement activity has been directed to upgrades and the modernisation of older fleet assets with new safety features. There is limited evidence of research into new fleet technologies for modern firefighting. The RFS fleet volumes and fleet types have remained relatively static since 2017, with the exception of the aerial firefighting fleet. Since 2017, the RFS has planned for, and purchased, six additional aircraft to add to the existing three aircraft in its permanent fleet.

While the RFS has made minimal changes to its fleet since 2017, in 2016 it reduced the overall number of smaller transport vehicles, by purchasing larger vehicles with increased capacity for personnel transport. The consolidation of logistical and transport vehicles accounts for an attrition in fleet numbers from 7,058 in 2016, to 6,315 in 2017 as shown in Exhibit 2.

The firefighting fleet management system is not always updated in a timely manner due to insufficient RFS personnel with permissions to make changes in the system

The RFS uses a fleet management system known as SAP EAM to record the location and status of firefighting fleet assets. The system holds information about the condition of the firefighting fleet, the home location of each fleet asset, and the maintenance, servicing, and inspection records of all assets. The RFS uses the system for almost all functions related to the firefighting fleet, including the location of vehicles so that they can be dispatched during operational exercises or fire responses.

Staff at RFS Headquarters are responsible for creating and maintaining asset records in the fleet management system. RFS District staff have limited permissions in relation to SAP EAM. They are able to raise work orders for repairs and maintenance, upload evidence to show that work has been done, and close actions in the system.

RFS District staff are not able to enter or update some fleet information in the system, such as the location of vehicles. When an RFS District receives a fleet appliance, it cannot be allocated to a brigade until the location of the asset is accurately recorded in the system. The location of the asset must be updated in the SAP EAM system by staff at RFS Headquarters. District staff can request system support from staff at RFS Headquarters to enter this information. At the time of writing, the position responsible for updating the fleet management system at RFS Headquarters was vacant, and RFS District personnel reported significant wait times in response to their service requests.

The RFS conducts annual audits of SAP EAM system information to ensure data is accurate and complete. RFS staff are currently doing data cleansing work to ensure that fleet allocations are recorded correctly in the system.

Communication between brigades, local councils and the RFS needs improvement to ensure that fleet information is promptly updated in the fleet management system

RFS brigade volunteers do not have access to the fleet management system. When fleet assets are used or moved, volunteers report information about the location and condition of the fleet to RFS District staff using a paper-based form, or by email or phone. Information such as vehicle mileage, engine hours, and defects are all captured by volunteers in a logbook which is scanned and sent to RFS District staff. RFS District staff then enter the relevant information into the fleet management system, or raise a service ticket with RFS Headquarters to enter the information.

Brigade volunteers move fleet assets for a range of reasons, including for fire practice exercises. If volunteers are unable to report the movement of assets to RFS District staff in a timely manner, this can lead to system inaccuracies. Lapses and backlogs in record keeping can occur when RFS staff at district offices or at Headquarters are not available to update records at the times that volunteers report information. A lack of accurate record keeping can potentially impact on RFS operational activities, including fire response activity.

Brigade volunteers notify RFS District staff when fleet appliances are defective, or if they have not been repaired properly. District staff then enter the information into the fleet management system. The inability of volunteers to enter information into the system means they have no visibility over their requests, including whether they have been approved, actioned, or rejected.

Local councils are responsible for servicing and maintaining the firefighting fleet according to the Rural Fires Act, but this responsibility can be transferred to the RFS through arrangements described in local service agreements. Council staff record all fleet servicing and maintenance information in their local systems. The types of fleet information that is captured in local council records can vary between councils. RFS staff described the level of council reporting, and the effectiveness of this process, as 'mixed'.

Councils use different databases and systems to record fleet assets, and some councils are better resourced for this activity than others

Firefighting fleet information is recorded in different asset management systems across NSW. Each council uses its own asset management system to record details about the vested fleet assets. All three councils that were interviewed for this audit had different systems to record information about the fleet. In addition, the type of information captured by the three councils was varied.

Local councils have varying levels of resources and capabilities to manage the administrative tasks associated with the firefighting fleet. Some of the factors that impact on the ability of councils to manage administrative tasks include: the size of the council; the capabilities of the information management systems, the size of the staff team, and the levels of staff training in asset management.

Uralla Shire Council is a small rural council in northern NSW. This council uses financial software to record information about the firefighting fleet. While staff record information about the condition of the asset, its replacement value, and its depreciation, staff do not record the age of the asset, or its location. Staff manually enter fleet maintenance information into their systems. Uralla Shire Council would like to purchase asset maintenance software that generates work orders for fleet repairs and maintenance. However, the council does not have trained staff in the use of asset management software, and the small size of the fleet may not make it financially worthwhile.

The Hawkesbury City Council uses a single system to capture financial and asset information associated with the firefighting fleet. Hawkesbury is a large metropolitan council located north-west of Sydney, with a relatively large staff team in comparison with Uralla Shire Council. The Hawkesbury City Council has given RFS District staff access to their fleet information system. RFS District staff can directly raise work orders for fleet repairs and maintenance through the council system, and receive automated notifications when the work is complete.

Two of the three audited councils report that they conduct annual reviews of fleet assets to assess whether the information they hold is accurate and up-to-date.

More than half of the fleet maintenance service agreements between the RFS and local councils have not been reviewed in ten years, and some do not reflect local practices

Local councils have a legislated responsibility to service, repair, and maintain the firefighting fleet to service standards set by the RFS. Councils may transfer this responsibility to the RFS through District Service Agreements. The RFS Districts are responsible for ensuring that the service agreements are current and effective.

