What this report is about 

This report assesses how effectively SafeWork NSW, a part of the Department of Customer Service (DCS), has performed its regulatory compliance functions for work health and safety in New South Wales. 

The report includes a case study examining SafeWork NSW's management of a project to develop a realtime monitoring device for airborne silica in workplaces. 

Findings 

There is limited transparency about SafeWork NSW's effectiveness as a regulator. The limited performance information that is available is either subsumed within DCS reporting (or other sources) and is focused on activity, not outcomes. 

As a work health and safety (WHS) regulator, SafeWork NSW lacks an effective strategic and data-driven approach to respond to emerging WHS risks. 

It was slow to respond to the risk of respirable crystalline silica in manufactured stone. 

SafeWork NSW is constrained by an information management system that is over 20 years old and has passed its effective useful life. 

While it has invested effort into ensuring consistent regulatory decisions, SafeWork NSW needs to maintain a focus on this objective, including by ensuring that there is a comprehensive approach to quality assurance. 

SafeWork NSW's engagement of a commercial partner to develop a real-time silica monitoring device did not comply with key procurement obligations. 

There was ineffective governance and process to address important concerns about the accuracy of the real-time silica monitoring device. 

As such, SafeWork NSW did not adequately manage potential WHS risks. 

Recommendations 

The report recommended that DCS should: 

• ensure there is an independent investigation into the procurement of the research partner for the real-time silica detector 
• embed a formal process to review and set its annual regulatory priorities 
• publish a consolidated performance report 
• set long-term priorities, including for workforce planning and technology uplift 
• improve its use of data, and start work to replace its existing complaints handling system 
• review its risk culture and its risk management framework 
• review the quality assurance measures that support consistent regulatory decisions

Read the PDF report.

Parliamentary reference - Report number #390 - released 27 February 2024
 

What this report is about

Extreme rainfall across eastern Australia in 2021 and 2022 led to a series of major flood events in New South Wales.

This audit assessed how effectively the NSW Government provided emergency accommodation and temporary housing in response to the early 2022 Northern Rivers and late 2022 Central West flood events.

Responsible agencies included in this audit were the Department of Communities and Justice, NSW Reconstruction Authority, the former Department of Planning and Environment, the Department of Regional NSW and the Premier’s Department.

Findings

The Department of Communities and Justice rapidly provided emergency accommodation to displaced persons immediately following these flood events.

There was no plan in place to guide a temporary housing response and agencies did not have agency-level plans for implementing their responsibilities.

The NSW Government rapidly procured and constructed temporary housing villages. However, the amount of temporary housing provided did not meet the demand.

There is an extensive waitlist for temporary housing and the remaining demand in the Northern Rivers is unlikely to be met. The NSW Reconstruction Authority has not reviewed this list to confirm its accuracy.

Demobilisation plans for the temporary housing villages have been developed, but there are no long-term plans in place for the transition of tenants out of the temporary housing.

Agencies are in the process of evaluating the provision of emergency accommodation and temporary housing.

The findings from the 2022 State-wide lessons process largely relate to response activities.

Audit recommendations

The NSW Reconstruction Authority should:

• Develop a plan for the provision of temporary housing.
• Review the temporary housing waitlist.
• Determine a timeline for demobilising the temporary housing villages.
• Develop a strategy to manage the transition of people into long-term accommodation.
• Develop a process for state-wide recovery lessons learned.

All audited agencies should:

• Finalise evaluations of their role in the provision of emergency accommodation and temporary housing.
• Develop internal plans for implementing their roles under state-wide plans.

Read the PDF report

Parliamentary reference - Report number #389 - released 22 February 2024

What this report is about

Transport for NSW (TfNSW) uses the Driver vehicle System (DRIVES) to support its regulatory functions. The system covers over 6.2 million driver licences and over seven million vehicle registrations.

DRIVES first went live in 1991 and has been significantly extended and updated since, though is still based around the same core system. The system is at end of life but has become an important service for Service NSW and the NSW Police Force.

DRIVES now includes some services to other parts of government and non-government entities which have little or no connection to transport. There are 141 users of DRIVES in total, including commercial insurers, national regulators, and individual citizens.

This audit assessed whether TfNSW is effectively managing DRIVES and planning to transition it to a modernised system.

Audit findings

TfNSW has not effectively planned the replacement of DRIVES.

It is now working on its third business case for a replacement system but has failed to learn lessons from its past attempts.

In the meantime, TfNSW has not taken a strategic approach to managing DRIVES’ growth.

TfNSW has been slow to reduce the risk of misuse of personal information held in DRIVES. With its delivery partner Service NSW, TfNSW has also been slow to develop and implement automatic monitoring of access.

TfNSW uses recognised processes for managing most aspects of DRIVES, but has not kept the system consistently available for users. TfNSW has lacked accurate service availability information since June 2022, when it changed its technology support provider.

TfNSW needs to significantly prioritise cyber security improvements to DRIVES. TfNSW is seeking to lift DRIVES’ cyber defences, but it will not achieve its stated target safeguard level until December 2025.

Even then, one of the target safeguards will not be achieved in full until DRIVES is modernised.

