Reports
Managing climate risks to assets and services
What the report is about
This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.
Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.
NSW Treasury estimates these risks could have significant costs.
What we found
DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.
In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.
DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.
There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.
DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.
NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.
In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.
What we recommended
DPIE and NSW Treasury should, in partnership:
- enhance the coordination of climate risk management across agencies
- implement climate risk management across their clusters.
DPIE should:
- update information and strengthen education to agencies, and monitor progress
- review relevant land-use planning, development and building guidance
- deliver a climate change adaptation action plan for the state.
NSW Treasury should:
- strengthen climate risk-related guidance to agencies
- coordinate guidance on resilience in infrastructure planning
- review how climate risks have been assured in agencies’ asset management plans.
Fast facts
4 years
between commitments in the NSW Climate Change Policy Framework, and DPIE and NSW Treasury producing key supports to agencies for climate risk management.
$120bn
Value of physical assets held by nine NSW Government entities we examined that have not completed climate risk assessments.
Low capability to do climate risk assessment has been found across state agencies. The total value of NSW Government physical assets is $365 billion, as at 30 June 2020.
x3
NSW Treasury’s estimates of the annual fiscal and economic costs associated with natural disasters will triple by 2060–61.
According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.
According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.
The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.
In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.
The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:
- use robust climate projection information to understand the potential climate impacts
- undertake sound climate risk assessments, within an enterprise risk management framework
- implement adaptation plans that reduce these risks, and harness opportunities.
Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.
According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.
This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.
Conclusion
The Department of Planning, Industry and Environment (the department) has made climate projections available to agencies since 2014, but provided limited guidance to assist agencies to identify and manage climate risks. NSW Treasury first noted climate change as a contextual factor in its 2012 guidance on risk management. NSW Treasury only clarified requirements for agencies to integrate climate considerations into their risk management processes in December 2020.
The department has not delivered on a NSW Government commitment for a state-wide climate change adaptation action plan, which was meant to be completed in 2017. Currently many state agencies that own or manage assets and provide services do not have climate risk management in place.
Since 2019, the department and NSW Treasury have worked in partnership to develop a coordinated approach to supporting agencies to manage these risks. This includes guidance to agencies on climate risk assessment and adaptation planning published in 2021.
More work is needed to embed, sustain and lead effective climate risk management across the NSW public sector, especially for the state's critical infrastructure and essential services that may be exposed to climate change impacts.
The NSW Government set directions in the 2016 NSW Climate Change Policy Framework to 'manage the impact of climate change on its assets and services by embedding climate change considerations into asset and risk management’ and more broadly into 'government decision-making'.
The department released climate projections and has made information on projected climate change impacts available since 2014, but this has not been effectively communicated to agencies. The absence of a state-wide climate change adaptation action plan has limited the department's implementation of a coordinated, well-communicated program of support to agencies for their climate risk management.
NSW Treasury is responsible for managing the state's finances and providing stewardship to the public sector on financial and risk management, but it did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019. NSW Treasury estimates the financial costs of climate-related physical risks are significant and will continue to grow.
The partnership between the department and NSW Treasury has produced the 2021 Climate Risk Ready NSW Guide and Course, which aim to help agencies understand their exposure to climate risks and develop adaptation responses. The Guide maps out a process for climate risk assessment and adaptation planning and is referenced in NSW Treasury policy on internal audit and risk management. It is also referenced in NSW Treasury guidance to agencies on how to reflect the effects of climate-related matters in financial statements.
There is more work to be done by the department on maintaining robust, accessible climate information and educating agencies in its use. NSW Treasury will need to continue to update its policies, guidance and economic analyses with relevant climate considerations to support an informed, coordinated approach to managing physical climate risks to agencies' assets and services, and to the state's finances more broadly.
The effectiveness of the department and NSW Treasury's support involves the proactive and sustained take-up of climate risk management by state agencies. There is a key role for the department and NSW Treasury in monitoring this progress and its results.
The support delivered to agencies around climate risk management, including risk assessment and adaptation planning, has been slow to start and of limited impact. The department's capacity to implement a coordinated approach to supporting agencies has also been limited by the absence of a state-wide adaptation strategy and related action plan.
In 2021, products were released by the department and NSW Treasury with potential to improve support to agencies on climate risk assessment and adaption planning (that this, Climate Risk Ready NSW Guide and Course, which provides links to key NSW Treasury polices). The department and NSW Treasury are now leading work to develop a more coordinated approach to climate risk management for agencies' assets and services, and building the resilience of the state to climate risk more broadly.
While climate projections have been available to agencies and the community more broadly since 2013–14, the department has not been effective in educating the relevant data users within agencies in how to use the information for climate risk assessments and adaptation planning.
The absence of a strategy focused on this is significant and has contributed to the current low levels of climate risk assessment uptake across agencies (see section 2). Agencies are required to use the climate projections developed by the department when developing long term plans and strategies as part of the NSW Government Common Planning Assumptions.
For the department, key opportunities to embed climate risk management include leveraging land use planning policies and guidance to drive adaptation, which has potential to better protect the state's assets and services. NSW Treasury has a role in continuing to update its policies, guidance and economic analyses with relevant climate change considerations to support an informed, coordinated approach to addressing physical climate risks to agencies' assets and services, and to the state's finances more broadly.
There is currently no plan on how the department and NSW Treasury intend to routinely monitor the progress of agencies with implementing the CRR Guide or developing climate risk 'maturity' more broadly. As agencies are responsible for implementing risk management systems that meet NSW Treasury standards, which now clearly includes consideration of climate risk (TPP20-08), establishing effective monitoring, reporting and accountability around this progress should be a priority for the department and NSW Treasury.
Appendix one – Response from agencies
Appendix two – Timeline of key activities
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #355 - released (7 September 2021).
Fast-tracked Assessment Program
What the report is about
This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020.
The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications.
DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:
- deliver jobs
- progress to the next stage of development within six months of determination
- deliver public benefit.
The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.
What we found
Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.
Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.
DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19.
Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments.
What we recommended
DPIE should:
- strengthen controls over conflicts of interest
- evaluate the Fast-tracked Assessment Program.
Fast facts
Construction industry support
- The program aimed at providing immediate support to the construction industry during the COVID-19 crisis
59 fast-tracked projects
- 59 projects and 42 planning proposals projects were assessed in six tranches
89% of all fast-tracked assessments in tranches three to six progressed to the next stage of the planning process within six months of determination
In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.
In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:
- deliver jobs – particularly in the construction industry
- be capable of progressing to the next stage of development within six months of determination
- deliver public benefit.
