What the report is about

Result of the Enterprise, Investment and Trade cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

The Machinery of Government changes within the Enterprise, Investment and Trade cluster resulted in the creation of the Department of Enterprise, Investment and Trade and the transfer of $1.0 billion of net assets into the new department.

Unmodified audit opinions were issued for all completed cluster agencies' 2021–22 financial statements audits. Two audits are ongoing.

An 'Other Matter' paragraph was included in the audit opinion for the Jobs for NSW Fund's 30 June 2021 financial report to reflect the non-compliance with the Jobs for NSW Act 2015 (the Act) and Government Sector Finance Act 2018. The Act requires the board to consist of seven members that include the Secretary of the Treasury, the Secretary of the Department of Premier and Cabinet, and five ministerial appointments. The board has consisted of two secretaries since 24 May 2019 when the independent members resigned. The remaining five members have not been appointed by the ministers as required by section 5(2) of the Act.

Three cluster agencies accepted changes to their office leasing arrangements managed by Property NSW. This has resulted in the collective derecognition of $24.8 million of right-of-use assets and $26.7 million in lease liabilities, and recognition of $1.9 million of other gains.

What the key issues were

The number of issues we reported to management decreased from 108 in 2020–21 to 103 in 2021–22. Thirty per cent of issues were repeated from the prior year.

Six high-risk issues were identified across the cluster related to the quality and timeliness of financial reporting, governance processes and internal controls.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Enterprise, Investment and Trade cluster's financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Enterprise, Investment and Trade cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Enterprise, Investment and Trade cluster.

Appendix one – Misstatements in financial statements submitted for audit 

Appendix two – Early close procedures 

Appendix three – Timeliness of financial reporting 

Appendix four – Financial data 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

Result of the Customer Service cluster agencies' financial statement audits for the year ended 30 June 2022.

What we found

Unmodified audit opinions were issued for Customer Service cluster agencies.

What the key issues were

The number and size of Service NSW's administered grant programs have increased significantly in response to emergency events. Improvements are required to address gaps in Service NSW's policies, systems and processes in administering and financial reporting of grant programs.

The Department of Customer Service (the department) reported a retrospective correction of a prior period error of $33.3 million understatement of the land titling database, which is a service concession asset managed by a private operator.

The 2021–22 audits identified five high-risk issues across the cluster:

• the department:
  • control weaknesses in user access to GovConnect systems
  • significant control deficiencies in information technology change management controls
• Rental Bond Board:
  • legislation amendment required to better support the accounting treatment of rental bonds
  • no delegation instrument to government officers authorising them to approve expenditures
• Service NSW:
  • improvements required in the timeliness and quality of grant administration revenue assessment and controls over the recovery of grant administration costs.

Recommendations were made to address these deficiencies.

This report provides Parliament and other users of the Customer Service cluster's financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2022.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service cluster.

Appendix one – Misstatements in financial statements submitted for audit 

Appendix two – Early close procedures 

Appendix three – Timeliness of financial reporting 

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

• Integrity and transparency
• Performance and monitoring
• Governance and oversight
• Cyber security and data
• System planning for disruption
• Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

• Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
• Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
• Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

The results of the Transport cluster agencies’ financial statement audits for the year ended 30 June 2021.

What we found

Unmodified financial statement audit opinions were issued for all Transport cluster agencies. Resolution of issues delayed signing the Transport Asset Holding Entity of NSW (TAHE) until 24 December 2021. Matters relating to TAHE are also reported in the report on State Finances 2021.

Emphasis of Matter - TAHE

An Emphasis of Matter paragraph was included in TAHE's audit opinion to draw attention to uncertainty associated with:

• future access and licence fees that are subject to re-signed agreements
• an additional $4.1 billion of funding that is outside the forward estimates period
• a significant portion of the fair value of TAHE’s non-financial assets is reflected in the terminal value, which is outside the ten-year contract period to 30 June 2031, and the risk that TAHE will not be able to negotiate contract terms to support current projections.

TAHE's transition from RailCorp also changed its valuation of assets to an income approach, resulting in a $20.3 billion decrease to the fair value. The fair value decrease was because the cash flows were not sufficient to support the previous recorded value.

TAHE corrected a misstatement of $1.2 billion relating to the valuation of its assets. This followed significant deliberation on key judgements and assumptions, with TAHE adopting risk assumptions in its valuation that were not in line with comparable benchmarks.

Emphasis of Matter - State Transit Authority of New South Wales

An Emphasis of Matter paragraph was included in the State Transit Authority of NSW's (the Authority) audit opinion to draw attention to the financial statements not prepared on a going concern basis. This was because the NSW Government put the Authority's bus contracts out to competitive tender and accordingly, management assessed the Authority's principal activities are not expected to operate for a full 12 months after 30 June 2021.

The implementation of AASB 1059 ‘Service Concession Arrangements: Grantors’ resulted in a net increase in assets of $23.5 billion across the Transport cluster.

The 2020–21 audits identified six high-risk and 45 moderate risk issues across the cluster. Fourteen of the moderate risk issues were repeat issues, including information technology controls around management of user access for key financial systems and payroll processes.

The high-risk issues, in addition to those related to TAHE and previously reported in the report on State Finances 2021, include:

• absence of conflict of declarations related to land acquisition processes at Transport for NSW
• no evidence of conflict of interest declarations obtained by TAHE from consultants and contractors regarding involvement in other engagements.

What we recommended

TAHE needs to:

• finalise revised commercial agreements to reflect fees detailed in a Heads of Agreement signed on 18 December 2021
• prepare robust projections and business plans to support the required rate of return.

NSW Treasury and TAHE should monitor the risk that control of TAHE assets could change in the future.

Transport for NSW needs to significantly improve its processes to ensure all key information is identified and shared with the Audit Office.

Transport agencies should implement a process to ensure conflicts of interest declarations are completed for land acquisitions and applied consistently across the cluster.

Transport agencies should implement a process to capture all contracts and agreements entered to ensure:

• agencies are aware of contractual obligations
• financial reporting implications are assessed, particularly with respect to leases, revenue and service concession arrangements.

This report provides Parliament and other users of the transport cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the cluster for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Findings reported to management

The number of findings reported to management has increased, and 37 per cent of all issues were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 73 findings raised across the cluster (56 in 2019–20) and 37 per cent of all issues were repeat issues (43 per cent in 2019–20).

In view of the recent performance audit ‘Managing Cyber Risks’ and compliance audit ‘Compliance with the NSW Cyber Security Policy’ involving the cluster, it is noted with concern that the most common repeat issues related to weaknesses in controls over information technology user access administration and password management. Moderate risk issues included completeness and accuracy of contract registers, accounting for assets and management of supplier and payroll masterfiles.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports, and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Control deficiencies may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation, and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating. 

2020–21 audits identified six high-risk findings

High-risk findings were reported at the following cluster agencies.

The number of moderate risk findings increased from prior year

Forty-five moderate risk findings were reported in 2020–21, representing a 73.1 per cent increase from 2019–20. Of these, 14 were repeat findings, and 31 were new issues. 

Key moderate risk findings related to:

• weaknesses in user access management to key financial systems
• management of contracts and agreements register
• management of supplier and payroll masterfiles
• accounting for assets
• control deficiencies at service organisations
• segregation of duties relating to the hiring of employees
• conflict of interest management
• annual leave management
• review of internal audit charter
• disaster recovery planning.

Transport Asset Holding Entity of New South Wales

Background

The establishment of TAHE was originally announced by the NSW Government in the 2015–16 State Budget. On 1 July 2020, the former Rail Corporation New South Wales (RailCorp), a not-for-profit entity, transitioned to the Transport Asset Holding Entity of New South Wales (TAHE), a for-profit statutory state-owned corporation under the Transport Administration Act 1988. There was no change in the structure of TAHE as a new entity was not created. Ownership remains fully with the government. TAHE, and the former RailCorp, were both classified as Public Non-Financial Corporation (PNFC) entities within the Total State Sector Accounts.

Prior to 1 July 2015, the government paid appropriations to Transport for NSW, a General Government Sector (GGS) agency, to construct transport assets. When completed, these assets were granted to the former RailCorp, a not for-profit entity within the PNFC sector. The grants to the former RailCorp were recorded as an expense in the State’s GGS budget result.

From 1 July 2015, the government announced the creation of TAHE (a dedicated asset manager). Funding for new capital projects was to be provided through equity injections and was no longer recorded as an expense to the GGS budget, even though the business model was yet to be determined. The change, as explained in the 2015–16 State Budget, was due to the expectation that the former RailCorp will transition to TAHE, which was intended, over time to provide a commercial return. That Budget also highlighted how the change, which was largely a change in the basis of accounting, was intended to improve the GGS budget result each year. In total, the GGS has contributed approximately $11.1 billion to TAHE since 2015–16. This includes the equity injections from the GGS to TAHE made in the current year of $2.4 billion.

NSW Treasury initially set a timetable for the stand-up of TAHE of 1 July 2019, which included finalising the business model, operating model and contracts for the use of TAHE's assets. The enactment of the Transport Administration Act 1988 resulted in RailCorp transitioning to TAHE on 1 July 2020, 12 months after its originally planned operational date. Contributions paid to the former RailCorp and subsequently to TAHE by the GGS were treated as equity investments from July 2015 forward. This treatment continued, despite delays in settling the business model. In 2020, the Audit Office raised a high-risk finding due to the significance of the financial reporting impacts and business risks for NSW Treasury and TAHE.