Audit recommendations

TfNSW should:

• implement a service management framework including insight into the views of DRIVES users, and ensuring users can influence the service
• ensure it can accurately and cost effectively calculate when DRIVES is unavailable due to unplanned downtime
• ensure implementation of a capability to automatically detect anomalous patterns of access to DRIVES
• ensure that DRIVES has appropriate cyber security and resilience safeguards in place as a matter of priority
• develop a clear statement of the future role in whole of government service delivery for the system
• resolve key issues currently faced by the DRIVES replacement program including by:
  • clearly setting out a strategy and design for the replacement
  • preparing a specific business case for replacement.

Read the PDF report

Parliamentary reference - Report number #388 - released 20 February 2024

What this report is about

The report assesses whether the Department of Customer Service (the department) complied with legislation and NSW government policy when it directly negotiated with Duncan Solutions to procure backend services relating to the Park'nPay app.

The Park'nPay app, developed by the department, enables users to locate and pay for parking remotely using their smart mobile device.

The audit found

The department failed to establish the grounds for entering a direct negotiation procurement strategy, without any competitive tendering, for services for the Park'nPay app. It rushed a decision to trial the app in The Rocks, without considering how this might affect its procurement obligations.

There is no evidence that the procurement achieved value for money. Despite being required by legislation, as well as mandatory NSW government policy, the department did not consider how it would ensure value for money, nor did it demonstrate an adequate understanding of what is meant by value for money on this occasion.

The department failed to implement key probity requirements. There was no effective management of conflicts of interest. Key decisions were not documented. There was a lack of clarity, transparency, and oversight of the relationship between the Minister's office and staff in the department.

The audit made recommendations about

1. making and retaining complete and accurate records, particularly on decisions to commit or expend public money
2. ensuring department staff understand how to exercise their financial delegations and procurement processes
3. ensuring that only staff with appropriate delegations are committing or approving the spending of public money
4. consistency with the contract extension provisions of the NSW Government Procurement Policy Framework, particularly regarding ensuring value for money
5. protocols to guide the interactions between department staff and Minister and Minister's staff
6. the need for proper management and oversight of contingent workers, such as contractors.

On 27 February 2019 the then Minister for Finance, Services and Property announced the commencement of a Park’nPay app trial in The Rocks precinct of Sydney.

The app was intended to enable users to locate and pay for parking remotely, using their smart mobile device such as a phone or tablet, rather than needing to physically be at a parking meter.

In July 2019, following a direct negotiation procurement conducted by the then Department of Finance, Services and Innovation, a contract was executed with Duncan Solutions for an estimated value of $1,260,600 over three-years, with three single-year options to extend. The contract required Duncan Solutions to provide development services to link the Park'nPay app to its Parking Enterprise Management System platform and to provide ongoing software support services.

This audit assessed whether the department complied with the procurement obligations that applied at the time it procured these services from Duncan Solutions.

This audit focussed on the department's processes and decision-making relating to:

• the direct negotiation with Duncan Solutions at the exclusion of any other potential supplier
• the negotiation, execution and management of the contract with Duncan Solutions.

As this audit focusses on the department's procurement and contract management processes, it does not comment on the activities of Duncan Solutions. The detailed audit objective, criteria and audit approach are in Appendix three.

The auditee is the Department of Customer Service. As a result of machinery of government changes, the Department of Finance, Services, and Innovation became the Department of Customer Service from 1 July 2019. To avoid confusion, this report simply uses ‘the department’ to refer to either. Where the report refers to the Minister, it relates to the former Minister in office at the time.

Appendix one – Response from auditee

Appendix two – Key requirements of the department's procurement manual 

Appendix three – About the audit 

Appendix four– Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #387 - released 14 December 2023

What this report is about

Around one-third of the state’s population lives in regional NSW, but deaths on regional roads make up around two-thirds of the state’s road toll.

Transport for NSW (TfNSW) is responsible for managing road safety outcomes across the NSW road network. This audit assessed the effectiveness of TfNSW’s delivery of road safety strategies, plans and policies in regional areas.

The NSW Road Safety Action Plan 2022–2026 has the stated goal of ‘no death or serious injury occurring on the road transport network’ by 2050.

What we found

There is a disproportionate amount of trauma on regional roads, but there are no specific road safety plans or trauma reduction targets for regional NSW.

TfNSW advises that the setting of state-wide road safety targets is consistent with other jurisdictions and international best practice. However, the proportion of road fatalities and serious injuries in regional NSW is almost the same as ten years ago.

There is no regional implementation plan to assist TfNSW to target the Road Safety Action Plan 2026 to regional areas.

TfNSW considers that local road safety outcomes should be managed by councils, but only 52% of regional councils participated in its Local Government Road Safety Program (LGRSP) in 2022–23. This program has not been updated since 2014, despite commitments to do so in 2021 and 2022.

TfNSW has not undertaken a systematic and integrated analysis of the combined impact of its road safety strategies and plans in regional NSW since 2012.

TfNSW reports against the Community Road Safety Fund (CRSF) annually but there is no consolidated, public reporting on total road safety funding allocated to regional NSW. The Fund underspend increased from 12% in 2019–20 to 20% in 2022–23.

What we recommended

We recommended TfNSW:

• develop a regional implementation plan to support the NSW Road Safety Action Plan, including a framework to annually measure, analyse and publicly report on progress
• develop a plan to measure and mitigate risks causing underspend in the CRSF
• expedite the review of the LGRSP including recommendations to increase involvement of regional councils.