The RFS does not have monitoring and quality control processes to ensure that service agreements with local councils are reviewed regularly. The RFS has 73 service agreements with local councils or groups of councils. Sixty-three per cent of service agreements had not been reviewed in the last ten years. Only four service agreements specify an end date and, of those, one agreement expired in 2010 and had not been reviewed at the time of this audit.

The RFS does not have a framework to ensure that service agreements with local councils reflect actual practices. Of the three councils selected for audit, one agreement does not describe the actual arrangements for fleet maintenance practices in RFS Districts. The service agreement with Hawkesbury City Council specifies that the RFS will maintain the firefighting fleet on behalf of council when, in fact, council maintains the firefighting fleet. The current agreement commenced in 2012, and at the time of writing had not been updated to reflect local maintenance practices.

When District Service Agreements are not reviewed periodically, there is a risk that neither local councils nor the RFS have clear oversight of the status of fleet servicing, maintenance, and repairs.

RFS District Service Agreements set out a requirement that RFS and local councils establish a liaison committee. Liaison committees typically include council staff, RFS District staff, and RFS brigade volunteers. While service agreements state that liaison committees must meet periodically to monitor and review the performance of the service agreement, committee members determine when and how often the committee meets.

RFS District staff and staff at the three audited councils are not meeting routinely to review or update their service agreements. At Wagga Wagga City Council, staff meet with RFS District staff each year to report on activity to fulfil service agreement requirements. Uralla Shire Council staff did not meet routinely with RFS District staff before 2021. When liaison committees do not meet regularly, there is a risk that the RFS and local councils have incorrect or outdated information about the location, status, or condition of the firefighting fleet. Given that councils lack systems to track and monitor fleet locations, regular communication between the RFS and local councils is essential.

The RFS has not established processes to ensure that local councils and RFS District personnel meet and exchange information about the fleet. Of the three councils selected for this audit, one council had not received information about the number, type, or status of the fleet for at least five years, and did not receive an updated list of appliances until there was a change in RFS District personnel. This has impacted on the accuracy of council record keeping. Councils do not always receive notification about new assets or information about the location of assets from the RFS, and therefore cannot reflect this information in their accounting and reporting.

RFS area commands audit system records to ensure fleet inspections occur as planned, but central systems are not always updated, creating operational risks

RFS District staff are required by the Rural Fires Act to ensure the firefighting fleet is inspected at least once a year. Regular inspections of the fleet are vital to ensure that vehicles are fit-for-purpose and safe for brigade volunteers. Inspections are also fundamental to the operational readiness and capability of RFS to respond to fire incidents.

RFS Area Command personnel conduct audits of fleet maintenance data to ensure that fleet inspections are occurring as planned. These inspections provide the RFS with assurance that the fleet is being maintained and serviced by local council workshops, or third-party maintenance contractors.

Some RFS Districts run their own fleet management systems outside of the central management system. They do this to manage their fleet inspection activity effectively. Annual fleet inspection dates are programmed by staff at RFS Headquarters. Most of the inspection dates generated by RFS Headquarters are clustered together and RFS Districts need to separate inspection times to manage workloads over the year. Spreading inspection dates is necessary to avoid exceeding the capacity of local council workshops or third party contractors, and to ensure that fleet are available during the bushfire season.

The fleet inspection records at RFS Headquarters are not always updated in a timely manner to reflect actual inspection and service dates of vehicles. District staff are not able to change fleet inspection and service dates in the central management system because they do not have the necessary permissions to access the system. The usual practice is for RFS District staff to notify staff at RFS Headquarters, and ask them to retrospectively update the system. As there is a lag in updating the central database, at a point in time, the actual inspection and service dates of vehicles can be different to the dates entered in the central fleet management system.

Fleet inspection and maintenance records must be accurately recorded in the central RFS management system for operational reasons. RFS Headquarters personnel need to know the location and maintenance status of fleet vehicles at all times in order to dispatch vehicles to incidents and fires. The RFS fleet management system is integrated with a new Computer Aided Dispatch System. The Computer Aided Dispatch System assigns the nearest and most appropriate vehicles to fire incidents. The system relies on accurate fleet locations and fleet condition information in order to dispatch these vehicles.

There is a risk that RFS Headquarters' systems do not contain accurate information about the location and status of vehicles. Some may be in workshops for servicing and repair, while the system may record them as available for dispatch. As there are many thousands of fleet vehicles, all requiring an annual service and inspection, a lack of accurate record keeping has wide implications for State fire operations.

RFS is currently exploring ways to improve the ways in which fleet inspections are programmed into the fleet management system.

RFS provides funds to councils to assist with maintaining the firefighting fleet, but does not receive fleet maintenance cost information from all local councils

Each year the RFS provides local councils with a lump sum to assist with the cost of repairing and maintaining the firefighting fleet. This lump sum funding is also used for meeting the costs of maintaining brigade stations, utilities, and other miscellaneous matters associated with RFS business.

In 2020–21, the RFS provided NSW local councils with approximately $23 million for maintenance and repairs of appliances, buildings, and utilities. Ninety councils were provided with lump sum funding in 2021, receiving on average $257,000. The amounts received by individual councils ranged from $56,200 to $1,029,884.

Some councils provide itemised repairs and maintenance reports to RFS District staff, showing the work completed and the cost of that work. However, not all councils collect this information or provide it to the RFS. Local councils collect fleet maintenance information in their local council systems. In some cases, the responsibility for fleet maintenance is shared across a group of councils, and not all councils have oversight of this process.

The RFS has not taken steps to require local councils to provide itemised maintenance costings for the firefighting fleet. Thus, the RFS does not have a clear understanding of how local councils are spending their annual fleet maintenance funding allocations. The RFS does not know if the funding allocations are keeping pace with the actual cost of repairing and maintaining the fleet.