The business model adopted and the flow of funds between transport agencies in the GGS and PNFC sectors is shown in the diagram below. For further details refer to the Report on State Finances 2021.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

The results of the consolidated General Government Sector (GGS) and Total State Sector (TSS) financial statements audits for the year ended 30 June 2021.

What we found

The Independent Auditor’s Report on the 2020–21 GGS and TSS financial statements was unqualified but contained an emphasis of matter. The resolution of significant issues delayed signing until 24 December 2021.

The emphasis of matter draws attention to significant uncertainties associated with key assumptions related to the recognition by the GGS of a $2.4 billion investment in the Transport Asset Holding Entity (TAHE).

The Audit Office advised NSW Treasury that it intended to issue a qualified audit opinion, but actions by the NSW Government avoided this outcome. All evidence provided prior to 14 December indicated that the GGS’s return on the $2.4 billion cash contributed to TAHE was insufficient to support accounting for it as an investment. Projected returns were below the long term inflation rate and were insufficient to recover:

• TAHE's revaluation loss of $20.3 billion in 2020–21
• an average rate of return of at least 2.5 per cent of equity invested in TAHE.

In these circumstances, the $2.4 billion contributed to TAHE should have been expensed. This could have impacted the GGS’s budget result.

The NSW Government’s actions to avoid a qualified audit opinion included:

• a government decision made on 14 December approving TAHE’s shareholding ministers communicating that their expectation of a return had increased to 2.5 per cent
• reflecting the revised shareholding ministers’ expectations in the 2021–22 ‘NSW Half-Yearly Review’ on 16 December. The NSW Government provided an additional $1.1 billion to fund increased access and license fees to TAHE from the public sector operators (Sydney Trains and NSW Trains)
• signing a Heads of Agreement (HoA) on 18 December between Transport for NSW (TfNSW),TAHE and the public sector operators. The HoA reflected the parties’ intent to renegotiate contracts to increase TAHE’s licence and access fees by $5.2 billion.

The uncertainty raised in our emphasis of matter relates to:

• TAHE’s future estimated access and licence fees, which remain subject to re-negotiation and must meet or exceed the indicative future access and licence fees set out in the HoA
• continued funding for TAHE's key customers (Sydney Trains and NSW Trains) to meet the price increases outlined in the HoA
• the 2021–22 'NSW Budget Half Yearly Review', which provides for $1.1 billion of the additional funding over the forward estimates period to 2024–25. A further $4.1 billion is required over the following six years (2026–31), which are outside the forward estimates period
• further significant cash flows required to support the funding model are outside the 10-year contract period. That is, beyond 30 June 2031.

There remains a risk that:

• TAHE will not be able to re-contract with the rail operators for access and licence fees at a level that is consistent with current projections
• future government's funding to TAHE’s key customers, the rail operators, may not be consistent with the current shareholding ministers’ expectations
• TAHE will be unable to grow its non-government revenues.

The audit found a risk of undue reliance on consultants, a need to improve quality controls on materials submitted to audit and an extreme risk finding raised with respect to providing key information on a timely basis.

The GGS Budget Result for the 2020–21 financial year was a deficit of $7.1 billion compared to an original forecast budget deficit of $16 billion.

The State did not achieve its fiscal target of maintaining annual expenditure growth below the long-term revenue growth target of 5.6 per cent. In 2020–21, the GGS expenditure grew by 6.9 per cent mainly due to grants and subsidies paid from the COVID-19 stimulus packages received from the Commonwealth.

What we recommended

Significant matters concerning TAHE

We recommend NSW Treasury:

• implement effective quality review processes over key accounting information
• establish a policy to determine the minimum expected rate of return on its equity injections into public sector entities
• report on the performance of investments in TAHE and all other public sector entities
• ensure the revised commercial agreements between TAHE and NSW rail operators reflect access and licence fees set out in the Heads of Agreement
• with TAHE, prepare robust projections and business plans to support returns beyond FY2031
• liaise with the Australian Bureau of Statistics (ABS) and reconfirm the sector classifications of TAHE, NSW Trains and Sydney Trains
• with TAHE, monitor the risk that control of TAHE assets could change in future reporting periods
• significantly improve its processes to ensure all key information is identified and shared on a timely basis
• consider whether there is sufficient competent oversight of its use of consultants and assess the risk of an overdependence on consultants at the cost of internal capability.

A number of other non-TAHE related recommendations have been raised in Section 6 ‘Key Audit Findings’.

Image

Pursuant to the Government Sector Audit Act 1983 I present my report on State Finances 2021. My independent auditor’s opinion on the State’s consolidated financial statements, albeit delayed, is unqualified. My independent auditor’s report however, does include an emphasis of matter drawing attention to significant uncertainties remaining in relation to the State’s equity investment in the Transport Asset Holding Entity (TAHE).

The 2020–21 year was challenging from many perspectives, not least being the continuing impact of and response to the COVID-19 pandemic. Once again, NSW Treasury provided government agencies extensions of time to submit financial statements for audit. Finance staff and management right across government must be congratulated for their responsiveness in meeting their financial reporting obligations in such challenging circumstances.

The General Government’s 2020–21 budget result, reflected within the Total State Sector Accounts, was a deficit of $7.1 billion. This compares with the original budgeted deficit of $16 billion. The factors that contributed to this outcome are presented in this Report to Parliament along with other significant matters related to the audit of the Total State Sector Accounts.

One section of my report is dedicated to issues related to the accounting for TAHE. This year’s audit was significantly delayed by protracted disagreement over the treatment of the government’s cash contribution to TAHE. This matter was further frustrated by the fact that information was withheld and not shared with my Office on a timely basis. This has warranted an extreme risk finding for NSW Treasury to significantly improve governance processes to ensure complete and timely sharing of information. This is key to preserving trust, which is one of the foundations that underpins my Office’s engagement with agencies in the conduct of their audits.

The challenges encountered in completing this year’s audit were extraordinary and tested the constructive partnership between the Audit Office and NSW Treasury. I want to acknowledge the enormous efforts of staff of both agencies to correct material errors and ultimately achieve my unmodified audit opinion. I saw first-hand the professionalism, resilience and dedication of my staff. A commitment to accurate and transparent financial reporting is a key basis upon which confidence in the financial management of New South Wales’ resources can be assured.

Margaret Crawford

Auditor-General for New South Wales

9 February 2022

The Independent Auditor's Report, which includes an emphasis of matter was issued on 24 December 2021

While the audit opinion on the State's 2020–21 financial statements was ultimately unmodified, NSW Treasury delayed signing the NSW Total State Sector Accounts (TSSA) in order to resolve significant accounting issues that were material to the TSSA, in particular the treatment of the General Government Sector's (GGS) investment in the Transport Asset Holding Entity (TAHE) during 2020–21.

The Treasurer and NSW Treasury signed the consolidated financial statements on 24 December 2021, eleven weeks later than the 2018–19 pre-pandemic timetable.

The Audit Office advised NSW Treasury that the 2020–21 TSSA would be qualified with respect to TAHE

Our review of all evidence received prior to 14 December indicated the GGS's expected returns were below the long-term inflation rate and that there was no expectation it should recover a significant asset revaluation loss. The levels of projected returns did not support the accounting treatment of the GGS's cash contribution of $2.4 billion to TAHE as an equity injection.

The TSSA are prepared in accordance with Australian Accounting Standards and particularly AASB 1049 ‘Whole-of-Government and General Government Sector Financial Reporting’. This standard requires contributions from owners to comply with the Australian Bureau of Statistics (ABS) Government Finance Statistics Manual 2015¹ (GFSM) where it would not conflict with Australian Accounting Standards.

The ABS GFSM states that an equity contribution is recognised unless there is no reasonable expectation that a sufficient rate of return can be generated by that investment, in which case the transfer is expensed. A realistic rate of return is defined in the ABS GFSM as the intention to earn a rate of return that is sufficient to generate dividends (including income tax equivalents) and holding gains or losses at a later date. Holding losses include the final asset revaluation decrement of $20.3 billion, which TAHE incurred on its property plant and equipment assets when it became a for-profit entity and was required to value its assets on the basis of the cash flows they are expected to generate. The lower the commercial returns (cashflows), the greater the potential valuation losses of a for-profit entity's assets. This $20.3 billion valuation loss is disclosed within notes 1 'Significant Accounting policies - TAHE Reform in 2020–21', Note 11 'Equity Investments in Other Public Sector Entities' and Note 14 'Property, Plant & Equipment of the Total State Sector and GGS' financial statements.

Multiple versions of models estimating the GGS's expected rate of return were submitted to the Audit Office by NSW Treasury attempting to demonstrate the commerciality of the GGS's investment in TAHE. Until 14 December 2021, our review of all calculations indicated the existing access and licence fees set up under commercial arrangements effective 1 July 2021 did not support a reasonable expectation that a sufficient rate of return would be earned on the equity injections to TAHE. The existing revenue arrangements reflected a shareholders' expected rate of return of only 1.5 per cent per annum of contributed equity and did not include recovery of the revaluation loss of $20.3 billion incurred in 2020–21.

Having reviewed all evidence provided, the Audit Office communicated to NSW Treasury that unless corrected, the State's accounts would be qualified as the $2.4 billion transfer made by the GGS to TAHE should have been reported as a grant expense instead of an investment. The GGS's estimated rate of return was not sufficient to cover:

• TAHE's final revaluation loss of $20.3 billion in 2020–21
• a dollar value equal to, or exceeding a 2.5 per cent rate of return on the equity invested in TAHE (ie: at least equal to the long term inflation rate).