Disclosure of confidential information

Under the Government Sector Audit Act 1983 (the Act), the Auditor-General may disclose confidential information if, in the Auditor-General’s opinion, the disclosure is in the public interest, and that disclosure is necessary for the exercise of the Auditor-General’s functions.

Confidential information in the Act means Cabinet information or information subject to legal privilege. This performance audit report contained confidential information.

The NSW Premier has certified that in his opinion the disclosure of the confidential information was not in the public interest.

The confidential information has been redacted from this report.

Under section 36A(2) of the Government Sector Audit Act 1983, the Auditor-General may authorise the disclosure of confidential information if, in the Auditor-General’s opinion, the disclosure is in the public interest and necessary for the exercise of the Auditor-General’s functions. Confidential information under the Government Sector Audit Act 1983 means Cabinet information, or information that could be subject to a claim of privilege by the State or a public official in a court of law. This performance audit report contained confidential information which, in the opinion of the Auditor-General, is in the public interest to disclose and that disclosure is necessary for the exercise of the Auditor-General’s functions.

On 26 October 2023, pursuant to section 36A(2)(b) of the Government Sector Audit Act 1983, the Auditor-General notified the NSW Premier of the intention to include this information in the published report, having formed the opinion that its disclosure is in the public interest and is necessary for the exercise of the Auditor-General’s functions.

On 23 November 2023, pursuant to section 36A(2)(c) of the Government Sector Audit Act 1983, the NSW Premier certified that, in his opinion, the proposed disclosure of the confidential information contained in this report was not in the public interest. The Premier’s certificate follows. Section 36A(4) states that a certificate of the Premier that it is not in the public interest to disclose confidential information is conclusive evidence of that fact.

The issuance of the certificate by the NSW Premier prevents the publication of this information. The relevant sections of the report containing confidential information have been redacted.

One-third of the New South Wales population resides in regional areas, but two-thirds of the state’s road crash fatalities take place on regional roads.

Between 2017 and 2021, the average number of fatalities for every 100,000 of the population living in regional New South Wales was 8.33 — approximately four times higher than the equivalent measure for Greater Sydney. Similarly, the average number of serious injuries in regional New South Wales over the same period was 75.24 per 100,000 of the population, compared with 50.53 in Greater Sydney. Further, more than 70% of people who lose their lives in accidents on regional roads are residents of regional areas.

Residents of regional areas face particular transport challenges. They often need to travel longer distances for work, health care, or recreation purposes, yet their public transport options are more limited than metropolitan residents. Vehicle safety is also an issue. According to the NSW Road Safety Progress Report 2021, of the light vehicles registered in New South Wales that were manufactured in or after 2000, 48.4% of light vehicles in regional areas had a five-star Australasian New Car Assessment Program (ANCAP) rating, compared to 54.8% in metropolitan areas. Road conditions in regional areas can also be more challenging for drivers.

Regional New South Wales covers 98.5% of the total area of the state. The road network in New South Wales is vast — spanning approximately 200,000 kilometres.

The road network includes major highways, state roads and local roads. Speed limits range from 10 km/hr in high pedestrian shared zones, up to 110 km/hr on high volume and critical road corridors. Eighty per cent of the network has a 100 km/h speed limit, which is mostly applied as a default speed limit, regardless of the presence of safety features and treatments.

Speed is the primary causal factor in more crashes in New South Wales than any other factor, and car crashes in regional areas are more likely to be fatal because of the higher average speeds involved.

The responsibility for managing road safety outcomes across the entire New South Wales road network lies with Transport for NSW (TfNSW), pursuant to Schedule 1 of the Transport Administration Act 1988.

While its safety responsibilities are state-wide, TfNSW does not own or directly manage all of the road network in regional New South Wales, which spans approximately 200,000 kilometres. Approximately 80% of the roads are classified as Local Roads and are administered and managed by local councils. Local councils also maintain Regional Roads that run through their local government areas. TfNSW is responsible for managing State Roads (approximately 20% of roads), which are major arterial roads. It also provides funding for councils to manage over 18,000 km (approximately 10%) of state-significant Regional Roads.

According to TfNSW, between 2016 and 2020, there were 9,776 people killed or seriously injured on roads in regional New South Wales. Adding to the tragic loss of life, according to TfNSW, the estimated cost to the community between 2016 and 2020 resulting from regional road trauma and fatalities was around $13.7 billion.

TfNSW also noted that the ‘risk of road trauma is pervasive, and a combination of effective road safety measures is required to systematically reduce this risk’.

TfNSW released its first long-term road-safety strategy in December 2012, which introduced the goal of ‘Vision Zero’ — a long-term goal of zero deaths or serious injuries on NSW roads. The terminology was changed to ‘Towards Zero’ in the 2021 Road Safety Plan and has been retained in the NSW Road Safety Action Plan 2022–2026. Towards Zero has the stated goal of ‘no death or serious injury occurring on the road transport network’ by 2050.

The objective of this audit is to assess the effectiveness of TfNSW’s delivery of ‘Towards Zero’ in regional areas.