RFS District staff report that funding shortfalls are impacting on the prioritisation of fleet servicing and maintenance works in some council areas. When fleet servicing and maintenance is not completed routinely or effectively, there is a risk that it can negatively impact the overall condition and lifespan of the vehicle. Poor processes in relation to fleet maintenance and repair risk impacting on the operational capabilities of the fleet during fire events.

The timeliness and effectiveness of fleet servicing and maintenance is affected by resource levels in RFS Districts and local councils

Local councils have a legislated responsibility to service and maintain the firefighting fleet to the service standards set by the RFS. Fleet maintenance is usually done by the entity with the appropriate workshops and resources, and the maintenance arrangements are described in District Service Agreements. RFS District staff conduct annual inspections to ensure that the firefighting fleet has been serviced and maintained appropriately, and is safe for use by brigade volunteers. If the fleet has not been maintained to RFS service standards or timelines, RFS District staff may work with local councils to support or remediate these works.

The effectiveness of this quality control activity is dependent on relationships and communication between the RFS Districts and local councils. While some RFS staff reported having positive relationships with local councils, others said they struggled to get fleet maintenance work done in a timely manner. Some councils reported that funding shortfalls for fleet maintenance activity was impacting on the prioritisation of RFS fleet maintenance works. When fleet maintenance work is not completed routinely or effectively, it can negatively impact on the overall condition and lifespan of the vehicle. It can also reduce the capacity of the RFS to respond to fire events.

Fleet quality control activities are carried out by RFS District staff. In some of the smaller RFS Districts, one person is responsible for liaising with local councils and brigade volunteers about fleet maintenance and repairs. In the regions where resources are limited, there is less ability to maintain ongoing communication. This is impacting on fleet service and maintenance timelines and the timeliness of fleet monitoring activity.

The RFS has mutual support arrangements with agencies in NSW and interstate, though shared fleet levels are yet to be quantified

The RFS has arrangements with state, federal, and international fire authorities to provide mutual support during fire incidents. In NSW, the RFS has agreements with the three statutory authorities – Fire and Rescue NSW, the Forestry Corporation of NSW, and the NSW National Parks and Wildlife Service. The agreement with Fire and Rescue NSW provides a framework for cooperation and joint operations between the agencies. The agreements with the Forestry Corporation of NSW and the NSW National Parks and Wildlife Service describe the control and coordination arrangements for bush and grass fires across NSW. These arrangements are set out in legislation and incorporated into local Bush Fire Risk Management Plans.

The RFS has agreements with fire authorities in three of the four Australian states and territories that share a border with NSW – the Australian Capital Territory, Queensland, and South Australia. Each agreement sets out the arrangements for mutual assistance and joint operations, including arrangements for sharing aircraft. The agreement between the RFS and Victoria had lapsed. The RFS told the NSW Bushfire Inquiry that the agreement with Victoria would be finalised by June 2020. In June 2022, the RFS reported that the agreement was in the process of being finalised.

The arrangements for mutual aid from Western Australia, Northern Territory and Tasmania, are managed by the National Resource Sharing Centre. These agreements set out the arrangements for interstate assistance between Australian fire services, emergency services, and land management agencies in those states and territories.

These mutual support arrangements may assist during state-based fire events. However, when there are competing demands for resources, such as during the bushfires of 2019–2020, there can be limits on fleet availability. During the 2019–2020 fires, resources were stretched in all jurisdictions as these fires affected NSW, Victoria, and Queensland.

There are opportunities for the RFS and other NSW agencies to quantify fleet resources across the State and identify assets that can be mobilised for different fire activities. This form of fleet planning may be used to enhance surge capabilities during times of high fire activity. There are also opportunities for the RFS and other agencies to match the levels of shared assets to projected bushfire risks.

Appendix one – Responses from agencies 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #376 - released 27 February 2023

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

• Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
• Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

• lead
• prepare
• prevent
• detect 
• respond 
• recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

• increase NSW Government cyber resiliency
• help NSW cyber security businesses grow
• enhance cyber security skills and workforce 
• support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

• annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
• that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

• may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
• will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

• there was a sound, evidence-based rationale for why Cyber Security NSW was established
• the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
•  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #374 - released 8 February 2023

What the report is about

This audit assessed nine agencies’ compliance with the NSW Cyber Security Policy (CSP) including whether, during the year to 30 June 2020, the participating agencies:

• met their reporting obligations under the CSP
• reported accurate self-assessments of their level of maturity implementing the CSP’s requirements including the Australian Cyber Security Centre’s (ACSC) Essential 8.

What we found

Key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. The CSP is not achieving the objectives of improved cyber governance, controls and culture because:

• the CSP does not specify a minimum level for agencies to achieve in implementing the 'mandatory requirements' or the Essential 8
• the CSP does not require agencies to report their target levels, nor does it require risk acceptance decisions to be documented or formally endorsed
• each participating agency had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis
• none of the participating agencies had implemented all of the Essential 8 controls
• agencies tended to over-assess their cyber security maturity - all nine participating agencies were unable to support all of their self-assessments with evidence
• there is no monitoring of the adequacy or accuracy of agencies' self-assessments.

What we recommended

In this report, we repeat recommendations made in the 2019 and 2020 Central Agencies reports, that Cyber Security NSW and NSW Government agencies need to prioritise improvements to cyber security resilience as a matter of urgency.

Cyber Security NSW should:

• monitor and report compliance with the CSP
• require agencies to report the target and achieved levels of maturity
• require agencies to justify why it is appropriate to target a low level of maturity
• require the agency head to formally accept the residual risk
• challenge agencies' target maturity levels.

Agencies should resolve discrepancies between their reported level of maturity and the level they are able to support with evidence.

Separately, the agencies we audited requested that we not disclose our audit findings. We reluctantly agreed to anonymise our findings, even though they are more than 12 months old. We are of the view that transparency and accountability to the Parliament of New South Wales are part of the solution, not the problem.