Action was required by the NSW Government to avoid a qualified audit opinion

NSW Government actions avoided a qualified audit opinion related to the GGS’s cash contribution of $2.4 billion to TAHE. To support the TAHE structure as a commercial arrangement earning a sufficient rate of return, the NSW Government agreed to provide additional future funding to TAHE's key government customers (Sydney Trains and NSW Trains) to support increases in access and licence fees to be paid to TAHE.

Shareholding ministers increased their expectations as to TAHE's target average return to the expected long-term inflation rate of 2.5 per cent

On 14 December 2021, a government decision was made resulting in the TAHE shareholding ministers requesting that TAHE re-negotiate the access fees and license fees payable under the Operating Agreements between TAHE and the public operators (Sydney Trains and NSW Trains). The renegotiation was to target an average return to the GGS of 2.5 per cent on the equity contributed. TAHE's existing ten year agreements with the operators provide a mechanism by which the parties meet annually and consult in order to determine the amount of the access fees and licence fees that will be payable in the following financial year.

The revised shareholder expectations for TAHE were published in the 2021–22 'NSW Budget Half Yearly Review' on 16 December 2021. The revised expectations changed the basis of the expected returns on equity from the 10-year Commonwealth bond rate of only 1.5 per cent, to the expected long-term inflation rate of 2.5 per cent. This is consistent with the Reserve Bank's target band and the Commonwealth's Department of Finance's expected return on government investments in other sectors.

The revised shareholder expectations were confirmed in a signed Heads of Agreement

On 18 December 2021, Transport for NSW (TfNSW), TAHE and the operators, Sydney Trains and NSW Trains entered into a Heads of Agreement (HoA). This HoA forms the basis of negotiations to revise the pricing within the existing 10-year contracts and deliver upon the shareholders' expectation of a return of 2.5 per cent per annum of contributed equity. This revised return includes:

• income earned over the estimated weighted average remaining useful lives of TAHE’s assets
• recovery of the revaluation losses in 2020–21 on TAHE’s property, plant and equipment assets incurred when TAHE commenced operations as a for-profit entity, albeit the recovery of the revaluation loss is projected to take up to 2052.

The HoA reflects an intention between all parties to revise the contractual agreements to increase future access and license fees by $5.2 billion. This included $1.1 billion for the period FY2023–25, which is reflected in the 2021–22 'NSW Budget Half Yearly Review'. Further detail on the HoA is reported in Section 3 of this report ‘Investment in the Transport Asset Holding Entity’.

NSW Treasury revised its calculations to reflect the increased future returns

Following these changes, NSW Treasury revised its calculations of estimated returns to reflect a cumulative return equivalent to the expected long-term inflation rate, and recovery of the 2021 valuation loss by 2052. The rate of return period is consistent with the weighted average remaining useful life of TAHE's assets. The changes supported the financial reporting treatment of the $2.4 billion transfer from the GGS to TAHE as an investment rather than an expense, even though TAHE is currently heavily reliant on revenues from the public rail operators, Sydney Trains and NSW Trains. If the cash contribution had to be treated as a capital grant expense, it would have reduced the GGS's budget result by $2.4 billion.

The Independent Auditor’s Report includes an emphasis of matter drawing attention to uncertainty relating to the General Government Sector's investment in the Transport Asset Holding Entity (TAHE)

Despite the investment in TAHE being better supported, and the independent auditor's opinion being unqualified, the Independent Auditor’s Report includes an emphasis of matter, which draws attention to the significant uncertainties remaining in relation to the GGS’s equity investment in TAHE. The significant uncertainty is associated with key assumptions that support the recognition by the GGS of its $2.4 billion investment in TAHE during 2020–21.

As at the time of signing the Independent Auditor's Report, there was significant uncertainty with regards to judgements around the commerciality of TAHE's operations because:

• TAHE’s future estimated access and licence fees, which are critical to its ability to earn a realistic rate of return, remain subject to re-negotiation and re-signing of the current access agreements. The proposed indicative future access and licence fees, which are set out in the HoA are intended to form the basis of the re-negotiation.
• $1.1 billion in additional funding for TAHE's key customers, Sydney Trains and NSW Trains, was provided in the 2021–22 'NSW Budget Half Yearly Review' consistent with the terms in the HoA. However, this funding only extends to the end of the forward estimates period in 2024–25. There is an additional $4.1 billion required over the following six years, which falls outside of the forward estimates period (up to the end of the 10-year contract period). While this has been communicated to the government's Expenditure Review Committee, it is yet to be provided for in government's budget figures. As TAHE's projections are currently highly dependent on its government customers, it is critical that the government continue to provide sufficient funding to the GGS to support increases in the prices government customers will pay for access to TAHE's assets.
• A further significant portion of the required returns is earned outside of the 10-year contract period (terminating 30 June 2031). NSW Treasury has estimated $37.9 billion in returns from its investment in TAHE over the period from 1 July 2022 to 30 June 2052, but has not identified the source or means of these returns beyond 2031. Currently, TAHE derives the majority of its revenue from access and licence fee agreements with Sydney Trains and NSW trains, who in turn are both funded by grants to Transport for NSW from the GGS. The projected returns calculated by NSW Treasury beyond 2031 are calculated by assuming a 2.5 per cent growth rate. About 87 per cent of these estimated returns are being earned beyond the ten years, with $32.9 billion estimated over the period 2032–52. There remains risk that:
  • TAHE will not be able to re-contract for access and licence fees at a level that is consistent with current projections
  • future governments' funding to TAHE's key customers will not be sufficient to fund payment of access and licence fees at a level that is consistent with current projections
  • TAHE will be unable to grow its non-government revenues.

Significant accounting issues relating to TAHE are detailed in Section 3 to this report titled ‘Investment in the Transport Asset Holding Entity’. Other significant matters related to the TSSA audit are covered in section 6 to this report titled ‘Key Audit findings’.

Other financial reporting matters

The State extended the date for submission of agency financial statements for audit to provide relief to agencies impacted by the New South Wales' COVID-19 lockdowns

All agencies were given a one-week extension (two weeks in 2019–20) to prepare their financial statements and submit them for audit by 2 August 2021. Further extensions were subsequently approved for the following ten agencies and funds (11 in 2019–20) to submit completed financial statements for audit:

• Department of Communities and Justice (9 August 2021 for disclosures related to cloud computing costs)
• Investment NSW (13 August 2021)
• Jobs for NSW (13 August 2021)
• TCorp IM Funds (19 August 2021)
• Lord Howe Island Board (22 October 2021)
• Department of Customer Service (31 August 2021 for disclosures related to AASB 1059 'Service Concession Arrangements: Grantors')
• Department of Transport (20 August 2021)
• Sydney Olympic Park Authority (12 August 2021)
• Planning Ministerial Corporation (12 August 2021)
• Transport Asset Holding Entity (16 August 2021).

Additional extensions provided agencies with more time to resolve accounting issues relating to:

• asset valuations
• first time implementation of AASB 1059
• asset transfers and treatment of software as service costs.

The extensions outlined above resulted in a two-week delay submitting the State’s draft consolidated financial statements for audit.

In 2020–21, agency financial statements presented for audit contained 24 errors exceeding $20 million (19 in 2019–20). The total value of these errors was $6.6 billion, a significant increase from the previous year ($1.4 billion in 2019–20)

The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.

The errors resulted from:

• incorrect application of Australian Accounting Standards and NSW Treasury Policies
• incorrect judgements and assumptions when valuing non-current physical assets and liabilities
• human error or lack of oversight.

The completion of the 2020–21 Total State Sector Accounts was significantly delayed as material accounting issues were resolved. These issues related to how the General Government Sector’s (GGS)² investment in the Transport Asset Holding Entity was accounted for. The key areas of audit concern, which required considerable effort to satisfactorily resolve, included our assessment of:

• the accounting treatment of funds transferred to TAHE from the GGS, specifically:
  • whether funds transferred to TAHE from the GGS should be considered an equity investment or capital grant expense, with the latter having implication to the presentation of the NSW Government Budget positions. Funds are expensed unless, as an investment, there is a reasonable expectation to generate a sufficient rate of return
  • forming a view as to what a ‘reasonable expectation of a sufficient rate of return on investment³’ should be with respect to the Australian Bureau of Statistics' Government Finance Statistics Manual 2015 (GFSM)
  • the valuation of TAHE’s property, plant and equipment at 30 June 2021
• whether TAHE was correctly classified as a Public Non-Financial Corporation (PNFC) entity
• whether, under the agreements in place for the use and price of TAHE's assets, TAHE controlled its property, plant and equipment.

Our assessments were hindered by errors and omissions in information and models provided by NSW Treasury to demonstrate expected returns from TAHE, as well as a lack of timeliness and completeness in their responses to requests for documentation to support NSW Treasury's proposed accounting of government's contributions to TAHE.

Up until 13 December 2021, evidence provided by NSW Treasury to support the treatment of a $2.4 billion equity transfer from the GGS to TAHE did not demonstrate a sufficient rate of return on the State's investment. Instead, the evidence suggested the transfer was of the nature of a capital grant expense, which would impact the GGS budget result. Unless corrected, by either reversing the equity investment to a capital grant expense (impacting the GGS budget result) or providing additional resources to the rail operators to support additional TAHE access and licence fees (adding additional expenses to future GGS budget results), this matter would have caused the State's accounts to have been qualified.