In making this assessment, the audit examined whether TfNSW:

• is effectively reducing the number of fatalities and serious injuries on regional roads
• has an effective framework, including governance arrangements, for designing and refreshing the NSW Road Safety Strategy 2012–2021 and the NSW Road Safety Action Plan 2022–2026
• effectively makes use of whole-of-government and other relevant sources of data to support decision-making, and to evaluate progress and outcomes
• effectively manages accountabilities, including roles and responsibilities, with respect to road safety outcomes and the use of data.

This audit focused on the policies and strategies used by TfNSW for managing road safety outcomes in regional areas. We did not evaluate individual road safety projects, programs and initiatives as part of this audit.

Whilst Regional Roads and Local Roads (as defined by the Road Network Classifications) are owned and maintained by local councils, we included these roads in this audit as TfNSW may advise and assist councils to promote and improve road safety, as well as manage grant programs that focus on improving road safety outcomes on these roads. Hereafter, unless otherwise stated, references to ‘regional roads’ refer to all classifications of roads in the state which are in regional New South Wales, irrespective of their ownership.

Local councils in regional areas are key stakeholders for the purposes of this audit, and we interviewed eight as part of the audit process (noting that this was not intended to be a representative sample). Road asset management by local councils is also out of scope for this audit as it is the focus of a subsequent performance audit by the Audit Office of New South Wales.b

The Audit Office of New South Wales has undertaken several performance audits relating to road safety since 2009 and these have been referenced while undertaking this audit. They include:

• Condition of State Roads (August 2006)
• Improving Road Safety: Heavy Vehicles (May 2009)
• Improving Road Safety: School Zones (March 2010)
• Improving Road Safety: Speed Cameras (July 2011)
• Regional Assistance Programs (May 2018)
• Mobile speed cameras (October 2018)
• Rail freight and Greater Sydney (October 2021).

Appendix one – Response from Transport for NSW

Appendix two – The Safe Systems framework and NSW road safety strategies and plans

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #386 - released 30 November 2023

What the report is about

Effective radio communications are crucial to NSW's emergency services organisations.

The Critical Communications Enhancement Program (CCEP) aims to deliver an enhanced public safety radio network to serve the five emergency services organisations (ESOs), as well as a range of other users.

This report assesses whether the NSW Telco Authority is effectively managing the CCEP.

What we found

Where it has already been delivered (about 50% of the state), the enhanced network meets most of the requirements of ESOs.

The CCEP will provide additional infrastructure for public safety radio coverage in existing buildings agreed to with ESOs. However, radio coverage inside buildings constructed after the CCEP concludes will be at risk because building and fire regulations do not address the need for in-building public safety radio coverage.

Around 98% of radios connected to the network can be authenticated to protect against cloning, though only 42% are.

The NSW Telco Authority has not settled with ESOs on how call encryption will be used across the network. This creates the risk that radio interoperability between ESOs will not be maximised.

When completed, the public safety radio network will be the only mission critical radio network for ESOs. It is unclear whether governance for the ongoing running of the network will allow ESOs to participate in future network operational decisions.

The current estimated capital cost for the NSW Telco Authority to complete the CCEP is $1.293 billion. This is up from an estimated cost of $400 million in 2016. The estimated capital cost was not publicly disclosed until $1.325 billion was shown in the 2021–22 NSW Budget Papers.

We estimate that the full cost to government, including costs to the ESOs, of implementing the enhanced network is likely to exceed $2 billion.

We made recommendations about

• The governance of the enhanced Public Safety Network (PSN) to support agency relationships.
• The need to finalise a Traffic Mitigation Plan for when the network is congested.
• The need to provide advice to the NSW Government about the regulatory gap for ensuring adequate network reach in future buildings.
• The need to clarify how encryption and interoperability will work on the enhanced network.
• The need for the NSW Telco Authority to comply with its policy on Infrastructure Capacity Reservation.
• Expediting measures to protect against the risk of cloning by unauthenticated radios.

Public safety radio networks are critical for operational communications among Emergency Services Organisations (ESOs), which in New South Wales include:

• NSW Ambulance
• Fire and Rescue NSW
• NSW Police Force
• NSW Rural Fire Service
• NSW State Emergency Service.¹

Since 1993, these five ESOs have had access to a NSW Government owned and operated radio communications network, the Public Safety Network (PSN), to support their operational communications. Around 60 to 70 other entities also have access to this network, including other NSW government entities, Commonwealth government entities, local councils, community organisations, and utility companies.

Pursuant to the Government Telecommunications Act 2018 ('the Act'), the New South Wales Government Telecommunications Authority ('NSW Telco Authority') is responsible for the establishment, control, management, maintenance and operation of the PSN.²

Separate to the PSN, all ESOs and other government entities have historically maintained their own radio communication capabilities and networks. Accordingly, the PSN has been a supplementary source of operational radio communications for these entities.

These other radio networks maintained by ESOs and other entities are of varying size and capability, with many ageing and nearing their end-of-life. There was generally little or no interoperability between networks, infrastructure was often co-located and duplicative, and there were large gaps in geographic coverage.

In 2016, the NSW Telco Authority received dedicated NSW Government funding to commence the Critical Communications Enhancement Program (CCEP).