The poor levels of agency cyber security maturity are a significant concern. Improvement requires leadership and resourcing.

This report assesses whether state government agencies are complying with the NSW Cyber Security Policy. The audit was based on the level of compliance reported at 30 June 2020.

Our audit identified non-compliance and significant weaknesses against the government’s policy.

Audited agencies have requested that we not report the findings of this audit to the Parliament of New South Wales, even though the findings are more than 12 months old, believing that the audit report would expose their weaknesses to threat actors.

I have reluctantly agreed to modify my report to anonymise agencies and their specific failings because the vulnerabilities identified have not yet been remedied. Time, leadership and prioritised action should have been sufficient for agencies to improve their cyber safeguards. I am of the view that transparency and accountability to the Parliament is part of the solution, not the problem.

The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

Cyber security is increasingly a focus of governments around Australia. The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency for cyber security and is part of the Australian Signals Directorate, a statutory authority within the Australian Government’s Defence portfolio. The ACSC has advised that government agencies at all levels, as well as individuals and other organisations were increasingly targeted over the 2021 financial year¹. The ACSC received over 67,500 cybercrime reports, a 13 per cent increase on the previous year. This equates to one reported cyber attack every eight minutes. They also noted that attacks by cyber criminals and state actors are becoming increasingly sophisticated and complex and that the attacks are increasingly likely to be categorised as ‘substantial’ in impact.

High profile attacks in Australia and overseas have included a sustained malware campaign targeted at the health sector², a phishing campaign deploying emotet malware, spear phishing campaigns targeting people with administrator or other high-level access, and denial of service attacks. The continuing trend towards digital delivery of government services has increased the vulnerability of organisations to cyber threats.

The COVID-19 pandemic has increased these risks. It has increased Australian dependence on the internet – to work remotely, to access services and information, and to communicate and continue our daily lives. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and other private networks, and assets the organisation does not manage. This has increased the cyber risks for NSW Government agencies.

In March 2020, Service NSW suffered two cyber security incidents in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these cyber breaches resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information contained in these email accounts. These attacks were the subject of the Auditor-General's report on Service NSW's handling of personal information tabled on 18 December 2020.

This audit also follows two significant performance audits. Managing cyber risks, tabled on 13 July 2021 found Transport for NSW and Sydney Trains were not effectively managing their cyber security risks. Integrity of data in the Births, Deaths and Marriages Register, tabled 7 April 2020 found that although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls.

The NSW Cyber Security Policy (CSP) was issued by Cyber Security NSW, a business unit within the Department of Customer Service, and took effect from 1 February 2019. It applies to all NSW Government departments and public service agencies, including statutory authorities. Of the 104 agencies in the NSW public sector that self-assessed their maturity implementing the mandatory requirements, only five assessed their maturity at level three or above (on the five point maturity scale). This means that, according to their own self-assessments, 99 agencies practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or they did not practice the requirement at all. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority.

This audit looks specifically at the compliance of nine key agencies with the CSP. It looks at their achievement implementing the requirements of the policy, the accuracy of their self-assessments and the attestations they made as to their compliance with the CSP.

The CSP outlines the mandatory requirements to which all NSW Government departments and public service agencies must adhere. It seeks to ensure cyber security risks to agencies’ information and systems are appropriately managed. The key areas of responsibility for agencies are:

• Lead - Agencies must implement cyber security planning and governance and report against the requirements outlined in the CSP and other cyber security measures.
• Prepare - Agencies must build and support a cyber security culture across their agency and NSW Government more broadly.
• Prevent - Agencies must manage cyber security risks to safeguard and secure their information and systems.
• Detect/Respond/Recover - Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately.
• Report - Agencies must report against the requirements outlined in the CSP and other cyber security measures.

DCS has only recommended, but not mandated the CSP for state owned corporations, local councils and universities.

NSW Government agencies must include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year stating whether, for the preceding financial year, the agency has:

• assessed its cyber security risks
• appropriately addressed cyber security at agency governance forums
• a cyber incident response plan that is integrated with the security components of business continuity arrangements, and the response plan has been tested during the previous 12 months (involving senior business executives)
• certified the agency’s Information Security Management System (ISMS) or confirmed the agency’s Cyber Security Framework (CSF)
• a plan to continuously improve the management of cyber security governance and resilience.

The purpose of the attestation is to focus the agency's attention on its cyber risks and the mitigation of those risks.

Agencies assess their level of compliance in accordance with a maturity model. The CSP does not mandate a minimum maturity threshold for any requirement, including implementation of the Australian Cyber Security Centre's (ACSC) Essential 8 Strategies to Mitigate Cyber Security Incidents (Essential 8).

Agencies are required to set a target maturity level based on their risk appetite for each requirement, seek continual improvement in their maturity, and annually assess their maturity on an ascending scale of one to five for all requirements (refer to Appendix two for the maturity model). Each control within the Essential 8 is assessed on an ascending scale of zero to three reflecting the agency's level of alignment with the strategy (refer to Appendix three for the maturity model).

Scope of this audit

We assessed whether agencies had provided accurate reporting on their level of maturity implementing the requirements of the CSP in a documented way and covering all their systems.

The scope of this audit covered nine agencies (the participating agencies). These agencies were selected because they are the lead agency in their cluster, or have a significant digital presence within their respective cluster. The list of participating agencies is in section 1.2. The audit aimed to determine whether, during the year to 30th June 2020, the participating agencies:

• met their reporting obligations under the CSP
• provided accurate reporting in self-assessments against the CSP’s mandatory requirements, including their implementation of the Australian Cyber Security Centre’s (ACSC) Essential 8
• achieved implementation of mandatory requirements at maturity levels which meet or exceed the ‘level three - defined’ threshold (i.e. are documented and practiced on a regular and consistent basis).