At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.
This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.
Conclusion
Through tranches three to six of the Fast-tracked Assessment Program, DPIE successfully accelerated the final stages of 53 assessments. DPIE’s internal monitoring indicates that 31 DAs and 16 planning proposals selected in these tranches proceeded to the next stage of development within six months of determination. DPIE achieved this while also successfully managing the risk of non-compliance with planning controls arising from the accelerated process. While DPIE has incorporated components of the Fast-tracked Assessment Program into other longer-term reforms, it has not evaluated the program and is not able to demonstrate the extent to which the program provided support to the construction industry during COVID-19.
Between April and October 2020, DPIE adopted a case management approach to accelerate the final stages of assessment for 42 planning proposals and 59 DAs in six tranches. Tranches three to six were the focus of this audit and included 22 planning proposals and 31 DAs. Applicants involved in the program were expected to progress their projects to the next stage of development within six months of determination. While DPIE had no way of compelling applicants to do this and relied on non-binding commitments obtained from applicants, DPIE’s internal monitoring indicates that 47 of the 53 applicants selected in tranches three to six honoured this commitment.
Fast-tracked assessment only applied to the final stages of assessment and required DPIE staff and other stakeholders to work towards a determination deadline. DPIE effectively used a case management approach to manage the risk that the accelerated timeframe could result in planning controls not being fully compliant with legislation. There is some room for improvement in the process, as four of 28 staff assessing planning proposals and DAs had not lodged current conflict of interest declarations.
Based on the results of and learnings from the Fast-tracked Assessment Program, DPIE has incorporated some elements of the program into other longer-term reforms. There is now increased transparency about when applicants can expect to receive a planning determination and DPIE has also introduced a case management approach for strategic and high priority planning applications. Applicants benefiting from case-managed assessment are now required to commit to a formal service charter that specifies the obligations of both DPIE and the applicant.
DPIE has not evaluated the Fast-tracked Assessment Program to understand the costs and benefits of the program, nor which aspects of the program were most effective as a basis for future reform.
Appendix one – Response from agency
Appendix two – Planning determination pathways
Appendix three – About the audit
Appendix four – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #354 - released (27 July 2021).
Managing cyber risks
What the report is about
This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.
The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’.
The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.
What we found
TfNSW and Sydney Trains are not effectively managing their cyber security risks.
Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.
Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP).
However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.
Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.
TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.
What we recommended
TfNSW and Sydney Trains should:
- develop and implement a plan to uplift the Essential 8 controls to the agency's target state
- as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
- ensure cyber security risk reporting to executives and the Audit and Risk Committee
- collect supporting information for the CSP self assessments
- classify all information and systems according to importance and integrate this with the crown jewels identification process
- require more rigorous analysis to re-prioritise CDP funding
- increase uptake of cyber security training.
TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.
Department of Customer Service should:
- clarify the requirement for the CSP reporting to apply to all systems
- require agencies to report the target level of maturity for each mandatory requirement.
Fast facts
- $42m Total value of the Transport Cyber Defence Rolling Program over three years.
- 7.2% Percentage of staff across the Transport cluster who had completed introductory cyber security training
Response to requests by audited agencies to remove information from this report
In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.
In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.
In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.
TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.
It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.
It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.
That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.
Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.
Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.
The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.
This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.
To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.
This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.
This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:
- Are agencies effectively identifying and planning for their cyber security risks?
- Are agencies effectively managing their cyber security risks?
Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.
Conclusion
Transport for NSW and Sydney Trains are not effectively managing their cyber security risks. Significant weaknesses exist in their cyber security controls, and both agencies have assessed that their cyber risks are unacceptably high. Neither agency has reached its Essential 8 or Cyber Security Policy target levels. This low Essential 8 maturity exposes both agencies to significant risk. Both agencies are implementing cyber security plans to address identified cyber security risks.
This audit identified other weaknesses, such as low numbers of staff receiving basic cyber security awareness training. Cyber security training is important for building and supporting a cyber security culture. Not all of the weaknesses identified in this audit had previously been identified by the agencies, indicating that their cyber security risk identification is only partially effective.
Agency executives do not receive regular detailed information about cyber risks and how they are being managed, such as information on mitigations in place and the effectiveness of controls for cyber risk. As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making.
TfNSW and Sydney Trains are partially effective at identifying their cyber security risks and both agencies have cyber security plans in place
Both agencies regularly carry out risk assessments and have identified key cyber security risks, including risks that impact on the agencies' crown jewels. These risks have been incorporated into the overall enterprise risk process. However, neither agency regularly reports detailed cyber risk information to agency executives to adequately inform them about cyber risk. The Cyber Security Policy (CSP) requires agencies to foster a culture where cyber security risk management is an important and valued aspect of decision-making. By not informing agency executives in this way, TfNSW and Sydney Trains are not fulfilling this requirement.
Agencies' cyber security risk assessment processes are not sufficiently comprehensive to identify all potential risks. Not all of the weaknesses identified in this audit had previously been identified by the agencies.
To address identified cyber security risks, both agencies have received funding approval to implement cyber security plans. TfNSW first received approval for its cyber security plan in 2017. Sydney Trains received approval for its cyber security plan in February 2020. In 2020–21 TfNSW and Sydney Trains combined their plans into the Transport Cyber Defence Rolling Program business case valued at $42.0 million over three years. This is governed as part of a broader Cyber Defence Portfolio (CDP). The CDP largely takes a risk-based approach to annual funding. The Cyber Defence Portfolio Steering Committee and Board can re-allocate funds from an approved project to a different project. This re-allocation process could be improved by making it more risk-based.
TfNSW and Sydney Trains are not effectively managing their cyber security risks
Neither agency has fully mitigated its cyber security risks. These risks are significant. Neither TfNSW nor Sydney Trains have reduced their cyber risk to levels acceptable to the agencies. Both agencies have set a risk tolerance for cyber security risks, and the identified enterprise-level cyber security risks remain above this rating. Both agencies' self-attested maturity against the Essential 8 remains low in comparison to the agencies' target levels, and in relation to the significant risks and vulnerabilities that are exposed. Little progress was made against the Essential 8 in 2020.
Neither agency has reached its target levels of maturity for the CSP mandatory requirements. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles. The Transport Cyber Defence Rolling Program has a KPI to achieve a target rating of three for all CSP requirements where business appropriate. TfNSW considers this target rating to be its target for all the CSP requirements. However TfNSW has not undertaken analysis to determine whether this target is appropriate to its business.