According to NSW Telco Authority's 2021–22 annual report, the CCEP is a transformation program for operational communications for NSW government agencies. The CCEP '…aims to deliver greater access to public safety standard radio communications for the State’s first responders and essential service agencies'. The objective of CCEP is to consolidate the large number of separate radio networks that are owned and operated by various NSW government entities and to enhance the state’s existing shared PSN. The program also aims to deliver increased PSN coverage throughout New South Wales.

The former NSW Government intended that as the enhanced PSN was progressively rolled-out across NSW, ESOs would migrate their radio communications to the enhanced network, before closing and decommissioning their own networks.

About this Audit

This audit assessed whether the CCEP is being effectively managed by the NSW Telco Authority to deliver an enhanced PSN that meets ESOs' requirements for operational communications.

We addressed the audit objective by answering the following two questions:

1. Have agreed ESO user requirements for the enhanced PSN been met under day-to-day and emergency operational conditions?
2. Has there been adequate transparency to the NSW Government and other stakeholders regarding whole-of-government costs related to the CCEP?

In answering the first question, we also considered how the agreed user requirements were determined. This included whether they were supported by evidence, whether they were sufficient to meet the intent of the CCEP (including in considering any role for new or alternative technologies), and whether they met any relevant technical standards and compliance obligations (including for cyber security resilience).

While other NSW government agencies and entities use the PSN, we focused on the experience of the five primary ESOs because these will be the largest users of the enhanced PSN.

Both the cost and time required to complete the CCEP roll-out have increased since 2016. While it was originally intended to be completed in 2020, this is now forecast to be 2027. Infrastructure NSW has previously assessed the reasons for the increases in time and cost. A summary of the findings made by Infrastructure NSW is presented in Chapter 1 of this report. Accordingly, as these matters had already been assessed, we did not re-examine them in this performance audit.

The auditee for this performance audit is the NSW Telco Authority, which is a statutory authority within the Department of Customer Service portfolio.

In addition to being responsible for the operation of the PSN, section 5 of the Act also prescribes that the NSW Telco Authority is:

• to identify, develop and deliver upgrades and enhancements to the government telecommunications network to improve operational communications for government sector agencies
• to develop policies, standards and guidelines for operational communications using telecommunications networks.

The NSW Telco Authority Advisory Board is established under section 10 of the Act. The role of the board is to advise the NSW Telco Authority and the minister on any matter relating to the telecommunications requirements of government sector agencies and on any other matter relating to the functions of the Authority. As of 2 June 2023, the responsible minister is the Minister for Customer Service and Digital Government.

The five identified ESOs are critical stakeholders of the CCEP and therefore they were consulted during this audit. However, the ESOs were not auditees for this performance audit.

The NSW Telco Authority established and tracked its own costs for the CCEP

Over the course of the program from 2016, the NSW Telco Authority prepared a series of business cases and program reviews that estimated its cost of implementing the program in full, including those shown in Exhibit 6 below.

In response to the 2016 CCEP business case, the then NSW Government approved the NSW Telco Authority implementing the CCEP in full, with funding provided in stages. The NSW Telco Authority tracked its costs against approved funding, with monthly reports provided to the multi-agency Program Steering Committee

Throughout the program, the NSW Government was informed of increasing costs being incurred by the NSW Telco Authority for the CCEP

The various business cases, program updates, and program reviews prepared by the NSW Telco Authority were provided to the NSW Government through the required Cabinet process when seeking approval for the program proceeding and requests for both capital and operational funding. These provided clear indication of the changing overall cost of the CCEP to the NSW Telco Authority, as well as the delays that were being experienced.

There was no transparency to the Parliament and community about changes in the capital cost of the CCEP until the 2021–22 NSW Budget

As the business cases for the CCEP were not publicly available, the only sources of information about capital cost were NSW Budget papers and media releases. The information provided in the annual Budget papers prior to the 2021–22 NSW Budget provided no visibility of the estimated full capital cost to complete all stages of the CCEP. As shown in Exhibit 7 below, this information was fragmented and complex.

Media releases about the progress of the CCEP did not provide the estimated total cost to the NSW Telco Authority of $1.325 billion to complete all stages of the CCEP until June 2021. Prior to this date, media releases only provided funding for the initial stages of the program or for the stages subject to a funding announcement.

Even during the September 2019 and March 2020 Parliamentary Estimate Committee hearings where the costings and delays to the CCEP were raised, the estimated full cost of the CCEP was not revealed.

The original business case for the CCEP included estimated ESO costs, though these costs were not tracked throughout the program

Estimates for ESO costs for operating and maintaining their own radio networks over the four years from 2016–17 were included in the original March 2016 business case. They included $75.2 million for capital expenditure and $95 million for one-off operating costs. These costs, as well as costs incurred by ESOs due to the delay in the program, were not subsequently tracked by the NSW Telco Authority.

In January 2017, Infrastructure NSW reviewed the CCEP business case of March 2016. In this review, Infrastructure NSW recommended that the NSW Telco Authority identify combined and apportioned costs and cashflow for all ESOs over the CCEP funding period reflecting all associated costs to deliver the CCEP. These to include additional incidental capital costs accruing to ESOs, transition and migration to the new network and the cost (capital and operational) of maintaining existing networks. This recommendation was implemented in the November 2017 program review, with ESO capital costs estimated as $183 million.