After the Audit Office communicated the likely audit outcome to NSW Treasury, significant changes were made by government from 14 December 2021. Government decisions that avoided qualification of the TSSA included:

• On 14 December, a government decision approved communicating revised shareholders' expectations of rate of return of 2.5 per cent being the long-term inflation rate, and increased grants to Transport for NSW for the rail operators to pay increased access and licence fees to TAHE to support of the new rate of return (previously 1.5 per cent).
• On 16 December, the 2021–22 'NSW Budget Half Yearly Review' included an increase in expected returns to be derived through higher access and license fees charged by TAHE. To facilitate these returns, an increased allocation of funds of $1.1 billion was made to Transport for NSW (TfNSW) from 1 July 2022 as part of the forward estimates for the period 2022–25. This was to pay for the proposed increased access and licence fees the operators would be required to pay TAHE.
• On 18 December, TfNSW, TAHE and the operators Sydney Trains and NSW Trains signed a Heads of Agreement (HoA) forming the basis of negotiations to revise annual operating agreements to facilitate the shareholders’ expected returns of 2.5 per cent of contributed equity. The HoA included indicative access and licence charges to be used as a basis of renegotiation, increasing access fees and licence fees to be paid by Sydney Trains and NSW Trains over the 10-year period from 2022–2031 by a further $5.2 billion. Most of this increase occurs outside the forward estimates. The majority of the additional funding may need to be funded by future governments.

NSW Treasury has projected returns to be earned to 2052 (a period covering the weighted average remaining useful lives of TAHE's assets) as sufficient to recover the revaluation loss of $20.3 billion which arose when TAHE revalued its assets under the income approach. These assets were valued on a discounted cash flow basis as at 30 June 2021.

These key decisions and the circumstances leading up to these changes are detailed later in this section.

Background

On 1 July 2020, the former Rail Corporation of New South Wales (RailCorp), a not-for-profit entity, was renamed the Transport Asset Holding Entity of New South Wales (TAHE) transitioning to a for-profit statutory State-Owned Corporation under the Transport Administration Act 1988. There was no change in the structure of TAHE as a new entity was not created. Ownership remains fully with the government. TAHE, and the former RailCorp, were both classified as Public Non-Financial Corporation (PNFC) entities within the Total State Sector Accounts. TAHE was not a newly created entity, nor was it the result of a change in administrative re-arrangements (such as Machinery of Government change).

Prior to 1 July 2015, the government paid appropriations to TfNSW, a GGS agency, to construct transport assets. When completed, these assets were granted to RailCorp, a not for-profit entity within the PNFC sector. The grants to RailCorp were recorded as an expense in the State’s GGS budget result and in the NSW Total State Sector Accounts (TSSA).

From 1 July 2015, the government announced the creation of TAHE (a dedicated asset manager). Funding for new capital projects was to be provided through equity injections, even though the business model was yet to be determined. NSW Treasury initially set a timetable for finalising the business model, operating model and contracts for the use of TAHE's assets of 1 July 2019.

Contributions paid to TAHE by the GGS were treated as equity investments from July 2015 forward. This treatment continued, despite delays in settling the business model. In 2020, the Audit Office raised a high risk finding due to the significance of the financial reporting impacts and business risks for NSW Treasury and TAHE.

The business model eventually adopted was one whereby:

• The GGS invests in TAHE with an expectation of a sufficient rate of return.
• TAHE charges the operators (predominantly Sydney Trains and NSW Trains) to use network and rolling stock to deliver services. The operators remain responsible for both the delivery of the services and the maintenance and safe operation of the assets. The operators are primarily funded by TfNSW through grants.
• The GGS grants funds to operators, which allows them to pay access fees to TAHE. The amount of these grants impacts the budget result.
• TAHE pays a return back to GGS by way of dividends and tax equivalents. The return may also include holding gains and losses on the fair value of the net assets of TAHE.

TAHE earns relatively small amounts of income from transactions with the private sector. While the TAHE Board envisages that, over time, they will enhance the commerciality of TAHE’s operations, it is currently highly dependent on revenues from government contracts (over 80 per cent). The circularity in flow of funds between transport agencies in the GGS and PNFC sectors is shown in the diagram below:

The government continues to respond to the impacts of the COVID-19 pandemic on New South Wales through its economic stimulus measures

The COVID-19 pandemic continues to significantly impact the State’s finances, reducing revenue and increasing expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health. Over 2020–21, the government allocated an additional $5.6 billion to agencies as part of its economic stimulus and pandemic response. Measures included:

• $1.8 billion in health measures including essential medical equipment purchases, vaccine distribution, quarantine, contract tracing and maintaining clinical health capacity (such as intensive care units)
• $508 million in additional cleaning services primarily to the Department of Education and Transport for NSW
• $500 million as part of the ‘Dine & Discovery NSW’ voucher program to the Department of Customer Service
• $350 million in combined land tax relief and small business recovery grants to Department of Customer Service and NSW Treasury respectively.

Around $4.5 billion of this package was spent in 2020–21, leaving $1.1 billion unspent and carried forward into 2021–22. The graph below shows the total allocation and spend by cluster for 2021 compared to their target spend.

Deficit of $7.1 billion compared with a budgeted deficit of $16 billion

The outcomes of the government’s overall activity and policies are reflected its net operating balance (Budget Result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.

The General Government Sector, which comprises 204 entities, generally provides goods and services funded centrally by the State.

In addition to the 204 entities within the General Government Sector, a further 98 government controlled businesses are included within the consolidated Total State Sector financial statements. These businesses generally provide goods and services, such as water, electricity and financial services for which consumers pay for directly.

The Budget Result for the 2020–21 financial year was a deficit of $7.1 billion compared to an original forecast of a budget deficit of $16 billion.

Revenues increased $5.6 billion to $91.8 billion

In 2020–21, the State’s total revenues increased by $5.6 billion to $91.8 billion, 6.5 per cent higher than previous year. A decrease of 0.3 per cent was recorded in 2019–20. The main contributors to the increase in the State's revenues were an increase in taxation revenue of $4.6 billion and an increase in grants and subsidies of $1.4 billion when compared to the prior financial year.

Taxation revenue increased by 15.3 per cent

Taxation revenue increased by $4.6 billion, mainly due to:

• $2.9 billion higher stamp duties collected from property sales driven by:
  • $2.7 billion increase in contracts and conveyance duties (transfer duties) from both higher transaction volumes and strong property price growth during 2020–21
  • $200 million increase in motor vehicle registration duty driven by increases in new vehicle sales
• $520 million higher Gambling and Betting Taxes was earned as 2019–20. The previous year's revenues were impacted by club and hotel closures due to COVID-19. The operation of these venues in 2020–21 returned to normal for most of the year resulting in higher club gaming tax revenue of $216 million and hotel gaming taxes of $265 million
• $439 million higher collections of payroll taxes. The previous year's revenues were impacted by tax relief measures implemented by the government in response to COVID-19. Lower payroll tax was collected in 2019–20 as employment levels dropped during the State’s first lock down
• $416 million higher land tax revenues, driven by an average 3.2 per cent increase in valuer general land values, which are the basis for determining land tax values.

Stamp duties of $11.7 billion remains the largest source of taxation revenue, $2.9 billion higher than payroll tax of $8.8 billion, the second-largest source of taxation revenue.

Expenses increased $4.1 billion to $101 billion

The State’s expenses increased 4.3 per cent compared with 2019–20. Most of the increase was due to higher employee expenses, depreciation and amortisation, other operating costs and grants and subsidies expense.

Employee expenses, including superannuation, increased 3.6 per cent to $44.1 billion

Salaries and wages increased to $36.3 billion ($34.8 billion in 2019–20). This was mainly due to increases in staff numbers and an average increase of approximately three per cent in the cost of NSW's employees across the sector. Salaries and wages for the Education and Health sectors increased by $511 million and $619 million respectively.

The Health sector employed an additional 4,893 full time staff in 2020–21 (2,763 in 2019–20) and incurred an extra $28 million in overtime mainly in response to COVID-19. Education increased staff numbers by 2,418 full time equivalents in 2020–21 (4,866 in 2019–20). This year, the health and education sectors received a 0.3 per cent award increase in pay rates.

The Public Service Commission (PSC) noted in the ‘State of the NSW Public Sector Report, 2021’ that the government sector senior executive headcount increased by 347 to 3,680 (3,333 in 2019–20). The Transport cluster represented the majority of the increase in the government sector's senior executive headcount, with an increase of 182. The PSC report noted the increase was due to the growing portfolio of major transport infrastructure projects.

Historically, the government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.

Depreciation and amortisation expense increased 7.6 per cent to $10.3 billion

Depreciation and amortisation increased to $10.3 billion in 2020–21 ($9.6 billion in 2019–20). This increase was mainly driven by the depreciation of completed infrastructure projects including the State’s WestConnex M8 and M5 East Motorways, and other road projects such as Woolgoolga to Ballina project. This year also includes twelve months of depreciation relating to the CBD and South-East Light Rail versus six months in the previous financial year.