The CSP makes agencies accountable for the cyber risks of their ICT service providers. While both agencies usually included their cyber security expectations in contracts with third-party suppliers, neither agency was routinely conducting audits to ensure that these expectations were being met.
The CSP requires agencies to make staff aware of cyber security risks and deliver cyber security training. TfNSW is responsible for delivering cyber security training across the Transport cluster, including in Sydney Trains. TfNSW was not effectively delivering cyber security training across the cluster because training was not mandatory for all staff at the time of the audit and completion rates among those staff assigned the training was low. As such, only 7.2 per cent of staff across the Transport cluster had completed introductory cyber security training as at January 2021.
Agencies have assessed their cyber risks as being above acceptable levels
An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.
Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.
Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.
Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.
Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.
Agencies have assessed their current cyber risk mitigations as requiring improvement
In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.
Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.
Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.
Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020
CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.
Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.
None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.
Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.
Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.
TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate
Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.
Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.
Sydney Trains has not met its target ratings across the mandatory requirements.
The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.
TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.
Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.
Both agencies operate ISMS in line with the CSP
CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.
As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.
Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.
There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.
Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations
CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.
The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.
TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.
Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.
The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.
Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so
It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.
Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.
TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit
TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.
The Transport cluster is not effectively implementing cyber security awareness training
Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.
TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.
Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.
In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.
The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low
Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.
TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.
In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.
| In both 2019 and 2020, TfNSW performed a ‘Spot the Scammer’ exercise in which they sent out over 25,000 emails to staff based on a real phishing attack in order to measure awareness and response. The exercise tested staff 'click through rate', the percentage of staff who clicked on the fake phishing link. In 2019, these results were then compared to industry benchmarks, with over a 20 per cent click through rate being considered 'very high'. Both TfNSW and Sydney Trains were considered to have a ‘very high’ click through rate in comparison to these benchmarks in both 2019 and 2020. This indicates that staff awareness of phishing emails was low. The click through rate for TfNSW was 24 per cent in 2020, an increase from 22 per cent in 2019. For Sydney Trains, the click through rate in 2020 was 32 per cent, which was a decrease from 40 per cent in 2019. |
Appendix one – Response from agencies
Appendix two – Cyber Security Policy mandatory requirements
Appendix three – About the audit
Appendix four – Performance auditing
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #353 - released (13 July 2021).
Water management and regulation
Water regulation aims to achieve sustainable environmental, economic and social outcomes from the management of water resources, consistent with the Water Management Act 2000. Following recommendations from reviews into water theft, reforms were made to strengthen water regulation, compliance and enforcement – including the establishment of the Natural Resources Access Regulator (NRAR) in 2018. The Department of Planning and Environment shares responsibility for issuing water access licences and approvals with the state-owned corporation, WaterNSW.
This audit could assess how effectively the Department, WaterNSW and NRAR are undertaking relevant planning, licensing and regulatory functions to ensure secure, sustainable and transparent water sharing in New South Wales. This topic could also consider how effectively the Department has implemented reforms to enhance water metering technology and rules, and the efficacy of NRAR’s activities to support this program.
Acquisition of 4–6 Grand Avenue, Camellia
The Auditor-General for New South Wales, Margaret Crawford, has today released a report on Transport for NSW’s (TfNSW) acquisition of 4–6 Grand Avenue in Camellia.
This audit, which was requested on 17 November 2020 by the Hon. Andrew Constance MP, the Minister for Transport and Roads, examined:
- whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
- whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.
The audit found that TfNSW conducted an ineffective process when it purchased 4–6 Grand Avenue, Camellia. The audit also found that TfNSW’s internal policies and procedures to guide the transaction were, and continue to be, insufficient.
The Auditor-General has made seven recommendations to address the issues identified in the report.
On 17 November 2020, the Hon. Andrew Constance MP, the Minister for Transport and Roads, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983.
On 15 June 2016, Transport for New South Wales (TfNSW) acquired 6.3 hectares of land at 4–6 Grand Avenue, Camellia, by agreement from Grand 4 Investments Pty Ltd. Grand 4 Investments was a business entity established by the owners of Billbergia Pty Ltd, a property development and investment company.
TfNSW paid Grand 4 Investments $53.5 million and assumed liability for addressing environmental issues and contamination associated with the site. This took place seven months after the vendor acquired the land as part of a competitive Expression of Interest process, in which TfNSW also participated, for $38.15 million.
TfNSW is the NSW Government agency responsible for most major transport infrastructure projects in New South Wales. TfNSW acquired the Camellia site for use as a stabling and maintenance depot to support the Parramatta Light Rail (PLR) project.
Consistent with the minister’s request, this audit assessed:
- whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
- whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.
In considering the effectiveness of the processes for this purchase, the audit considered:
- the requirements of the Land Acquisition (Just Terms Compensation) Act 1991 (the Act)
- the application of sound processes to manage risk to the NSW Government and to achieve value for money
- the application of disciplines associated with complex procurement, such as probity, in a NSW Government context.
The acquisition of the 4–6 Grand Avenue site in Camellia was consistent with a 2014 feasibility study for the PLR, but occurred before the completion of detailed project planning or an acquisition strategy.
TfNSW made two attempts to acquire the 4–6 Grand Avenue site in Camellia, and was successful on the second attempt. TfNSW recognised the risks associated with early acquisition and had high-level strategies in place should the site not be required.
The specific site had been identified in a feasibility study for the PLR commissioned by TfNSW in 2014 as one of several options in Camellia for a stabling and maintenance depot. However, TfNSW had not done any substantive analysis of the various options to identify a preferred location before the two opportunities to acquire 4–6 Grand Avenue were brought to TfNSW’s attention by the landowners (or their agents). On both occasions, TfNSW chose to actively pursue acquisition in advance of any such analysis.
The acquisition was also not informed by a Property Acquisition Strategy, which TfNSW policy recommends in order to guide the process and manage acquisition specific risks.
In 2015, TfNSW identified that it would require a stabling and maintenance depot in the Camellia area for the Parramatta Light Rail
In 2014, TfNSW commissioned an external engineering consultancy to undertake a feasibility design study for the Parramatta Light Rail - the Parramatta Transport Corridor Strategy Feasibility Design study (herein referred to as ‘the feasibility study’). In early 2015, TfNSW received the feasibility study, which was one of several key sources that informed the development of business cases for the PLR.
The feasibility study recommended that TfNSW should consolidate the maintenance and cleaning operations with overnight stabling facilities on one site. The study noted that the optimal location for any such site would be in close proximity to the proposed network, and noted that the site must have access to road connections to accommodate access for cars and trucks.