In 2019, Infrastructure NSW conducted a Deep Dive Review on the progress of the CCEP. In this review, Infrastructure NSW made what it described as a 'critical recommendation' that the NSW Telco Authority:

It should be noted that the delay to CCEP completion now is seven years and that further ‘operational bridging solutions’ have been needed by the ESOs.

'Stay Safe and Keep Operational' costs incurred by ESOs will be significantly higher than originally estimated

Stay Safe and Keep Operational (SSKO) funding was established to provide funding to ESOs to maintain their legacy networks while the CCEP was refreshing and enhancing the PSN. This recognised that much of the network infrastructure relied on by ESOs had reached – or was reaching – obsolescence and would either require extensive maintenance or replacement before the PSN was available for ESOs to migrate to it. ESOs may apply to NSW Treasury for SSKO funding, with their specific proposals being reviewed (and endorsed, where appropriate) by the NSW Telco Authority. Accordingly, SSKO expenditure does not fall within the CCEP budget allocation.

As shown in the table below, extracted from the March 2016 CCEP business case, the total expected cost for SSKO purposes over the course of the CCEP was originally $40 million, assuming the enhanced PSN would be fully available by 2020.

In October 2022, the expected completion date for the CCEP was re-baselined to August 2027. Accordingly, ESOs will be required to continue to maintain their radio networks using legacy equipment for seven years longer than the original 2020 forecast. This will likely become progressively more expensive and require additional SSKO funding. For example, NSW Telco Authority endorsed SSKO bids for 2022–23 exceeded $35 million for that year alone.

Compared to the original forecast made in the March 2016 CCEP business case of $40 million, we found ESOs had estimated SSKO spending to 2027 will be $292.5 million.

A refresh of paging network used by ESOs and the decommissioning of redundant sites were both removed from the original 2016 scope of the CCEP

Paging

A paging network is considered an important user requirement by the Fire and Rescue NSW, NSW Rural Fire Service, and NSW State Emergency Service. The 2016 CCEP business case included a paging network refresh within the program scope of works. This was reiterated in the November 2017 internal review of the program. These documents did not estimate a cost for this refresh. The March 2020 and October 2020 business cases excluded paging from the program scope. The audit is unable to identify when, why or by whom the decision was made to remove paging from the program scope, something that was also not well communicated to the affected ESOs.

In 2021, after representations from the affected ESOs, the NSW Telco Authority prepared a separate business case for a refresh of the paging network at an estimated capital cost of $60.31 million. This program was subsequently approved by the NSW Government and included in the 2022–23 NSW Budget.

In determining an estimated full whole-of-government cost of delivering the enhanced PSN, we have included the budgeted cost of the paging network refresh on the basis that:

• it was expressly included in the original approved March 2016 business case
• the capability is deemed essential to the needs of three ESOs.

Decommissioning costs

The 2016 CCEP business case included cost estimates for decommissioning surplus sites (whether ‘old’ GRN sites or sites belonging to ESOs’ own networks). These estimates were provided for both the NSW Telco Authority ($38 million) and for the ESOs ($55 million). However, while these estimates were described, they were not included as part of the NSW Telco Authority's estimated capital cost ($400 million) or (more relevantly) operating cost ($37.3 million) for the CCEP. This is despite decommissioning being included as one of eight planned activities for the rollout of the program.

In the October 2020 business case, an estimate of $201 million was included for decommissioning agency networks based on a model whereby:

• funding would be coordinated by the NSW Telco Authority
• scheduling and reporting through an inter-agency working group and
• where appropriate, agencies would be appointed as the most appropriate decommissioning party.

This estimated cost is not included in the CCEP budget.

In determining an estimated full whole-of-government cost of the enhanced PSN, we have included the estimated cost of decommissioning on the basis that:

• decommissioning was included in the 2016 CCEP business case as one of eight 'planned activities for the rollout of the program'
• effective decommissioning of surplus sites and equipment (including as described in the business case as incorporating asset decommissioning, asset re-use, and site make-good) is an inherent part of the program management for an enhanced PSN
• costs incurred in decommissioning are entirely a consequence of the CCEP program.

The estimated minimum cost of building an enhanced PSN consistent with the original proposal is over $2 billion

We have derived two estimated minimum whole-of-government costs for delivering an enhanced PSN. These are:

• $2.04 billion when calculated from NSW Telco Authority data – shown as estimate A in Exhibit 9 below.
• $2.26 billion when calculated from ESO supplied data – shown as estimate B in Exhibit 9.

Both totals include:

• budgeted amounts for both CCEP capital expenditure ($1,292.8 million) and operating expenditure ($139 million)
• the NSW Telco Authority's 2020 estimated cost for decommissioning ($201 million)
• the NSW Telco Authority's approved funding for paging refresh ($60.3 million).

The two estimated totals primarily vary around the capital expenditure of ESOs (particularly SSKO funding). To determine these costs, we used ESO provided actual SSKO costs to date, as well as their estimates for maintaining their legacy radio networks through to 2027.

The equivalent cost estimates from the NSW Telco Authority were sourced from the November 2017 internal review and the October 2020 business case for CCEP. It should be noted that the amounts for both estimates are not audited, or verified, but do provide an indication of how whole-of-government costs have grown over the course of the program.