Furthermore, the first time adoption of AASB 1059 ‘Service Concession Arrangements’ resulted in the State recognising $45.4 billion of service concession assets in its capacity as grantor under arrangements with operators. More than 87 per cent of this balance was recognised by the Transport cluster. These assets are valued at current replacement cost and are depreciated on an annual basis. A service concession arrangement is an arrangement whereby the government as grantor, contracts with an operator to develop (or upgrade), operate and maintain the grantor's public service assets such as roads, bridges or hospitals. The grantor controls or regulates what services the operator must provide using the assets, to whom, and at what price. The grantor also retains any significant residual interest in the assets at the end of the arrangement. Further details about AASB 1059 are included in the ‘Implementation of new accounting standards’ section of this report.

Grants and subsidies increased $1.5 billion to $15.6 billion

The increase in grants and subsidies is due to payments made by the State in supporting businesses and local communities in response to COVID-19. These mainly included $240 million in Dine & Discover voucher payments, $156 million in land tax relief assistance, $160 million increase in grants to non-government schools (including $31 million to support Covid intensive learning support programs), and $109 million relating to small business grant payments.

The State also transferred $592 million in newly constructed assets to local councils. These mainly related to $378 million in assets transferred following completion of WestConnex stage 2 and $180 million from Northern Roads.

Other operating expenses increased two per cent to $27.5 billion

Operating expenses increased to $27.5 billion in 2020–21 ($26.9 billion in 2019–20) due to higher operating activities as agencies responded to the pandemic.

Supplies and Other Services increased by $1.7 billion. This was mainly due to funding of $533 million in hotel quarantine and associated services, and $495 million in medical equipment for the health sector.

Inventories consumed increased by $266 million. This included $217 million in COVID-19 medical equipment that was written off because it had expired or did not meet the TGA regulatory standards. Contractor expenses increased by $306 million because of increased capital works activity, primarily in the Transport sector.

The increase was offset by $1.6 billion in lower insurance claims expense. In 2019–20 financial year, higher claims were made in respect to natural disaster events, including bush fires.

Health costs remain the State’s highest expense

Total expenses of the State were $101 billion ($96.4 billion in 2019–20). In 2020–21, Health remains the highest contributor of expenses for the State with $25.7 billion ($24.2 billion in 2019–20). Education remains the second highest contributor of expenses reporting $18.4 billion in 2020–21 ($17.5 billion in 2019–20).

The following sectors have the highest expenses as a percentage of total State expenses:

• Health – 25.6 per cent (25.1 per cent in 2019–20)
• Education – 18.3 per cent (18.2 per cent in 2019–20)
• Transport – 14.5 per cent (13.3 per cent in 2019–20).

Assets grew by $12.3 billion to $526 billion

The State’s assets include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $12.3 billion to $526 billion. This was a 2.4 per cent increase compared with 2019–20, mostly due to changes in asset carrying values.

Valuing the State’s physical assets

State’s physical assets valued at $391 billion

The value of the State’s physical assets increased by $1.7 billion to $391 billion in 2020–21 ($37.9 billion increase in 2019–20). The State’s physical assets include land and buildings ($172 billion), infrastructure systems ($202 billion) and plant and equipment ($16.7 billion).

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include assets reclassified to held for sale and other opening balance adjustments.

Liabilities increased $16.4 billion to $291 billion

The State borrowed additional funds in response to COVID-19

The State’s borrowings rose by $15.8 billion to $134 billion at 30 June 2021. This accounted for most of the increase in the State’s total liabilities.

The value of TCorp bonds on issue increased by $16.8 billion to $114 billion, which largely funded the State's capital expenditure and response to the COVID-19 pandemic.

TCorp bonds are traded in financial markets and are guaranteed by the NSW Government.

Over 2020–21, TCorp continued to take advantage of lower interest rates, buying back short-term bonds and replacing them with longer dated debt. This lengthens the portfolio matching liabilities with the funding requirements for infrastructure assets.

The State’s fiscal objective published in the 2021–22 Budget Papers is to repair the operating position by returning the budget to surplus by 2024–25 and rebuilding balance sheet capacity by bringing net debt down towards seven per cent of Gross State Product (GSP) over the medium-term. The State measures net debt as the sum of deposits held, government securities, loans payable and other borrowings, less the sum of cash and deposits, advances paid and investments, loans receivable and placements.

The chart below shows the actual net debt to GSP for NSW compared to the Commonwealth net debt to Gross Domestic Product (GDP) over the past six years. The trend shows an increase in net debt, particularly in the past two years, which is mainly driven by additional borrowings needed to fund stimulus measures when responding to COVID-19 and natural disaster relief.

GSF Act and GSF Regulation

Financial reporting provisions in the Government Sector Finance Act 2018 (GSF Act) have now commenced

From 1 July 2021, the Public Finance and Audit Act 1983 (PF&A Act) financial reporting provisions were repealed. Agencies prepared their 2020–21 financial statements under Part 7 of the GSF Act. They were audited under the Government Sector Audit Act (GSA Act). The GSF Act requires the timeframe for annual financial statement submission be specified in the Treasurer’s Directions.

Under the GSF Act, all reporting GSF agencies are required to prepare annual financial statements, unless exempt from the definition of a reporting agency under the Government Sector Finance Regulation 2018 (GSF Regulation). Those agencies exempt from preparing financial statements include certain small agencies, Crown Land Managers, special purpose staff agencies and retained State interests. These agencies must meet prescribed requirements or thresholds and self-assess each year to determine whether they remain exempt against the criteria in the GSF Regulation.

Most of the financial reporting provisions of the GSF Act have now commenced except for requirements concerning special deposit accounts (SDA) and special purpose financial reports, which are scheduled to commence on 1 July 2023, subject to approval from the Governor.

The GSF Act now includes most of the provisions applicable to GSF agencies, as requirements for appropriations, expenditure, financial services, and other matters were enacted on 1 December 2018 and 1 July 2019.

Once fully commenced, the GSF Act will consolidate and replace reporting provisions of four Acts:

• PF&A Act
• Public Authorities (Financial Arrangements) Act 1987
• Annual Reports (Departments) Act 1985
• Annual Reports (Statutory Bodies) Act 1984.

GSA Act and GSA Regulation

The PF&A Act was renamed the GSA Act on 1 July 2021 and now only contains provisions relating to the Auditor-General and the Audit Office, the audit of government sector finances and governance of the Public Accounts Committee.

Of note in the renamed GSA Act is that:

• a new principal object was added that specifically provides the Auditor-General is an independent and accountable statutory officer
• the previous financial reporting provisions in the PF&A Act were repealed as the financial reporting provisions are contained in Part 7 of the GSF Act. As a result, there are no longer financial reporting provisions in the GSA Act
• a new section 34 was added, which contains the requirements for the audit of State sector agencies’ financial statements. These were previously contained in two separate sections.

The GSA Regulation commenced on 1 July 2021, replacing the Public Finance and Audit Regulation 2015 (PF & A Regulation). The GSA Regulation contains the list of entities, funds and accounts prescribed for the purpose of audits under the GSA Act.

Inconsistencies exist in the GSF Act and GSA Act related to key statutory timeframes

There are inconsistencies between key statutory timeframes imposed on the Treasurer and Auditor-General in the GSF Act and GSA Act which has been brought to the attention of NSW Treasury. The inconsistencies identified include:

• Section 34(3)(a) of the GSA Act defines the audit period for the Statements be as soon as practicable after the Auditor-General is given the Statements. This appears to be inconsistent with section 49(3) of the GSA Act, which requires that the Auditor-General, on or before 22 October transmit the Statements and audit report to the Treasurer. Neither provision is a paramount provision.
• Section 49(3) of the GSA Act also appears to be inconsistent with section 52(1) of the GSA Act which provides that the Statements are to be given to the Auditor-General in accordance with section 7.17 of the GSF Act. Section 7.17 of the GSF Act requires that the Statements are to be prepared and given to the Auditor-General by an agreed date to enable the audit of the Statements. Part 7 of the GSF Act is a paramount provision under section 1.8 of the GSF Act, which means the requirements in section 7.17 of the GSF Act prevail.

There are also inconsistencies in key statutory reporting timeframes imposed on the Treasurer under the GSF Act.

The audited Statements are a key accountability mechanism that provides information on the State’s financial performance and position. Ambiguity in the statutory reporting timeframes could impact on the future timely provision of this information to Parliament. As noted at the beginning of this report, the delay in issuing the audit report for the 30 June 2021 Statements was due to NSW Treasury’s resolution of accounting issues that were material to the Statements, in particular the treatment of the General Government Sectors investment in TAHE during 2020–21. NSW Treasury's management letter will include a high risk finding with regards to the inconsistencies between the GSF Act and GSA Act.

Appropriations framework

NSW Treasury lacks a framework to monitor and provide assurance to ministers that they are in compliance with their appropriation authority

The GSF Act requires that money not be paid out of the Consolidated Fund except under the authority of an Act, such as the annual Appropriation Act or GSF Act. This means a minister is only authorised to spend out of the Consolidated Fund the amount they have been appropriated by the relevant Act(s).

Generally, money is authorised to be paid out of the Consolidated Fund either through:

• The Annual Appropriation Act - this is an act to appropriate out of the Consolidated Fund sums for the services of the government for the relevant financial year. These appropriations are made to the responsible ministers of principal departments, Special Offices and certain SDAs.
• The GSF Act - this act allows the responsible minister of a GSF agency to be given an appropriation out of the Consolidated Fund, at the time the agency receives or recovers any deemed appropriation money. Deemed appropriation money is defined in section 4.7(3) of the GSF Act.

Ministers can delegate and sub-delegate appropriation expenditure functions to accountable authorities and officers of GSF agencies. Any spending by accountable authorities and officers of GSF agencies in excess of the amount appropriated to their relevant minister would be made contrary to section 4.6(1) of the GSF Act.