The study found that a centrally located stabling and maintenance facility would be required for all routes serving the Parramatta CBD, and that the Camellia industrial area was a preferred location for such a facility. The study noted that the Camellia area was contaminated.
The feasibility study notes that its conclusions were based on assumptions about the light rail system adopted and decisions made by the future operator of the system, who had not yet been selected or appointed.
TfNSW's decision to progress a potential acquisition in 2015 considered the risk that the site may not be required
TfNSW's FIC was responsible for making decisions on funding allocations at a whole of program level within TfNSW. FIC was also responsible for approving ‘high-risk/high-value’ variations to program budgets. Members of the FIC included:
- Secretary of Transport for NSW
- Deputy Secretary, Infrastructure and Services
- Deputy Secretary, Freight, Strategy and Planning
- Deputy Secretary, Customer Services
- Deputy Secretary Finance and Investment
- Deputy Secretary People and Corporate Services.
An April 2015 submission, from the then Deputy Director-General to the agency’s FIC, sought authorisation and funding approval to participate in an Expression of Interest sale process. It noted the risk that the project may not go ahead. The submission advised that:
By acquiring a strategic site now, it reduces the risk of having to pay an improved value or a value that may be subject to rapidly improving land values due to changes in land use and rezoning.
The property can be acquired for the project, held strategically and income generated by leasing the site as hardstand 1 space until the project requires the land for the Parramatta Light Rail project.
If the project does not proceed in the medium to longer term, the property can be sold at a premium to what has been paid today as property fundamentals improve.
This submission acknowledged the risks associated with environmental contamination and proposed that these risks would be managed by negotiating a contract where the remediation and associated expenses would be at the landowner’s cost.
TfNSW assessed the 4–6 Grand Avenue site as one of several sites in Camellia that was a feasible location for a stabling and maintenance facility
The Departmental feasibility study assessed six potential sites for a stabling and maintenance facility, including 4–6 Grand Avenue, noting strengths and weaknesses of each site. A different site on Grand Avenue was assessed as the ‘base case’ option (1 Grand Avenue). The study’s comments on the 4–6 Grand Avenue site included the following:
With an area of approximately 63,000m2, this site has sufficient space for a depot with the required stabling yard and maintenance facilities. The location allows for good road access and LRT [light rail transit] access would be from Grand Avenue, which may require a road crossing or signalised intersection. The site has been used for general industrial uses; however the land has been cleared and is currently undergoing remediation 2. The site is not affected by flooding based on one in 100-year flood data.
In early 2015, once the opportunity to acquire 4–6 Grand Avenue emerged, TfNSW commissioned a specific feasibility study of the 4–6 Grand Avenue site. The feasibility studies clearly documented the existence of environmental contamination. In April 2015, the report concluded:
Given the limitations of this report and within the parameters that have been set it is concluded that from a spatial and geographic perspective the site at 6 Grand Avenue would be suitable as a stabling and maintenance depot for the Parramatta light rail project. There are few engineering and environmental constraints that would affect the feasibility level analysis of this site and all issues identified, within this desk study, are considered to be resolvable. However this being said there is a significant amount of work necessary to reach the final layout and definition of the stabling and maintenance depot. There are numerous items which require further consideration and conformation; planning approvals could impose restrictions on building heights, noise mitigation measures, light and visual impact requirements all of which can have significant impacts on the spatial requirements of any stabling and maintenance depot.
The acquisition of 4–6 Grand Avenue was not informed by a Property Acquisition Strategy
For major projects, TfNSW typically requires the project team to complete a Property Acquisition Strategy, which is intended to guide both process as well as specific acquisition issues expected to be faced during the project. The Property Acquisition Strategy is not a mandated document but is a recommended tool to support property acquisition as part of major projects.
TfNSW did not have a Property Acquisition Strategy in place to guide the 2015 Expression of Interest process. On 6 November 2015, the then Project Director for the PLR project emailed the property team, noting a need to develop a Property Acquisition Strategy to close off the scoping design and preliminary business case.
In January 2016, TfNSW developed a draft Property Acquisition Strategy for the Parramatta Light Rail Project, although it was silent on the potential sites for the stabling and maintenance facility.
TfNSW focussed on 4–6 Grand Avenue because it was available and aligned to TfNSW's strategic interests
In early 2015, officials commenced monitoring the market for industrial real estate in the Camellia area and surrounds for possible sites for a stabling and maintenance facility.
In March 2015, then owner of the site, Akzo Nobel Pty Limited released the 4–6 Grand Avenue site through an Expression of Interest process managed by CBRE.
TfNSW’s then Deputy Director-General, Planning, sought approval from FIC to lodge an Expression of Interest up to $30.0 million. Approval was sought on the basis that it would ‘provide certainty for the Parramatta Light Rail project by allowing for a depot site in a suitable location and potentially avoid higher costs or longer timeframes associated with compulsory acquisition following completion of the project’s business case’. FIC approved the request at its meeting on 9 April 2015.
At this time, TfNSW had not conducted any analysis of financial or operational benefits and costs of the potential sites identified in earlier feasibility studies. TfNSW staff advised us that the decision to participate in the Expression of Interest process for 4–6 Grand Avenue was because it was available. There is no documentation substantiating this statement, which TfNSW staff provided verbally as part of this audit.
In November 2015, TfNSW was advised that it was unsuccessful in the Expression of Interest process and that Grand 4 Investments (a related entity of Billbergia) had purchased 4–6 Grand Avenue. TfNSW did not conduct any further analysis of alternative potential sites in Camellia between this date and commencing discussions with Grand 4 Investments in April 2016. In that time there had been some movement on other properties that were included in the feasibility study, including 37–39a Grand Avenue being under offer in September 2015.
In March 2016, TfNSW approached CBRE to organise a meeting with Grand 4 Investments. On 1 April 2016, TfNSW met with Grand 4 Investments.
TfNSW advises that a perceived benefit of the 4–6 Grand Avenue site was that it was not subject to other uses or leaseholds that would increase the cost of compulsory acquisition. Officers involved in the acquisition advised that other nominated sites in the feasibility study were subject to other uses or leaseholds.
2 Officers familiar with the acquisition could not confirm the nature of remediation being undertaken, but noted that the previous landowner had cleared buildings from the site, which may have been considered part of remediation.