The increase in and reasons for the increase in total CCEP costs (capital and one-off operating) incurred or forecast by the NSW Telco Authority (from $437.3 million in 2016 to $1,431.8 million in 2022) have been provided to the NSW Government through various business cases and reviews prepared by the NSW Telco Authority, as well as by reviews conducted by Infrastructure NSW as part of its project assurance responsibilities.

However, the growth in ESO costs and other consequential costs, such as paging and decommissioning, from around $263 million in the 2016 CCEP business case to between $600 million and $800 million, has to a large degree remained invisible and unexplained to the NSW Government and other stakeholders

Appendix one – Response from agency

Appendix two – Trunked public safety radio networks

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #383 - released 23 June 2023

What the report is about

The Government Advertising Act 2011 requires the Auditor-General to undertake a performance audit on government advertising activities each financial year.

This audit examined whether TAFE NSW's annual advertising campaign in 2021–22:

1. was carried out effectively, economically, and efficiently
2. complied with regulatory requirements and the Government Advertising Guidelines.

What we found

TAFE NSW complied with Section 6 of the Act, prohibiting political content.

It also complied with most other advertising requirements.
 
An important exception was that the Managing Director certified that the campaign complied with regulatory requirements and was an efficient and cost-effective means of achieving its public purpose, before a cost-benefit analysis (CBA) was completed.

We have found issues with agencies complying with CBA requirements in previous government advertising audits. This includes the failure to complete them before signing compliance certificates.

The policy owner, the Department of Customer Service (DCS), does not consider oversight of CBAs to be within the scope of their peer review process.  

TAFE NSW evaluated this advertising campaign by surveying a population significantly broader than the target audience. As such, survey results may not accurately reflect the views of the intended audience.

What we recommended

By 30 June 2023, TAFE NSW should:

1. implement processes that ensure:
   1. CBAs are completed before the launch of campaigns over $1 million
   2. compliance certificates are completed only after all regulatory requirements are met
2. consider adding to its current evaluation methods by surveying a population which closely reflects the age profile of its intended target audience.

By June 2023, DCS should:

3. improve whole‑of‑government reporting and monitoring processes to provide the NSW Government with a central view of compliance, including the completion of CBAs by agencies.

The Government Advertising Act 2011 (the Act) sets out requirements that must be followed by a government agency when it carries out a government advertising campaign. The requirements include an explicit prohibition on political advertising, as well as a need to complete a peer review and cost-benefit analysis before the campaign commences. The accompanying Government Advertising Regulation 2018 (the Regulation) and Government Advertising Guidelines (the Guidelines) address further matters of detail.

The Act also requires the Auditor-General to conduct a performance audit on the activities of one or more government agencies in relation to government advertising campaigns in each financial year. The performance audit must assess whether a government agency (or agencies) has carried out activities in relation to government advertising campaigns in an effective, economical and efficient manner. It also assesses compliance with the Act, the Regulation, other laws and the Guidelines.

This audit examined TAFE NSW's advertising campaign for the 2021–22 financial year. TAFE NSW is the NSW Government's public provider of vocational education and training. TAFE NSW carries out an advertising campaign every year. In 2021–22, it spent $15.16 million on developing and implementing advertising. TAFE NSW used channels such as television, radio, internet and social media, press, and out of home advertising in public settings such as bus stops. The advertising aimed to increase the percentage of people considering TAFE NSW for training or education, grow the percentage of people who consider TAFE NSW to be the preferred education provider in NSW, and maintain the proportion of people who are aware of TAFE NSW more generally.

There are a range of private service providers helping to deliver vocational education and training in NSW.

This part of the report sets out key aspects of TAFE NSW's compliance with the government advertising regulatory framework. It considers whether TAFE NSW complied with the:

• Government Advertising Act 2011
• Government Advertising Regulation 2018
• NSW Government Advertising Guidelines 2012 and other relevant policy.

This part of the report considers whether TAFE NSW's advertising program for 2021–22 was carried out in an effective, efficient, and economical manner.

Appendix one – Responses from agencies

Appendix two – About the campaign

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #377 - released 28 February 2023

What the report is about

Sydney Metro is Australia’s largest public transport project. It requires the acquisition of many private properties, including residential and business properties.

This audit assessed the effectiveness of the acquisition of private properties for the Sydney Metro project. The audited agencies were Sydney Metro, the Department of Planning and Environment (Valuer General NSW) and Transport for NSW (the Centre for Property Acquisition).

The audit assessed agencies against the framework for property acquisitions in New South Wales. It did not re-perform the valuations done for individual properties that were acquired by Sydney Metro.

What we found

Acquisitions of private property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. We found Sydney Metro:

• complied with legislative and policy requirements for compensation and communication with people subject to property acquisitions
• kept accurate records of its acquisitions and applied probity controls consistently
• did not complete detailed plans or negotiation strategies for the high-risk and high-value acquisitions we reviewed
• did not comply with legislative timelines for most compulsory acquisitions because of delays in receiving the required information from the Valuer General in these cases.

The Centre for Property Acquisition has overseen the implementation of reforms to residential acquisition processes, but its assessment of the effectiveness of these reforms has not been comprehensive.