The Budget Papers are an additional mechanism by which the government controls the level of expenditure by agencies both at the individual and departmental administrative cluster level. The Budget Papers set an administrative limit imposed by the government. Separately, the Treasurer can issue a Budget control authority under section 5.1 of the GSF Act. A Budget control authority can regulate expenditure of money by GSF agencies in a variety of ways, as set out in section 5.1(2) of the GSF Act.

In July 2021, NSW Treasury advised the Audit Office that it had received advice from the Crown Solicitor's Office, in January 2021, that payments between agencies in different administrative clusters would not meet the definition of a 'deemed appropriation' under the GSF Act by the receiving agency. This applies to money paid and received by two agencies across different administrative clusters that continue to hold the money in the Consolidated Fund. These intra-government receipts increase the amount an agency has available to spend, without there being a corresponding increase in the responsible minister’s appropriated expenditure limits, thus increasing the risk an agency’s expenditure could cause a minister to exceed their appropriated expenditure authority.

After being made aware of the issue, the Audit Office worked with NSW Treasury officers to clarify potential implications. The Audit Office also obtained further advice from the Crown Solicitor’s Office to clarify certain aspects of the appropriations framework more broadly. In the advice to the Audit Office, the Crown Solicitor advised that an agency is not subject to its own legally appropriated expenditure limit (assuming it is not subject to any annual spending limit imposed through an instrument of delegation or a budget control authority issued by the Treasurer under section 5.1 of the GSF Act). In effect, because responsible ministers are given appropriations, these legal expenditure limits, rest in aggregate, with the principal department and agencies the minister is responsible for. The advice also confirmed:

• a deemed appropriation for the services of an agency would ordinarily be available for the services of other agencies, if the officers of the other agencies had a delegation from the minister(s) to expend the deemed appropriation and funds remained available under those deemed appropriations
• that the ‘exhaustion’ of a minister’s appropriation may be precipitated by one agency’s level of expenditure in the financial year, but the effect is that the relevant appropriation is exhausted for all agencies (and their officers) that may otherwise rely on it
• whether expenditure by an agency occurred beyond the scope of its authority would require a progressive examination of the total amounts expended from the minister’s appropriation
• amounts expended from the Consolidated Fund without the authority of an appropriation are spent contrary to section 4.6(1) of the GSF Act
• a minister is responsible to Parliament for (i) the manner in which appropriations are expended, and (ii) any ‘overspends’ (that is, expenditure without authority) by agencies for which they are responsible.

Determining whether expenditure has occurred without the authority of an appropriation is complex and it is not possible for an individual agency to monitor or determine at what ‘point in time’ expenditure has been incurred in excess of the minister’s appropriation authority. As noted earlier, there are mechanisms in place to manage agencies' administrative expenditure limits set by the Budget Papers, but there is no mechanism in place to ensure expenditure by agencies does not exceed a minister’s appropriation authority received under the annual Appropriations Act and GSF Act.

In addition, principal departments and agencies that hold money in the Consolidated Fund are required by Australian Accounting Standard AASB 1058 'Income of Not-for-Profit Entities' and NSW Treasury Circular TC20/08 'Mandates of options and major policy decisions under Australian Accounting Standards' to prepare a Summary of Compliance in their financial statements. The Summary of Compliance applies to agencies that obtain part or all of their spending authority from a Parliamentary appropriation. It is intended to provide information on the amounts appropriated or authorised for an agency’s use and whether those expenditures were authorised. There remains uncertainty around how the Crown Solicitor’s Office advice received by the Audit Office impacts these disclosures, as the total spending authority given by Parliamentary appropriations and expenditure against these appropriations cannot generally be attributed to an individual agency. Such a scenario is not contemplated by the relevant Australian Accounting Standard. NSW Treasury's management letter will include high risk findings about improving mechanisms in place to manage agencies administrative expenditure limits, uncertainties related to appropriation spending authority on agencies summary of compliance disclosures.

Delegations to incur expenditure

Further to last year's reporting, some agencies have again spent monies without an authorised delegation

The delegation to incur expenditure is an important accountability mechanism of responsible government.

Last year’s Report on State Finances reported instances where government agencies did not understand or correctly apply the requirements of the GSF Act for deemed appropriations, resulting in some agencies spending deemed appropriations money without an authorised delegation from the relevant minister(s) as required by sections 4.6(1) and 5.5(3) of the GSF Act.

This year’s financial audits identified that further agencies: TAFE Commission, Multicultural NSW and the Office of the Ageing and Disability Commissioner spent money received from an annual Appropriation and/or deemed appropriation money without an authorised delegation from the relevant minister(s), as required by sections 4.6(1) and 5.5(3) of the GSF Act. NSW Treasury's management letter will include high risk issues about improving mechanisms in place to ensure agencies have appropriate delegations in place to spend Appropriation and/or deemed appropriation money.

In addition, the audit of the Jobs for NSW Fund (the Fund) special purpose statements identified that five payments from the Fund were authorised by an officer without the necessary delegation from the minister as required by section 14 of the Jobs for NSW Act 2015 and sections 5.5(2) and 5.5(3) of the GSF Act.

Implementation of new accounting standards

This year, the State implemented the requirements of AASB 1059

AASB 1059 ‘Service Concession Arrangements: Grantors’

AASB 1059 is an Australian Accounting Standard that requires public sector entities (grantors) that enter service concession arrangements with private sector operators for the delivery of public services recognise service concession assets and liabilities in their financial statements. The standard was effective from 1 July 2020.

AASB 1059 requires a grantor to:

• recognise an asset provided by the operator as a service concession asset if the grantor controls the asset
• initially measure the service concession asset at current replacement cost (CRC) in accordance with AASB 13 ‘Fair Value Measurement’
• recognise a corresponding liability measured initially at the fair value (CRC) of the service concession asset, adjusted for any consideration between the grantor and the operator
• make sufficient disclosure in the financial statements so that users can understand the nature, amount and timing of assets, liabilities, revenue and cash flows arising from these.

The adoption of AASB 1059 increased the State’s total assets and liabilities by $19.5 billion and $19.6 billion respectively, with net worth reducing by $131 million at 1 July 2019

The State adopted a modified retrospective approach when adopting AASB 1059 and recognised and measured service concession assets and liabilities at the date of initial application of 1 July 2019, with any net adjustments recognised in accumulated funds at that date. This means comparatives were restated to reflect the impact of AASB 1059.

Most of the service concession assets recognised by the State related to Property, Plant & Equipment, in particular infrastructure assets.

Agencies had to devote significant effort to implement AASB 1059 and ensure their 2020–21 financial statements materially complied with the standard's requirements. Last year, the Audit Office highlighted advance preparation was key to ensuring agencies effectively transitioning to this new standard. Despite the new standard being issued well in advance of its commencement date, Sydney Water Corporation, Department of Customer Service, Transport for NSW (TfNSW) and TAHE did not prepare sufficiently for their respective implementations.

Whilst most agencies in 2019–20 had commenced assessing their existing commercial arrangements to determine whether they were within the scope of AASB 1059, calculating and posting the accounting entries to support the implementation of this standard was delayed for TfNSW. TfNSW had not finalised its opening balance adjustments in time for the Audit Office’s early close review. Critical assessments of AASB 1059 to identify the accounting implications for the Transport sector, in particular TfNSW and TAHE were still being considered as late as 30 September 2021.

Restart NSW

Restart NSW was established in 2011 to fund the State’s major infrastructure projects

Restart NSW funds Rebuilding NSW, the government’s 10-year plan to invest $23 billion in new infrastructure. Its infrastructure projects, including Sydney Metro West and Parramatta Light Rail, are primarily funded by proceeds from the government’s asset recycling program. The Restart Fund had a balance of $12.4 billion at 30 June 2021 ($15 billion in 2019–20).

The Fund paid $3.8 billion for infrastructure projects in 2020–21 ($4.3 billion in 2020–21). The largest payments were for transport projects, including Sydney Metro West, Parramatta Light Rail, and contributed $319 million of the $2.4 billion equity contribution to the Transport Asset Holding Entity (TAHE).

The funds are invested in the NSW Infrastructure Future Fund (NIFF), which is allowed under the Restart NSW Fund Act 2011 (Restart Act). The NIFF is an investment vehicle for the fund to help the NSW Government meet its infrastructure objectives and this fund is managed by TCorp. In 2020–21, the fund earned a net return of 7.9 per cent, higher than its annual benchmark return of 4.2 per cent, benefiting from improved returns in financial markets over 2020–21.

The fund directed 30.1 per cent of its payments towards rural and regional infrastructure projects in 2020–21

The Restart Act requires the fund to report on the percentage of payments directed to rural and regional infrastructure projects and whether this represents at least 30 per cent of the total payments from the fund. The Restart NSW Fund Amendment (Rural and Regional Infrastructure Funding) Bill 2020 introduced in Parliament in 2020 would amend the Restart Act by requiring at least 30 per cent of the total payments each financial year and for the life of the Restart NSW Fund be made on infrastructure projects in rural and regional areas.

This year the fund exceeded its target of directing at least 30 per cent of funding towards rural and regional infrastructure projects. However, since the funds’ commencement, only 23 per cent of total payments went towards rural and regional infrastructure projects. Current projections for the life of the fund indicate only 27.5 per cent of funding will be spent on rural and regional projects, which is below the funds target of 30 per cent target for the life of the fund.