TfNSW's independent valuation, which it commissioned and received after the acquisition, specifically excluded consideration of environmental contamination risk. As a result, TfNSW is exposed to the risk that the acquisition was not fully compliant with the Land Acquisition (Just Terms Compensation) Act 1991 (the Act) because it did not use an accurate estimate of market value during negotiations. That said, the acquisition of 4–6 Grand Avenue by agreement was consistent with preferred processes described in the Act.
TfNSW acquired the site from the landowner by agreement, and this is consistent with provisions in the Act. Obtaining approval for compulsory acquisition should negotiations for agreement break down is also consistent with the Act. That said, TfNSW did not at any time assess whether a compulsory acquisition could have resulted in acquisition at a lower cost than what was negotiated by agreement.
Despite the high risks associated with the acquisition, TfNSW did not commission a formal valuation in time to inform the negotiation and purchase. Instead, TfNSW relied on internal advice to estimate market value, but did not obtain a formal valuation from those advisors. For high-risk transactions, the greater expertise and arm's-length independence of an external specialist valuer should be preferred over an agency's own staff.
On 15 June 2016, the settlement date for the acquisition, TfNSW commissioned a formal independent valuation of the site. On 23 November 2016, TfNSW received the final formal valuation report. By not obtaining a formal independent valuation of the property in advance of acquisition to inform the acquisition value, TfNSW exposed itself to non-compliance with the Act by not establishing the market value as the basis for the acquisition price. TfNSW also breached its own internal policies.
TfNSW instructed the valuer to conduct its valuation within the following parameters:
- Market valuation on an ‘as is’ basis – market value based on the methodology described in the Act. This approach valued the site at $25.0 million.
- Market valuation on a speculative development basis – market value based on the financial value of the vendor's intended use of the site which, in this case, involved leasing the site for industrial use. This approach valued the site at $52.0 million, and TfNSW advised us this valuation supported the purchase price.
- Disregard the impact of environmental contamination – TfNSW specifically instructed the independent valuer to disregard any known (or unknown) site contamination. As TfNSW knew of the significant environmental contamination affecting the site, this parameter resulted in a valuation that overstated the value of the site as it did not consider the cost of environmental remediation. The valuer applied this assumption for both market valuation approaches.
Additionally, as the independent valuer completed the valuation after the purchase was finalised, there is a risk that the valuation may have been influenced by the known purchase price.
TfNSW's failure to acquire a formal valuation and an assessment of the financial impact of environmental remediation before it purchased 4–6 Grand Avenue represents ineffective administration and governance.
TfNSW acquired the site at a time when there was demand and increasing prices for industrial property in the area. However, TfNSW did not effectively assess and manage the risks associated with the acquisition, and gaps in process led to increased risk. Briefings to decision-makers did not contain important information, and we found no evidence that gaps in advice were queried or explored by decision-makers.
TfNSW did not have plans or advice in place to assist in managing risk, such as:
- a property acquisition plan
- a comprehensive and up-to-date risk management plan
- a negotiation strategy, or any authorisation limit or minimal acceptable position
- an independent professional evaluation
- external expert advice (with the exception of legal advice relating to the contract of sale).
TfNSW was aware of contamination issues affecting the land and had access to considerable information about the environmental conditions, such as site environmental audit reports and information on the NSW Environment Protection Authority's contaminated land register. However, TfNSW had not analysed specific technical information about the contamination and therefore was not aware of the risk implications and cost for remediation. Despite this, TfNSW changed its position from not accepting the risks and costs of contamination, to acquiring the site unconditionally. The basis for this decision is unclear and undocumented.
Briefing to senior leaders on the acquisition was silent on a number of important matters that would have been important for approvers to consider, including:
- an explanation of the 40 per cent increase in purchase price between November 2015 and May 2016, and a 165 per cent increase from TfNSW’s offer in April 2015
- the contamination risks associated with the site and an evidence-based estimate of potential costs to remediate the site
- advice that an independent valuation had not been obtained, inconsistent with TfNSW policy.
Consideration of the acquisition by FIC was based on a summary business paper and was managed out-of-session, thereby removing the ability for comprehensive consideration of the acquisition proposal and its risks.
The probity management controls and assurances in place for the acquisition of the 4–6 Grand Avenue site were insufficient. These insufficiencies were exacerbated by the probity risk profile of the transaction.
The 4–6 Grand Avenue acquisition was a high-risk/high-value transaction, undertaken in a volatile property market in a short timeframe under pressure from Grand 4 Investments. TfNSW was engaging in a direct negotiation in advance of detailed planning for the acquisition, or the PLR as a whole. These circumstances contribute to heightened probity risk.
TfNSW did not establish a probity plan and sought no probity support throughout the acquisition. Also, with one exception, the staff involved in the acquisition did not complete conflict of interest declarations.
TfNSW was aware of the potential for probity or integrity issues with the transaction when it commissioned an internal audit in connection with the transaction in 2019. Internal discussions considered whether a misconduct investigation may be more appropriate, however no such investigation was undertaken.
TfNSW's insufficient probity practices, in addition to its failure to keep complete or comprehensive records of negotiations or decisions, reduce transparency of the process and its outcome and expose TfNSW to a greater risk of misconduct, corruption and maladministration.
At the time of the transaction, the TfNSW policy framework was not sufficiently risk-focussed and did not provide clarity on when officers ought to apply specific guidance or procedures. TfNSW's policies and procedures are more focussed on acquiring land to meet project needs and timeframes, and less on assuring value for money and managing risks.
At the time of its acquisition of 4–6 Grand Avenue, TfNSW had property acquisitions policies and procedures in place. Each of these were broadly sound in their content and intent. However, they lacked specificity on how or when to apply guidance, and when risk levels should elevate the importance of recommended guidance.
TfNSW's key guidance was principles based and relied on agency staff using their experience and expertise to apply guidance according to the circumstances of an individual transaction. This guidance was not duly applied in the acquisition of 4–6 Grand Avenue, Camellia. In addition, TfNSW does not have quality or control assurance to identify when TfNSW officers did not apply important policies or processes.
The primary focus of the TfNSW’s property acquisition guidance is to achieve vacant possession of land in a timeframe that meets the need of the relevant transport project. There is less specific focus on the need to meet the requirements of the NSW Government financial management framework.
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright Notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #349 - released (18 May 2021).