While the audit does assess the accuracy of agency self-assessed ratings, the audit did not assess the appropriateness of the maturity ratings.

1. Key findings

The CSP allows agencies to determine their own level of maturity to implement the 'mandatory requirements', which can include not practicing a policy requirement or implementing a policy requirement on an ad hoc basis. These determinations do not need to be justified

Agencies can decide not to implement requirements of the CSP, or they can decide to implement them only in an informal or ad-hoc manner. The CSP allows agencies to determine their desired level of maturity in implementing the requirements on a scale of one to five - level one being 'initial – not practiced' and level five being 'optimised'. The desired level of maturity is determined by the agency based on their own assessment of the risk of the services they provide and the information they hold.

The reporting template for the 2019 version of the CSP stated that level three maturity - where a policy requirement is practiced on a regular and consistent basis and its processes are documented - was required for compliance with the CSP. This requirement was removed in the 2020 revision of the reporting template.

This CSP does not require the decisions on risk tolerance, or the timeframes agencies have set to implement requirements to be documented or formally endorsed by the agency head. There is no requirement to report these decisions to Cyber Security NSW.

Some comparable jurisdictions require formal risk acceptance decisions where requirements are not implemented. The NSW CSP does not have a similar formal requirement

Some jurisdictions, with a similar policy framework to NSW, require agencies to demonstrate reasons for not implementing requirements, and require agency heads to formally acknowledge the residual risk. The NSW CSP does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk by the agency head or Cyber Security NSW. The NSW CSP does not require that the records of how agencies considered and decided which measures to adopt to be documented and auditable, limiting transparency and accountability of decisions made.

All of the participating agencies had implemented one or more of the mandatory requirements in an ad hoc or inconsistent basis

All of the participating agencies had implemented one or more of the mandatory requirements at level one or two. Maturity below level three typically means not all elements of the requirement have been implemented, or the requirements have been implemented on an ad-hoc or inconsistent basis.

None of the participating agencies has implemented all of the Essential 8 controls at level one – that is, only partly aligned with the intent of the mitigation strategy

Eight of the nine agencies we audited had not implemented any of the Essential 8 strategies to level three – that is, fully aligned with the intent of the mitigation strategy. At the time of this audit the ACSC advised that:

as a baseline organisations should aim to reach to reach Maturity Level Three for each mitigation strategy³.

The Australian Signals Directorate⁴ currently advises that, with respect to the Essential 8:

[even] level three maturity will not stop adversaries willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual

All agencies failed to reach even level one maturity for at least three of the Essential 8.

Cyber Security NSW modified the ACSC model for implementation of the Essential 8

The NSW maturity model used for the Essential 8 does not fully align with the ACSC’s model. At the time of this audit the major difference was the inclusion of level zero in the NSW CSP maturity scale. Level zero broadly means that the relevant cyber mitigation strategy is not implemented or is not applied consistently. Level zero had been removed by the ACSC in February 2019 and was not part of the framework at the time of this audit. It was re-introduced in July 2021 when the ACSC revised the detailed criteria for each element of the essential 8 maturity model. The indicators to reach level one on the new ACSC model are more detailed, specific and rigorous than those currently prescribed for NSW Government agencies. Cyber Security NSW asserted the level zero on the CSP maturity scale:

is not identical to the level zero of the ACSC’s previous Essential 8 maturity model, but is a NSW-specific inclusion designed to prevent agencies incorrectly assessing as level one when they have not achieved that level.

Attestations did not accurately reflect whether agencies implemented the requirements

Of the nine participating agencies, seven did not modify the proforma wording in their attestation to reflect their actual situation. Despite known gaps in their implementation of mandatory requirements, these agencies stated that they had 'managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy'. Only two agencies modified the wording of the attestation to reflect their actual situation.

Attestations should be accurate so that agencies’ and the government’s response to the risk of cyber attack is properly informed by an understanding of the gaps in agency implementation of the policy requirements and the Essential 8. Without accurate information about these gaps, subsequent decisions as to prioritisation of effort and deployment of resources are unlikely to effectively mitigate the risks faced by NSW Government agencies.

Participating agencies were not able to support all of their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk management approaches

Seven of the nine participating agencies reported levels of maturity against both the mandatory requirements and the Essential 8 that were not supported by evidence.

Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential 8 controls.

Where agency staff over-assess the current state of their cyber resilience, it can undermine the effectiveness of subsequent decision making by Agency Heads and those charged with governance. It means that actions taken in mitigating cyber risks are less likely to be appropriate and that gaps in implementing cyber security measures will remain, exposing them to cyber attack.

Agencies' self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential 8 controls

We reviewed the data 104 NSW agencies provided to Cyber Security NSW. The 104 agencies includes nine audited agencies referred to in more detail in this report. Our review of the 104 agency self-assessment returns submitted to Cyber Security NSW highlighted that, consistent with previous years, there remains reported poor levels of cyber security maturity. We reported the previous years’ self-assessments in the Central Agencies 2019 Report to Parliament and the Central Agencies 2020 Report to Parliament.

Only five out of the 104 agencies self-assessed that they had implemented all of the mandatory requirements at level three or above (against the five point scale). Fourteen agencies self-assessed that they had implemented each of the Essential 8 controls at level one maturity or higher (using Cyber NSW’s four point scale). The remainder reported at level zero for implementation of one or more of the Essential 8 controls, meaning that for the majority of agencies the cyber mitigation strategy has not been implemented, or is applied inconsistently.

Where agencies had reported in both 2019 and 2020, agencies’ self-assessments showed little improvement over the previous year’s self-assessments:

• 14 agencies reported improvement across both the Essential 8 and the mandatory requirements
• 8 agencies reported a net decline in both the Essential 8 and the mandatory requirements.