What we recommended

The audit made four recommendations to the audited agencies to improve:

• plans and strategies for the acquisition of high-risk and high-value properties
• timeliness of issuing compensation determinations for compulsory acquisitions
• data quality on the experience of people subject to property acquisitions.

The NSW Government has the power to acquire land that is owned or leased by individuals or businesses, if it is needed for a public purpose. The power arises from the Land Acquisition (Just Terms Compensation) Act 1991 (the Just Terms Act). Government agencies that have the power to compulsorily acquire private property are referred to as ‘acquiring authorities’. People who are subject to acquisitions are referred to as ‘affected parties’ and include property owners (business or residential), businesses with a commercial lease on a property, or individuals with residential tenancy leases. In recent years, the vast majority of acquisitions by the NSW Government have been for public transport or road projects.

Sydney Metro is a NSW Government agency with responsibility for building the Sydney Metro railway project. Sydney Metro is Australia’s largest public transport project. The project requires the acquisition of a large number of private properties. Sydney Metro has been one of the largest acquirers of private property in recent years, completing over 500 acquisitions between 2020 and mid-2022, with a total acquisition value of over $2 billion. Other agencies and statutory officers involved in the acquisition of property for the Sydney Metro project include:

• the Department of Planning and Environment (DPE), which supports the minister responsible for the Just Terms Act. DPE also provides staff to the Valuer General of NSW
• the Valuer General of NSW, an independent statutory officer that determines compensation in cases where the acquiring authority and the affected party cannot agree on compensation for property that has been acquired
• Transport for NSW, which includes the Centre for Property Acquisition (CPA). The CPA does not have a direct role in acquiring properties, but its responsibilities include developing guidance for acquiring agencies and monitoring and reporting on their activities.

About this audit

The objective of this audit was to assess the effectiveness of acquisitions of private properties for Sydney Metro projects. The audit assessed agencies against the legislative and policy requirements in place for government acquisitions of private property in New South Wales. In line with the Audit Office's legislative mandate, the audit does not comment on the merits of the policy objectives reflected in the Just Terms Act.

The audit examined a sample of 20 property acquisitions. This was not a statistically representative sample. While our report provides comments on Sydney Metro’s overall acquisition processes, it does not provide assurance regarding the acquisitions that were not examined for this audit.

The audit did not re-perform the valuations done for individual properties that were acquired by Sydney Metro. Affected parties who disagree with the valuation of their property have the right to seek independent assessment of this via the Valuer General and the Land and Environment Court.

This chapter presents our findings on Sydney Metro's acquisition of industrial and commercial properties. Industrial properties include construction businesses and manufacturing facilities. Commercial properties were mostly properties such as shopping centres and office towers. Many of these acquisitions involve businesses and properties that are relatively complex and have high values. This means the valuation process can require multiple experts and can be lengthy and contested. Adherence to governance and probity requirements is important for these acquisitions in order to demonstrate that the acquiring authority has achieved value for money.

This chapter presents our findings on Sydney Metro's acquisition of residential properties, which include apartments and houses, and small business leases, which mostly affected businesses in small shopping centres or arcades. Most of these acquisitions were lower value compared to industrial and commercial property acquisitions and did not require as much expert advice on complex technical issues. However, residential property acquisitions can be personally distressing for the affected parties and require staff from the acquiring authority to provide support and show empathy while ensuring legislative compliance and value for money.

Appendix one – Responses from agencies

Appendix two – About the audit 

Appendix three – Performance auditing 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #375 - released 9 February 2023

What the report is about

Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.

This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:

• Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives? 
• Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?

What we found

Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.

Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.

Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.

What we recommended

By 30 June 2023 the Department of Customer Service should:

1. implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
2. ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
3. ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
4. develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders. 

The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.

Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).

The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

We assessed this objective through two lines of inquiry:

1. Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
2. Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?

The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.

Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.

Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.

The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.

Establishment of Cyber Security NSW

Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.

The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).

The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.

Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.

Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.

NSW Government Cyber Security Strategy

The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:

• lead
• prepare
• prevent
• detect 
• respond 
• recover.

The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:

• increase NSW Government cyber resiliency
• help NSW cyber security businesses grow
• enhance cyber security skills and workforce 
• support cyber security research and innovation.

Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.

NSW Government Cyber Security Policy

The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.

The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including: 

• annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements 
• that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).

The Policy sets out that Cyber Security NSW:

• may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
• will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.

As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.

This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:

• there was a sound, evidence-based rationale for why Cyber Security NSW was established
• the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
•  there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.

This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.

Appendix one – Response from agency

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #374 - released 8 February 2023

What the report is about

The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.

Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.

What we found

The design and implementation of TAHE, which spanned seven years, was not effective.

The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.

The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.

Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.

Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.

What we recommended

We recommended that the audited agencies should:

• improve accountability and transparency for major new fiscal transformation initiatives
• ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
• review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
• review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.

The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.

TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.

Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).

TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.

TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.

TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.

About this audit

This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether: 

• the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
• agencies' roles and responsibilities were clear in the planning of TAHE
• agencies effectively identified and managed certain risks.

Appendix one – Responses from audited agencies, and Audit Office clarification of matters raised in the TAHE formal response 

Appendix two – Classification of government entities 

Appendix three – About the audit 

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #372 - released 24 January 2023