Central Agencies 2020
This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
| Audit opinions and timeliness of reporting |
Unqualified audit opinions were issued on the 2019–20 financial statements of central agencies and the Legislature. The audit opinion on the Social and Affordable Housing NSW Fund's compliance with the payment requirements of the Social and Affordable Housing NSW Fund Act 2016 was qualified. All agencies met statutory deadlines for submitting |
| Agencies were financially impacted by recent emergency events | The NSW Government allocated $1.4 billion to provide small business support and bushfire recovery relief, support COVID-19 quarantine compliance management, recruit more staff to respond to increased customer demand, and meet additional COVID-19 cleaning requirements. Agencies spent $901 million (64 per cent of the allocated funding) for the financial year ended 30 June 2020. NSW Self Insurance Corporation reported an increase of $850 million in its liability for claims related to emergency events. |
| AASB 16 'Leases' resulted in significant changes to agencies' financial position | The implementation of new accounting standards was challenging for many agencies. The New South Wales Government Telecommunications Authority was not well-prepared to implement AASB 16 'Leases' and had not completely assessed contracts that contained leases. This resulted in understatements of leased assets and liabilities by $56 million which were subsequently corrected. |
| Implementation of new revenue standards | NSW Treasury did not adequately implement the new revenue standard AASB 1058 ‘Income of Not-for-Profit Entities’ for the Crown Entity. This resulted in understatements of $274 million in opening equity and $254 million to current year revenue, which have been corrected in the final financial statements. |
2. Audit observations
| Management letter findings and repeat issues | Our 2019–20 audits identified nine high risk and 122 moderate risk issues across central agencies and the Legislature. The high risk issues were identified in the audits of:
High risk findings include:
Of the 122 moderate risk issues, 36 per cent were repeat issues. The most common repeat issue related to weaknesses in controls over information technology user access administration, which increases the risk of inappropriate access to systems and records. |
| Grants administration for disaster relief | Service NSW delivers grants responding to emergency events on behalf of other NSW Public Sector agencies. Since the first grant program commenced in January 2020, Service NSW processed approximately $791 million to NSW citizens and businesses impacted by emergency events for the financial year ended 30 June 2020. A performance audit of grants administration for disaster relief is planned for 2020–21. It will assess whether grants programs administered under the Small Business Support Fund were effectively designed and implemented to provide disaster relief. |
| Internal controls at GovConnect NSW service providers require enhancement |
GovConnect NSW provides transactional and information technology services to central agencies. It engages an independent service auditor (service auditor) from the private sector to perform annual assurance reviews of controls at service providers, namely Infosys, Unisys and the Department of Customer Service (DCS). The service auditor issued:
These may impact on the ability of agencies to detect and respond to a cyber incident. Recommendation: We recommend DCS work with GovConnect service providers to resolve the identified control deficiencies as a matter of priority. |
| The NSW Public Sector's cyber security resilience needs to improve |
The NSW Cyber Security Policy requires agencies to provide a maturity self-assessment against the Australian Cyber Security Centre (ACSC) Essential 8 to the head of the agency and Cyber Security NSW annually. Completed self-assessment returns highlighted limited progress in implementing the Essential 8. Repeat recommendation: Cyber Security NSW and NSW government agencies need to prioritise improvements to their cyber security resilience as a matter of urgency |
| Three Insurance and Care NSW (icare) entities had net asset deficiencies at 30 June 2020 | The Workers Compensation Nominal Insurer, NSW Self Insurance Corporation and the Lifetime Care and Support Authority of NSW all had negative net assets at 30 June 2020. These icare entities did not hold sufficient assets to meet the estimated present value of all of their future payment obligations at 30 June 2020. The deterioration in net assets was largely due to increases in outstanding claims liabilities. Notwithstanding the overall net asset deficiencies, the financial statements for these entities were prepared on a going concern basis. This is because future payment obligations are not all due within the next 12 months. Settlement is instead expected to occur over years into the future, depending on the nature of the benefits provided by each scheme. |
| icare has not been able to demonstrate that its allocation of costs reflects the actual costs incurred by the Workers Compensation Nominal Insurer and other schemes |
Costs are incurred by icare as the 'service entity' of the statutory scheme it administers, and then subsequently recovered from the schemes through 'service fees'. In the absence of documentation supported by robust supporting analysis, there is a risk of the schemes being overcharged, and the allocation of costs being in breach of legislative requirements. Recommendation: icare should ensure its approach to allocating service fees to the Workers Compensation Nominal Insurer and the other schemes it manages, is transparent and reflects actual costs. |
| icare did not comply with GIPA requirements | icare did not comply with the Government Information (Public Access) Act 2009 (GIPA) contract disclosure requirements in 2019–20 and has not complied for several years. A total of 417 contracts were identified by management as not having been published on the NSW Government’s eTendering website. The final upload of these past contracts occurred on 20 August 2020. |
| Implementation of Machinery of Government (MoG) changes | MoG changes impacted the governance and business processes of some agencies. Our audits identified and reported areas for improvement in the consolidation of corporate functions following MoG implementation processes at Infrastructure NSW and in the Customer Service cluster. |
This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.
Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.
Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines:
- our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
- our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.
Section highlights
|
Health 2020
This report analyses the results of our audits of financial statements of the Health cluster for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
| Financial reporting |
Unqualified financial audit opinions The financial statements of NSW Health and its 25 controlled entities received unqualified opinions. The number of corrected and uncorrected misstatements increased from the prior year. Misstatements related predominantly to the implementation of new accounting standards, asset revaluations and accounting for new revenue streams to cover the cost of HSW Health’s response to the COVID-19 pandemic. Qualified compliance audit opinion We issued a qualified audit opinion for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. We identified 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19). |
| Financial performance |
NSW Health received an additional $3.3 billion in funding to cover costs associated with its response to the COVID-19 pandemic. The impacts of the COVID-19 pandemic on the cluster were significant for health entities and included changes to operations, increased revenues, expenditure, assets and liabilities. Cancellation of elective surgery and decreased emergency department presentations meant that despite the pandemic, activity levels at many health entities decreased. Health Pathology and HealthShare were notable exceptions. In the period to the 30 June 2020, NSW Health reported that over 900,000 COVID-19 tests were conducted. Health Pathology conducted over 500,000 of these tests. Health Pathology's surge requirements were enhanced through arrangements with 13 private sector providers. HealthShare purchased $864.2 million of personal protective equipment. Overall, NSW Health recorded an operating surplus of $3.1 billion in 2019–20, an increase of $2.0 billion from 2018–19. As in previous years, the surplus largely resulted from additional revenue received to fund capital projects including the construction of new facilities, upgrades and redevelopments. In 2019–20 additional Commonwealth and State funding for the purchase and stockpiling of personal protective equipment also contributed to the operating surplus. |
| Overtime payments | The Ambulance Service of NSW’s (NSW Ambulance) reduced their overtime payments to $79.7 million in 2019–20 ($83.1 million in 2018–19). Overtime payments in 2019–20 included $6.8 million related to the response to the 2019–20 bushfire season. NSW Ambulance overtime payments represent 16.8 per cent of total overtime payments in the cluster. |
2. Audit observations
| Internal control deficiencies |
We identified more internal control deficiencies in 2019–20. The number of repeat issues from prior years also remains high. NSW Health addressed 18 out of the 25 information system control deficiencies during the year. Several key agreements lacked formal documentation. This included agreements between the Ministry and health entities, between health entities and agencies in other clusters and between the Ministry and health departments in other jurisdictions. |
| Infrastructure delivery | NSW Health had 44 ongoing major capital projects at 30 June 2020 with a total revised budget of $12.3 billion. The revised total budget of $12.3 billion is $2.0 billion more than the original budget. NSW Health revises budgets when it combines project stages. |
This report provides parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
The impacts of the COVID-19 pandemic on the cluster were significant and included changes to the operations of the health entities and increased revenue, expenditure, assets and liabilities.