Audit Office’s work plan for 2021–22

The Audit Office’s 2021–22 work plan focuses on the State’s response, recovery and impact from the COVID-19 pandemic and natural disaster emergencies

The COVID-19 pandemic continues to have a significant impact on the people and the public sector of New South Wales. Government continues to assist communities in their recovery from the 2019–20 bushfires and subsequent flooding. The scale of government responses to these events has been significant and has required a wide-ranging response involving emergency response coordination, service delivery, governance and policy.

Significant resources have been directed toward these responses, and in assisting rebuilding and economic recovery. Some systems and processes have changed to reflect the need for quick responses to immediate needs. The increasing and changing risk environment presented by these events has meant that we have recalibrated and focused our efforts on providing assurance on how effectively aspects of these emergency responses have been delivered. This includes financial and governance risks arising from the scale and complexity of government responses to these events.

While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. We will take a phased approach to ensuring that our work addresses the following elements of the emergencies and government responses:

Appendix one – Prescribed entities

Appendix two – Legal opinions

Appendix three – TSS sectors and entities
 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Customer Service cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the ‘Report on State Finances’ focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the ‘Report on State Finances’ has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Customer Service cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Customer Service cluster agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Customer Service cluster agencies.

The number of monetary misstatements decreased from 48 in 2019–20 to 46 in 2020–21.

Seven out of eight agencies did not complete all mandatory early close procedures.

What the key issues were

Upon the implementation of AASB 1059 'Service Concession Arrangements: Grantors', the Department of Customer Service (the department) recognised a service concession asset, the land titling database, totalling $845 million for the first time at 1 July 2019.

The department reported several retrospective corrections of prior period errors.

The 2020–21 audits identified three high-risk and 59 moderate risk issues across the cluster. The high-risk issues were related to:

• the Department of Customer Service – internal control qualifications and control deviations in GovConnect service providers
• the Department of Customer Service – significant control deficiencies in information technology change management controls
• Rental Bond Board – uncertainties in the accounting treatment of rental bonds.

The percentage of repeat issues we report to management and those charged with governance in management letters increased from 29 per cent in prior year to 42 per cent in 2020–21 while the number of items decreased from 94 to 93.

The magnitude and number of internal control exceptions in GovConnect service providers increased resulting in additional audit procedures to address the risks of fraud and errors in the financial statements.

What we recommended

The department should improve the validation process of key valuation assumptions and inputs provided by the private operator NSW Land Registry Services. It should revisit its accounting treatment of new land titling records.

The department should ensure GovConnect service providers prioritise the remediation of control deficiencies in information technology services.

The department should continue to improve controls in cyber security management.

Cyber Security NSW and NSW Government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency.

The New South Wales Government Telecommunications Authority should improve its fixed assets management and financial reporting process to accommodate its growing fixed assets profile.

This report provides Parliament and other users of the Customer Service cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Customer Service cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Customer Service.

Findings reported to management

Forty-two per cent of findings reported to management were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 93 findings raised across the cluster (94 in 2019–20). Forty-two per cent of all issues were repeat issues (29 per cent in 2019–20).

The most common repeat issues related to weaknesses in controls over information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating. 

2020–21 audits identified three high-risk findings

High-risk findings, including repeat findings, were reported at the following cluster agencies. One of the 2019–20 high-risk findings were not resolved.

The number of moderate risk findings increased from prior year

Fifty-nine moderate risk findings were reported in 2020–21, which was a 11.3 per cent increase from 2019–20. Of these, 26 were repeat findings, and 33 were new issues.

Moderate risk findings include:

• weaknesses in user access management, such as untimely access removal for terminated staff, and a lack of periodic user access review
• accounting for leases such as the review of extension options, assessing indicators of impairment and reviewing the lease reports for completeness and accuracy
• formalising arrangements between agencies including corporate service arrangements, funding arrangements, leases, use of SAP system and computer assets
• use of purchasing cards where our data analytics performed indicated potential gaps and controls and non-compliance with government policies.

The magnitude and number of internal control exceptions in GovConnect service providers have increased

In 2015, the NSW Government selected Unisys Australia Pty Limited’s (Unisys) as an information technology (IT) outsourced service provider and Infosys Limited (Infosys) as a business process outsourced service provider. The outsourced services arrangement was branded GovConnect NSW (GovConnect). The Department of Customer Service (the department) is the contract authority for the NSW Government. In 2019, the NSW Government transitioned a number of Unisys’ IT services progressively to the department and ceased all Unisys's IT services in May 2021. In 2020-21, Infosys, Unisys and the Department were co-providers of business processes and information technology services that constitute the GovConnect environment.

The role of the department has changed significantly from a coordinating agency on behalf of GovConnect customers to a GovConnect IT service provider. The department is responsible for the remediation of control deficiencies and continuous improvement in GovConnect internal control environment.

The department leads the project management of GovConnect services, including the arrangement to provide internal control assurance reports to customers in 2020–21. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at GovConnect service providers in accordance with Australian Standard on Assurance Engagements 3402 'Assurance Reports on Controls at a Service Organisation' (ASAE 3402). The service auditor reports on the internal controls at a service organisation, which are relevant to a user entity's internal control environment.

The service auditor issued eight ASAE 3402 reports covering business processes controls and information technology general controls (ITGC) provided by the service providers. Four out of eight reports were qualified, a significant increase from previous years.

The table below shows the service auditor's ASAE 3402 opinions issued in various business processes and information technology services provided by service providers for the last five years.

In 2020–21, the information technology services controls reports issued to the department, Infosys and Unisys were qualified. Infosys' accounts receivable business process controls report was also qualified. The audit qualifications were because:

• the service auditor did not get access to the complete set of records processed during the financial year for several ITGC controls. The system that stored these records was hosted at Unisys. From December 2019 to 28 May 2021, the services at Unisys were progressively migrated to the department's IT environment but this system could not be migrated to the department in the required format, resulting in audit scope limitation for service auditors
• of the deviations identified during sample testing of ITGC controls
• the monthly follow up of outstanding receivables was not performed regularly, which was the only key control to address the timely collection of accounts receivable.

Internal control exceptions in GovConnect information and technology services require urgent remediations

The relevant controls over user access, system changes and password controls failed in all three ASAE 3402 GovConnect ITGC reports. These control failures can lead to unauthorised system access, system and configuration changes (workflow approvals, three-way match, etc.) and modifications to key reports. It increases the risk of:

• fraud and error in the financial statements
• ineffective segregation of duties controls
• accuracy and completeness of system generated reports for the agencies using the SAPConnect system.

The table shows the number of ITGC control deviations compared to prior year:

Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

The service auditor identified significant areas for remediation:

• governance arrangement of the IT services
• user access management controls
• SAP database controls
• logical access
• incident management.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable. The data analytics identified several terminated employees that were paid long after their termination dates which resulted in salary overpayments during 2020–21. While management had put processes in place to recover these overpayments, the payroll processing controls need to be improved to prevent such overpayments.

The Department of Customer Service advised that it established a ‘Control Reframe Project’ (the project) to address the internal control exceptions at GovConnect service providers. The objective of the project is to ensure the GovConnect assurance model is aligned with clear lines of responsibility and remediation actions are in place to support the delivery of services and achieve an improved outcome for future years.

The NSW Public Sector's cyber security resilience needs urgent attention

The 2020 'Central Agencies' Report to Parliament highlighted the need for Cyber Security NSW, a business unit within the Department of Customer Service, and NSW Government agencies to prioritise improvements to their cyber security resilience as a matter of urgency. A status update of the 2020 recommendation is included in Appendix five of this report.

The Audit Office's Annual Work Program identifies cyber security as a focus area for the Audit Office in 2021–24. It outlines a three-pronged approach to auditing cyber security in this period:

• considering how agencies are responding to the risks associated with cyber security across our financial audits across the NSW public sector
• examining the effectiveness of cyber security planning and governance arrangements for large NSW state government agencies for our Internal Controls and Governance report
• conducting deep-dive performance audits of the effectiveness of specific agency activities in preparing for, and responding to cyber security risks.

A performance audit 'Managing cyber risks' was tabled in Parliament in July 2021. The audit made several recommendations to audited agencies to uplift their cyber security management. It also recommended the Department of Customer Service to:

• clarify the requirement of the NSW Cyber Security Policy (CSP) reporting to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

A compliance audit 'Compliance with the NSW Cyber Security Policy' was tabled in October 2021. The audit examined whether agencies are complying with the NSW Cyber Security Policy to ensure all NSW Government departments and public service agencies are managing cyber security risks to their information and systems.

The report found that key elements to strengthen cyber security governance, controls and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW Government agencies. The poor levels of cyber security maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy agencies will have to invest in technical uplift and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

The report noted that the CSP was not achieving the objective of improved cyber governance, controls and culture. The compliance audit made several recommendations to Cyber Security NSW and other NSW Government agencies.

The 2021 maturity self-assessment results against the Australian Cyber Security Centre Essential 8 for the 25 largest NSW State Government agencies are reported in the 2021 'Internal Control and Governance' Report to Parliament.

Management of cyber security risk

Our 2020-21 financial audit assessed whether cyber security risks represent a risk of material misstatement to the department's own financial statements. A request performance audit 'Service NSW's handling of personal information' was tabled on 18 December 2020. The audit followed two cyber security incidents that resulted in data breaches of customer information. As part of our audit procedures, we obtained an understanding of the controls the department has in place to address the risk of cyber security incidents and respond to any incidences which may have occurred during the year, including its impact on the audit.