The poor levels of maturity in implementing the Essential 8 over the last couple of years is an area of significant concern that requires better leadership and resourcing to prioritise the required significant improvement in agency cyber security measures.

2. Recommendations

Cyber Security NSW should:

1. monitor and report compliance with the CSP by:

• obtaining objective assurance over the accuracy of self-assessments
• requiring agencies to resolve inaccurate or anomalous self-assessments where these are apparent

2. require agencies to report:

• the target level of maturity for each mandatory requirement they have determined appropriate for their agency
• the agency head's acceptance of the residual risk where the target levels are low

3. identify and challenge discrepancies between agencies' target maturity levels and the risks of the information they hold and services they provide

4. more closely align their policy with the most current version of the ACSC model.

Participating agencies should:

5. resolve the discrepancies between their reported level of maturity and the level they are able to demonstrate with evidence, and:

• compile and retain in accessible form the artefacts that demonstrate the basis of their self-assessments
• refer to the CSP guidance when determining their current level of maturity
• ensure the attestations they make refer to departures from the CSP
• have processes whereby the agency head and those charged with governance formally accept the residual cyber risks.

Repeat recommendation from the 2019 Central Agencies report and the 2020 Central Agencies report

6. Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security and resilience as a matter of urgency.

The objective of the CSP is to ensure cyber security risks are appropriately managed. However, meeting this objective depends on the requirements being implemented at all agencies to a level of maturity that addresses their specific cyber security risks. Agency systems and data are increasingly interconnected. If an agency does not implement the requirements, or implements them only in an ad-hoc or informal way, an agency is more susceptible to their systems and data being compromised, which may affect the confidentiality of citizens' data and the reliability of services, including critical infrastructure services.

Agencies determine their own target level of maturity, which may mean the requirement is not addressed, or is addressed in an ad hoc or inconsistent way

While the CSP is mandatory for all agencies, it does not set a minimum maturity threshold for agencies to meet.

The reporting template issued in 2019 stated that agencies were required to reach level three maturity in order to comply with the CSP. The 2020 revision⁶ of the CSP and guidance indicates that level three maturity may not be sufficient to mitigate risks. It advises the agency may determine the level to which it believes it is suitable to implement the requirements, and allows for an agency to aim for a target level of maturity less than level three. The agency can set its optimal maturity level with reference to its risk tolerance with the objective that that aim ‘to be as high as possible’. However, ‘as high as possible’ does not necessarily mean ‘fully implemented’. The CSP contemplates that a lower level of maturity is sufficient if it aligns with the agency's risk tolerance.

The Department of Customer Service asserts that while the quotes above were part of their annual templates and policy documents, their documents were incorrect. They assert that the policy has never required a minimum level of maturity to be reached. They have responded to our enquiries that:

…a level three maturity was not a requirement of the Policy or Maturity Model’ and ‘it is misleading to suggest it was a requirement of the Policy.

This audit found that, based on the 2020 reporting template there is no established minimum baseline. Consequently, because the Department of Customer Service had not established a minimum baseline agencies are able to target lower levels (providing they were within the agency’s own risk appetite), which includes targeting to not practice a CSP policy requirement, or to practice a CSP policy requirement on an ad hoc basis.

Where requirements are not implemented, documentation of formal acceptance of the residual risks by the agency head is not required

The New Zealand Government has an approach that is not dissimilar to NSW, in that it also identifies 20 mandatory requirements and allows for a risk based approach to implementation. However, the New Zealand approach puts more rigor around risk acceptance decisions.

The New Zealand Government requires that agencies that do not implement the requirements must demonstrate that a measure is not relevant for them. It requires agencies to document the rationale for not implementing the measure, including explicit acknowledgement of the residual risk by the agency head. They require these records to be auditable.

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory security measures unless you can demonstrate that a measure is not relevant in your context.

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

The NSW CSP does not require these considerations to be documented or auditable and does not require an explicit acknowledgement or acceptance of the residual risk by the agency head.

None of the participating agencies achieved level three implementation for all mandatory risk prevention and mitigation requirements

Maturity level three is the minimum level whereby an agency has implemented documented processes that are practiced on a regular basis across their environment. An agency has not reached level three if the requirement is implemented on an ad-hoc or inconsistent basis, or if not all elements of the requirement have been implemented.

None of the participating agencies achieved level three implementation for all mandatory requirements.

The requirements of the CSP are organised into five sections. Agency implementation of these requirements is discussed in the next five sections of this report.

• Lead: Planning and governance requirements. Section 2.1
• Prepare: Cyber security culture requirements. Section 2.2
• Prevent: Managing cyber incident prevention requirements. Section 2.3
• Detect/Respond/Recover: Resilience requirements. Section 2.4
• Report: Reporting requirements. Section 2.5.

Appendix one – Response from agencies

Appendix two – The maturity model for the mandatory requirements

Appendix three – Essential 8 maturity model

Appendix four – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

This report outlines whether the Department of Customer Service (the department) has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register (the register), and to prevent unauthorised access and misuse.

The audit found that the department has processes in place to ensure that the information entered in the register is accurate and that any changes to it are validated. Although there are controls in place to prevent and detect unauthorised access to, and activity in the register, there were significant gaps in these controls. Addressing these gaps is necessary to ensure the integrity of information in the register.

The Auditor-General made nine recommendations to the department, aimed at strengthening controls to prevent and detect unauthorised access to, and activity in the register. These included increased monitoring of individuals who have access to the register and strengthening security controls around the databases that contain the information in the register.

The NSW Registry of Births Deaths and Marriages is responsible for maintaining registers of births, deaths and marriages in New South Wales as well as registering adoptions, changes of names, changes of sex and relationships. Maintaining the integrity of this information is important as it is used to confirm people’s identity and unauthorised access to it can lead to fraud or identity theft.