As a part of this year's audits of health entities, we have considered:
- financial implications of the COVID-19 emergency at both health entity and cluster levels
- changes to agencies' operating models
- agencies' access to technology and the maturity of systems and controls to prevent unauthorised and fraudulent access to data.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The response to the COVID-19 pandemic primarily impacted the financial reporting of NSW Health through:
- additional revenue from the State government in the form of grants and stimulus payments
- additional revenue from the Commonwealth government under the National Partnership Agreement for COVID-19 to cover part of the cost of responding to the COVID-19 pandemic
- increased expenses, largely due to increased payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists and increased cleaning costs
- increased purchases of personal protective equipment.
Chapter one outlines the impacts of NSW Health’s response to the COVID-19 pandemic. This chapter outlines our other audit observations related to the financial reporting of agencies in the Health cluster for 2020.
Section highlights
- Unqualified audit opinions were issued for all health entities’ financial statements, although more misstatements were identified than last year.
- NSW Health recorded an operating surplus of $3.1 billion, an increase of $2.0 billion from 2018–19. This is largely due to additional capital grants for new facilities, upgrades and redevelopments and additional Commonwealth and State funding for the purchase of personal protective equipment.
- NSW Health’s expenses increased by 5.5 per cent in 2019–20 (7.0 per cent in 2018–19) despite the impact of the COVID-19 pandemic. The primary causes for the growth in expenses are increases in:
- employee related expenses due to higher employee numbers, increased overtime and a 2.5 per cent award increase
- payments to private health operators to maintain their viability during the COVID-19 pandemic and later to assist with public patient elective surgery waitlists
- payments to private health operators due to the first full year of operation of the Northern Beaches hospital.
- The Ambulance Service of NSW (NSW Ambulance) continued to report higher overtime payments than other health entities. However, despite the response to the 2019–20 bushfire season, their overtime payments were lower than last year. NSW Ambulance paid $79.7 million in overtime payments in 2019–20 ($83.1 million in 2018–19).
- A qualified audit opinion was issued for the Ministry of Health’s Annual Prudential Compliance Statement for aged care facilities operated by NSW Health. There were 18 instances of material non-compliance with the Fees and Payments Principles 2014 (No. 2) (the Principles) in 2019–20 (30 in 2018–19)
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
The primary impact of the COVID-19 pandemic on the effectiveness of the internal controls of NSW Health and health entities relates to the effectiveness of controls implemented by HealthShare relating to the stocktake of personal protective equipment inventories. Inventory managed by HealthShare increased by 2,746 per cent during 2019–20. HealthShare’s inventory controls did not maintain pace with the sudden, significant increase.
The impacts of NSW Health’s response to the COVID-19 pandemic are outlined in chapter one. This chapter outlines other observations and insights from our financial statement audits of agencies in the Health cluster.
Section highlights
- The number of internal control deficiencies has increased since 2018–19. More than a third of control deficiencies are repeat issues.
- Control deficiencies that relate to managing employees’ leave and employee’s time recording continue to be difficult for entities to resolve, particularly during the ongoing response to the COVID-19 pandemic.
- Several key agreements were undocumented. These included agreements between the Ministry and the health entities, between health entities, and between the Ministry and entities in other clusters and jurisdictions. These related to:
- a loan arrangement between the Ministry and HealthShare for $319 million.
- Northern Sydney Local Health District's use of land and buildings owned by the Graythwaite Charitable Trust
- agreements for the treatment of New South Wales residents while they are interstate, and interstate residents receiving treatment while they are in New South Wales from Queensland, Victoria, South Australia and the ACT for both 2019–20 and 2018–19.
- NSW Health reported that they completed nine major capital projects during 2019–20. As at 30 June 2020 there were 44 ongoing major capital health projects in NSW. The revised capital budget for these projects in total was $2.0 billion more than the original budget of $10.3 billion. NSW Health reported the budget revisions are largely the result of combining project stages.
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019 recommendations
Appendix three – Financial data
Appendix four – Analysis of financial indicators
Appendix five – Analysis of performance against budget
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Auditor-General’s Report to Parliament
Health 2020
11 December 2020
This corrigendum has been prepared to amend the following text within the Auditor-General’s Report to Parliament on Health 2020, dated 10 December 2020.
NSW Health emergency department treatment times
On page five the original text was as follows:
NSW Health also measures the percentage of patients whose clinical care in emergency departments is completed within four hours. The measure is used as an indicator of accessibility to public hospital services.
NSW Health aims to complete clinical care in the emergency department for 81 per cent of patients within four hours. In 2019–20 NSW Health reports it completed clinical care within four hours for 72.1 per cent of patients (a 7.3 per cent decrease from 2018–19).
At Western Sydney Local Health District, 59 per cent of patients were treated within the targeted timeframe. NSW Health attribute this to the profile of patients presenting in emergency departments and additional time taken processing COVID-19 patients to ensure staff safety.