Our assessment of the department’s own cyber risk management shows that:

• an approved security incident response plan was not in place during the reporting period. There was a lack of testing over incident detection and monitoring process
• a formal process over patch management that includes assessment, determining relevance and priority, timely rollout and escalation and reporting of long outstanding patches to senior management is being established.

The department provides information security services including cyber security management to cluster agencies. We found that there were insufficient communications within the Customer Service cluster over the controls and assurance over cyber security risk management. Some cluster agencies had put in place limited controls over cyber security risk management.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Status of 2020 recommendations

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

The Auditor-General for New South Wales, Margaret Crawford, has today released a report on Transport for NSW’s (TfNSW) acquisition of 4–6 Grand Avenue in Camellia.

This audit, which was requested on 17 November 2020 by the Hon. Andrew Constance MP, the Minister for Transport and Roads, examined:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

The audit found that TfNSW conducted an ineffective process when it purchased 4–6 Grand Avenue, Camellia. The audit also found that TfNSW’s internal policies and procedures to guide the transaction were, and continue to be, insufficient.

The Auditor-General has made seven recommendations to address the issues identified in the report.

On 17 November 2020, the Hon. Andrew Constance MP, the Minister for Transport and Roads, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983.

On 15 June 2016, Transport for New South Wales (TfNSW) acquired 6.3 hectares of land at 4–6 Grand Avenue, Camellia, by agreement from Grand 4 Investments Pty Ltd. Grand 4 Investments was a business entity established by the owners of Billbergia Pty Ltd, a property development and investment company.

TfNSW paid Grand 4 Investments $53.5 million and assumed liability for addressing environmental issues and contamination associated with the site. This took place seven months after the vendor acquired the land as part of a competitive Expression of Interest process, in which TfNSW also participated, for $38.15 million.

TfNSW is the NSW Government agency responsible for most major transport infrastructure projects in New South Wales. TfNSW acquired the Camellia site for use as a stabling and maintenance depot to support the Parramatta Light Rail (PLR) project.

Consistent with the minister’s request, this audit assessed:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

In considering the effectiveness of the processes for this purchase, the audit considered:

• the requirements of the Land Acquisition (Just Terms Compensation) Act 1991 (the Act)
• the application of sound processes to manage risk to the NSW Government and to achieve value for money
• the application of disciplines associated with complex procurement, such as probity, in a NSW Government context.

In 2015, TfNSW identified that it would require a stabling and maintenance depot in the Camellia area for the Parramatta Light Rail

In 2014, TfNSW commissioned an external engineering consultancy to undertake a feasibility design study for the Parramatta Light Rail - the Parramatta Transport Corridor Strategy Feasibility Design study (herein referred to as ‘the feasibility study’). In early 2015, TfNSW received the feasibility study, which was one of several key sources that informed the development of business cases for the PLR.

The feasibility study recommended that TfNSW should consolidate the maintenance and cleaning operations with overnight stabling facilities on one site. The study noted that the optimal location for any such site would be in close proximity to the proposed network, and noted that the site must have access to road connections to accommodate access for cars and trucks.

The study found that a centrally located stabling and maintenance facility would be required for all routes serving the Parramatta CBD, and that the Camellia industrial area was a preferred location for such a facility. The study noted that the Camellia area was contaminated.

The feasibility study notes that its conclusions were based on assumptions about the light rail system adopted and decisions made by the future operator of the system, who had not yet been selected or appointed.

TfNSW's decision to progress a potential acquisition in 2015 considered the risk that the site may not be required

TfNSW's FIC was responsible for making decisions on funding allocations at a whole of program level within TfNSW. FIC was also responsible for approving ‘high-risk/high-value’ variations to program budgets. Members of the FIC included:

• Secretary of Transport for NSW
• Deputy Secretary, Infrastructure and Services
• Deputy Secretary, Freight, Strategy and Planning
• Deputy Secretary, Customer Services
• Deputy Secretary Finance and Investment
• Deputy Secretary People and Corporate Services.

An April 2015 submission, from the then Deputy Director-General to the agency’s FIC, sought authorisation and funding approval to participate in an Expression of Interest sale process. It noted the risk that the project may not go ahead. The submission advised that:

By acquiring a strategic site now, it reduces the risk of having to pay an improved value or a value that may be subject to rapidly improving land values due to changes in land use and rezoning.

The property can be acquired for the project, held strategically and income generated by leasing the site as hardstand ¹ space until the project requires the land for the Parramatta Light Rail project.

If the project does not proceed in the medium to longer term, the property can be sold at a premium to what has been paid today as property fundamentals improve.

This submission acknowledged the risks associated with environmental contamination and proposed that these risks would be managed by negotiating a contract where the remediation and associated expenses would be at the landowner’s cost. 

TfNSW assessed the 4–6 Grand Avenue site as one of several sites in Camellia that was a feasible location for a stabling and maintenance facility

The Departmental feasibility study assessed six potential sites for a stabling and maintenance facility, including 4–6 Grand Avenue, noting strengths and weaknesses of each site. A different site on Grand Avenue was assessed as the ‘base case’ option (1 Grand Avenue). The study’s comments on the 4–6 Grand Avenue site included the following:

With an area of approximately 63,000m², this site has sufficient space for a depot with the required stabling yard and maintenance facilities. The location allows for good road access and LRT [light rail transit] access would be from Grand Avenue, which may require a road crossing or signalised intersection. The site has been used for general industrial uses; however the land has been cleared and is currently undergoing remediation ². The site is not affected by flooding based on one in 100-year flood data.

In early 2015, once the opportunity to acquire 4–6 Grand Avenue emerged, TfNSW commissioned a specific feasibility study of the 4–6 Grand Avenue site. The feasibility studies clearly documented the existence of environmental contamination. In April 2015, the report concluded:

Given the limitations of this report and within the parameters that have been set it is concluded that from a spatial and geographic perspective the site at 6 Grand Avenue would be suitable as a stabling and maintenance depot for the Parramatta light rail project. There are few engineering and environmental constraints that would affect the feasibility level analysis of this site and all issues identified, within this desk study, are considered to be resolvable. However this being said there is a significant amount of work necessary to reach the final layout and definition of the stabling and maintenance depot. There are numerous items which require further consideration and conformation; planning approvals could impose restrictions on building heights, noise mitigation measures, light and visual impact requirements all of which can have significant impacts on the spatial requirements of any stabling and maintenance depot. 

The acquisition of 4–6 Grand Avenue was not informed by a Property Acquisition Strategy

For major projects, TfNSW typically requires the project team to complete a Property Acquisition Strategy, which is intended to guide both process as well as specific acquisition issues expected to be faced during the project. The Property Acquisition Strategy is not a mandated document but is a recommended tool to support property acquisition as part of major projects.

TfNSW did not have a Property Acquisition Strategy in place to guide the 2015 Expression of Interest process. On 6 November 2015, the then Project Director for the PLR project emailed the property team, noting a need to develop a Property Acquisition Strategy to close off the scoping design and preliminary business case.

In January 2016, TfNSW developed a draft Property Acquisition Strategy for the Parramatta Light Rail Project, although it was silent on the potential sites for the stabling and maintenance facility.

TfNSW focussed on 4–6 Grand Avenue because it was available and aligned to TfNSW's strategic interests

In early 2015, officials commenced monitoring the market for industrial real estate in the Camellia area and surrounds for possible sites for a stabling and maintenance facility.

In March 2015, then owner of the site, Akzo Nobel Pty Limited released the 4–6 Grand Avenue site through an Expression of Interest process managed by CBRE.

TfNSW’s then Deputy Director-General, Planning, sought approval from FIC to lodge an Expression of Interest up to $30.0 million. Approval was sought on the basis that it would ‘provide certainty for the Parramatta Light Rail project by allowing for a depot site in a suitable location and potentially avoid higher costs or longer timeframes associated with compulsory acquisition following completion of the project’s business case’. FIC approved the request at its meeting on 9 April 2015.

At this time, TfNSW had not conducted any analysis of financial or operational benefits and costs of the potential sites identified in earlier feasibility studies. TfNSW staff advised us that the decision to participate in the Expression of Interest process for 4–6 Grand Avenue was because it was available. There is no documentation substantiating this statement, which TfNSW staff provided verbally as part of this audit.

In November 2015, TfNSW was advised that it was unsuccessful in the Expression of Interest process and that Grand 4 Investments (a related entity of Billbergia) had purchased 4–6 Grand Avenue. TfNSW did not conduct any further analysis of alternative potential sites in Camellia between this date and commencing discussions with Grand 4 Investments in April 2016. In that time there had been some movement on other properties that were included in the feasibility study, including 37–39a Grand Avenue being under offer in September 2015.

In March 2016, TfNSW approached CBRE to organise a meeting with Grand 4 Investments. On 1 April 2016, TfNSW met with Grand 4 Investments.

TfNSW advises that a perceived benefit of the 4–6 Grand Avenue site was that it was not subject to other uses or leaseholds that would increase the cost of compulsory acquisition. Officers involved in the acquisition advised that other nominated sites in the feasibility study were subject to other uses or leaseholds. 

Appendix one – Response from agency 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #349 - released (18 May 2021).

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Transport cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

• financial and information technology controls
• business continuity and disaster recovery planning arrangements
• procurement, including emergency procurement
• delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.