Read full report (PDF)

The NSW Registry of Births Deaths and Marriages (BD&M) is responsible for maintaining registers of births, deaths and marriages in New South Wales. BD&M is also responsible for registering adoptions, changes of name, changes of sex and relationships. These records are collectively referred to as 'the Register'. The Births, Deaths and Marriages Registration Act 1995 (the BD&M Act) makes the Registrar (the head of BD&M) responsible for maintaining the integrity of the Register and preventing fraud associated with the Register. Maintaining the integrity of the information held in the Register is important as it is used to confirm people's identity. Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information.

BD&M staff access, add to and amend the Register through the LifeLink application. While BD&M is part of the Department of Customer Service, the Department of Communities and Justice (DCJ) manages the databases that contain the Register and sit behind LifeLink and is responsible for the security of these databases.

This audit assessed whether BD&M has effective controls in place to ensure the integrity of data in the Births, Deaths and Marriages Register, and to prevent unauthorised access and misuse. It addressed the following:

• Are relevant process and IT controls in place and effective to ensure the integrity of data in the Register and the authenticity of records and documents?
• Are security controls in place and effective to prevent unauthorised access to, and modification of, data in the Register?

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #330 - released 7 April 2020.

The Department of Family and Community Services (FACS) has not adequately supported or resourced its staff to manage antisocial behaviour in public housing according to a report released today by the Deputy Auditor-General for New South Wales, Ian Goodwin. 

In recent decades, policy makers and legislators in Australian states and territories have developed and implemented initiatives to manage antisocial behaviour in public housing environments. All jurisdictions now have some form of legislation or policy to encourage public housing tenants to comply with rules and obligations of ‘good neighbourliness’. In November 2015, the NSW Parliament changed legislation to introduce a new approach to manage antisocial behaviour in public housing. This approach is commonly described as the ‘strikes’ approach. 

When introduced in the NSW Parliament, the ‘strikes’ approach was described as a means to:

• improve the behaviour of a minority of tenants engaging in antisocial behaviour 
• create better, safer communities for law abiding tenants, including those who are ageing and vulnerable.

FACS has a number of tasks as a landlord, including a responsibility to collect rent and organise housing maintenance. FACS also has a role to support tenants with complex needs and manage antisocial behaviour. These roles have some inherent tensions. The FACS antisocial behaviour management policy aims are: 

to balance the responsibilities of tenants, the rights of their neighbours in social housing, private residents and the broader community with the need to support tenants to sustain their public housing tenancies.

This audit assessed the efficiency and effectiveness of the ‘strikes’ approach to managing antisocial behaviour in public housing environments.

We examined whether:

• the approach is being implemented as intended and leading to improved safety and security in social housing environments
• FACS and its partner agencies have the capability and capacity to implement the approach
• there are effective mechanisms to monitor, report and progressively improve the approach.

Parliamentary reference - Report number #306 - released 10 August 2018

The Department of Family and Community Services has managed the risks of the transition to the National Disability Insurance Scheme (NDIS) in New South Wales effectively by increasing the overall capacity of the non-government sector and investing in provider capability.

The National Disability Insurance Scheme (NDIS) is a major reform that aims to change the way disability support is provided and received. Responsibility for overseeing the system to support people with disability in New South Wales will transfer from the NSW Government to the National Disability Insurance Agency (NDIA), an independent statutory agency of the Australian Government. Eligible people with disability will receive individual funding from the NDIA and purchase support from their chosen service providers, rather than being referred to services funded or provided by government. The NSW Government will transfer all disability services it currently provides to the non-government sector.

Approximately 78,000 people received NSW Government-funded disability support in 2015–16 at a cost of around $3.3 billion. An estimated 142,000 people will have an individual NDIS support plan in New South Wales, with total funding rising to around $6.8 billion in 2018–19. NDIS trials began in New South Wales in 2013. The full scheme was introduced in July 2016 and is scheduled to be operating across the state by July 2018.

This audit assessed the effectiveness of the NSW Department of Family and Community Services' (the Department's) management of the risks of the NDIS transition in New South Wales. It focused on the Department's work to build the readiness of the non-government sector for the NDIS. To make this assessment, we asked whether:

1. the Department supported the non-government sector to build capacity to meet the expected increase in demand under the NDIS
2. the Department supported disability service providers in NSW to improve their capability to deliver NDIS services
3. the Department's work to prepare for the NDIS has been coordinated with the Australian Government's NDIS readiness work.

In addition to the audit questions above, this audit identified principles governments should consider when building the capacity and capability of the non-government sector to deliver human services.

Building the capacity of the non-government sector

The Department supported an increase in the capacity of non-government providers

The Department started building the capacity of the non-government sector before the NDIS was developed. This included moving services provided by government into the non‑government sector, funding early intervention and community-based disability support, and introducing some individual support packages. The Department checks that the business and operational systems of non-government disability providers are adequate. However, its understanding of the outcomes for people using the services is limited.

Service gaps are possible for people with more complex support or access needs

There are risks to the supply of services to people who have more complex support or access needs, including people who need specialist clinical support, people in remote areas, Aboriginal and Torres Strait Islander communities and culturally and linguistically diverse communities. The Department has supported the NDIA's initial market development work and funded some programs to help providers build their capacity to support these groups.  However, there is a risk the market will not expand quickly enough to meet the increase in demand for services.

Sector sustainability depends on support from outside the disability services sector

The sustainability of funded disability services provided by the non-government sector depends on support from outside the sector. Most people with disability receive significant unpaid support from family members, so carers will play a key role in the sustainability of the NDIS. There are opportunities for organisations that do not provide specific disability services to contribute to sector sustainability by providing some NDIS services. To do this, many will need help to make their services more accessible and inclusive to people with disability.

Helping non-government providers develop their capability

The Department invested in capability building programs for providers

The Department has spent more than $30 million over six years on programs that aim to improve the capability of disability support providers. This work began before the NDIS was established and was adjusted to focus on NDIS readiness from December 2012. It was guided by an industry development strategy that was developed after consultation with the sector and delivered in partnership with sector peak bodies. This approach gave the sector some responsibility for developing its own capability, which is important because the sector will not receive support from the NSW Government after the transition to the NDIS.

The overall impact of the programs on the capability of providers is not clear

The overall effectiveness of the Department's spending on provider capability is not clear. The Department had some information on the general financial health and organisational capability of providers from previous industry development work. However, baseline information on provider capability was not collected before programs commenced and targets for improvements in provider capability were not set. Without this information, the Department cannot demonstrate clearly that the capability building programs it funded represent good value for money.

Most providers will need more support to transition to the NDIS effectively

In late 2015, the Department assessed the transition progress of providers in New South Wales. This assessment indicates almost one third of providers are highly likely to need additional assistance to transition to the NDIS successfully, with only 14 per cent unlikely to need further assistance. We conducted a survey of 299 providers in New South Wales in August 2016. Most reported that they feel they are on track to transition to the NDIS successfully. Sixty-two per cent said the Department-funded programs and resources they had used had improved their readiness for the NDIS. Fifty-four per cent said the changes made because of using these programs and resources had a lasting impact on their organisation.

Coordinating sector development

Governance systems and planning processes for the NDIS transition were established

The Department developed governance arrangements for the transition in New South Wales. It contributed actively to the development of national policy and strategy documents including a strategy for national market development.

The Department shared sector readiness lessons with the Australian Government

Two NDIS sector readiness programs funded by the NSW Government were later expanded to national programs through funding from the Australian Government. New South Wales only received around five per cent of the total Australian Government funding for NDIS sector readiness initiatives. A report by the Australian National Audit Office in 2016 found there was limited evidence of a strategic approach by the Australian Government when allocating this funding to states and territories.

The Department has monitored transition issues and mitigated these where possible

The Department has monitored administrative issues for providers, which have included the changes in funding arrangements and registering for the NDIS. It has taken action to mitigate these where possible, although some issues, such as the operation of NDIA administrative systems, are beyond its control.

The National Disability Insurance Scheme (NDIS)

The NDIS is a fundamental change to the disability support system

The NDIS is a major reform that aims to make significant changes to the way disability support is provided and received. Under the NDIS, the administration of funding for disability support in New South Wales will transfer from the NSW Government to the National Disability Insurance Agency (NDIA), an independent statutory agency of the Australian Government. The NSW and Australian Governments will both contribute to funding the NDIS. The size of the disability services sector in New South Wales is expected to more than double when the NDIS is fully operational (Exhibit 1).

One of the main objectives of the NDIS is to increase the choice and control that people with disability have over the support they receive. Under the NDIS, people with disability receive individual funding packages which they can use to pay their chosen providers for the support they need, instead of being referred to services that are deemed appropriate for their needs. This is a fundamental change to the nature of disability support. Before the NDIS, people with disability were moved around the system according to decisions made by government or other organisations providing disability support. Under the NDIS, the funding will move around the system based on the choices people with disability make. The development of the new market for NDIS disability services is expected to take up to ten years because the changes to the system are so extensive.

In addition to increasing choice and control for participants, the NDIS aims to:

• improve outcomes for people with disability by intervening early to help reduce the need for support later in life
• increase integration by helping people with disability access mainstream government services such as health and education
• increase the involvement of people with disability in the community by making it easier to access community services such as sports clubs and community groups.

The transition to the NDIS is underway

The transition to the NDIS is underway in most Australian states and territories, following trials over the last three years. In New South Wales, a trial site was established in the Hunter area in July 2013. Early roll out of the NDIS began in July 2015 for people aged under 18 in the Nepean Blue Mountains area. On 30 June 2016, about 7,800 people had an NDIS plan in the Hunter trial site and around 1,800 people had a plan in the Nepean Blue Mountains area.

The full roll out of the NDIS began in about half of New South Wales in July 2016. The NDIS will start operating in the rest of the state from July 2017 and the transition is scheduled to be completed by July 2018 (Exhibit 2).

For the rest of the transition, the Department of Family and Community Services should:

1. Work with the Australian Government, NDIA and other NSW Government agencies to identify gaps and develop the capacity of specialist clinical services, focusing on regional and rural areas.
2. Continue to implement projects to increase the number of organisations that can support Aboriginal and Torres Strait Islander and culturally and linguistically diverse communities.
3. Target remaining capability building assistance to less prepared providers, including via one-to-one support and mentoring in identified areas of weakness.
4. Continue working with the Australian Government and the NDIA to ensure lessons from sector capability programs are shared.

Principles for developing the non-government sector

1. Commence work to increase the capacity of the non-government sector early to allow time for service capacity to be built in a sustainable way.
2. Decide whether to increase the capacity of the sector by supporting existing providers to expand their operations, attracting new organisations from outside the existing provider group, or some combination of these.
3. Tailor approaches to supporting groups that have additional support or access needs because of cultural or geographic factors.
4. Define the desired outcomes for people using services and, where possible, include outcomes in service delivery contracts.
5. Invest in the sector by partnering with sector peak bodies to deliver capability programs.
6. Include one-to-one support and mentoring in capability building programs where possible to improve the targeting of support to the specific needs of providers.
7. Collect baseline information on provider capability before commencing programs and build robust tracking and evaluation into their design.
8. Establish whole-of-government governance arrangements to ensure roles, responsibilities and accountability for delivery are clear.

Parliamentary reference - Report number #280 - released 23 February 2017