The original text has now been changed to:
NSW Health also measures the percentage of patients with total time in the emergency department of four hours or less for each local health district. The measure is used as an indicator of accessibility to public hospital services.
| Local Health Districts | Target % (2019–20) | Actual % (2019–20) |
| Central Coast | 77.0 | 59.9 |
| Far West | 90.2 | 86.6 |
| Hunter New England | 81.0 | 72.5 |
| Illawarra Shoalhaven | 79.0 | 60.2 |
| Mid North Coast | 82.0 | 76.7 |
| Murrumbidgee | 85.3 | 81.9 |
| Nepean Blue Mountains | 79.0 | 65.5 |
| Northern NSW | 81.0 | 78.2 |
| Northern Sydney | 79.0 | 73.9 |
| South Eastern Sydney | 78.0 | 70.3 |
| South Western Sydney | 78.0 | 61.2 |
| Southern NSW | 85.0 | 83.0 |
| Sydney | 76.0 | 70.9 |
| Sydney Children’s Hospitals Network | 80.0 | 72.1 |
| Western NSW | 85.9 | 81.0 |
| Western Sydney | 78.0 | 59.0 |
| St Vincent's Health Network* | 75.0 | 65.4 |
The above changes will be reflected in the version of the report published on the Audit Office website and should be considered the true and accurate version.
Transport 2020
1. Financial Reporting |
|
| Audit opinion | Unmodified audit opinions issued for the financial statements of all Transport cluster entities. |
| Quality and timeliness of financial reporting | All cluster agencies met the statutory deadlines for completing the early close and submitting the financial statements. Transport cluster agencies continued to experience some challenges with accounting for land and infrastructure assets. The former Roads and Maritime Services and Sydney Metro recorded prior period corrections to property, plant and equipment balances. |
| Impact of COVID-19 on passenger revenue and patronage | Total patronage and revenue for public transport decreased by approximately 18 per cent in 2019–20 due to COVID-19. The Transport cluster received additional funding from NSW Treasury during the year to support the reduced revenue and additional costs incurred such as cleaning on all modes of public transport and additional staff to manage physical distancing. |
| Completion of the CBD and South East Light Rail | The CBD and South East Light Rail project was completed and commenced operations in this financial year. At 30 June 2020, the total cost of the project related to the CBD and South East Light Rail was $3.3 billion. Of this total cost, $2.6 billion was recorded as assets, whilst $700 million was expensed. |
2. Audit Observations |
|
| Internal control | While internal controls issues raised in management letters in the Transport cluster have decreased compared to the prior year, control weaknesses continue to exist in access security for financial systems. We identified 56 management letter findings across the cluster and 43 per cent of all issues were repeat issues. The majority of the repeat issues relate to information technology controls around user access management. There were three high risk issues identified - two related to financial reporting of assets and one for implementation of TAHE (see below). |
| Agency responses to emergency events | Transport for NSW established the COVID-19 Taskforce in March 2020 to take responsibility for the overall response of planning and coordination for the Transport cluster. It also implemented the COVIDSafe Transport Plan which incorporates guidance on physical distancing, increasing services to support social distancing and cleaning. |
| RailCorp transition to TAHE | On 1 July 2020, RailCorp was renamed Transport Asset Holding Entity of New South Wales (TAHE) and converted to a for-profit statutory State-Owned Corporation. TAHE is a commercial for-profit Public Trading Entity with the intent to provide a commercial return to its shareholders. A plan was established by NSW Treasury to transition RailCorp to TAHE which covered the period 1 July 2015 to 1 July 2019. A large portion of the planned arrangements were not implemented by 1 July 2020. As at the time of this report, the TAHE operating model, Statement of Corporate Intent (SCI) and other key plans and commercial agreements are not finalised. The State Owned Corporations Act 1989 generally requires finalisation of an SCI three months after the commencement of each financial year. However, under the Transport Administration Act 1988, TAHE received an extension from the voting shareholders, the Treasurer and Minister for Finance and Small Business, to submit its first SCI by 31 December 2020. In accordance with the original plan, interim commercial access arrangements were supposed to be in place with RailCorp prior to commencement of TAHE. Under the transitional arrangements, TAHE is continuing to operate in accordance with the asset and safety management plans of RailCorp. The final operating model is expected to include considerations of safety, operational, financial and fiscal risks. This should include a consideration of the potential conflicting objectives of a commercial return, and maintenance and safety measures. This matter has been included as a high risk finding in our management letter due to the significance of the financial reporting impacts and business risks for TAHE. Recommendation: TAHE management should:
Resolution of the above matters are critical as they may significantly impact the financial reporting arrangements for TAHE for 2020–21, in particular, accounting policies adopted as well as measurement principles of its significant infrastructure asset base. |
| Completeness and accuracy of contracts registers | Across the Transport cluster, contracts and agreements are maintained by the transport agencies using disparate registers. Recommendation (repeat): Transport agencies should continue to implement a process to centrally capture all contracts and agreements entered. This will ensure:
|
This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- the impact of emergencies and the pandemic.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Transport cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.
Section highlights
|
Appendix one – List of 2020 recommendations
Appendix two – Status of 2019, 2018 and 2017 recommendations
Appendix three – Management letter findings
Appendix four – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Regional NSW 2020
This report analyses the results of our audits of financial statements of entities within the Regional NSW cluster for the year ended 30 June 2020. The table below summarises our key observations and recommendations.
1. Machinery of Government (MoG) changes |
|
| Creation of Regional NSW cluster | MoG changes on 2 April 2020 created the Department of Regional NSW (the Department). The Department of Planning, Industry and Environment (DPIE) staff employed in the Regions, Industry, Agriculture and Resources Group, together with associated functions, assets and liabilities were transferred to the new Department. A number of agencies moved from the Planning, Industry and Environment cluster to the new Regional NSW cluster. The Department deals with major issues affecting regional communities, including the coordination of support for people, businesses and farmers who have faced drought, bushfires, flood and the COVID-19 pandemic. |
| The Department is still in the process of implementing changes | The Department continues to receive corporate services support from DPIE. The Department has indicated it will transition to its own policies and procedures by June 2021. |
2. Financial reporting |
|
| Audit opinions | Unqualified audit opinions were issued for all cluster agencies' 30 June 2020 financial statements audits. |
| Timeliness of financial reporting | Nine of the ten cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting the financial statements. The Department and a number of cluster agencies obtained NSW Treasury’s approval to delay submission of their 30 June 2020 financial statements due to delays resulting from accounting and administrative complexities created by the Machinery of Government changes that separated the Department from DPIE. The deadlines were moved from 5 August 2020 to either 10 August 2020 or 12 August 2020. New South Wales Rural Assistance Authority missed the revised deadline by one day. All agencies that were required to perform early close procedures had met the revised timeline. Due to issues identified during audit, four financial statements audit were not completed and audit opinions issued by the statutory deadline. |
| New accounting standards |
Agencies implemented three new accounting standards during the year. Our audit of the Department identified there was a lack of quality assurance over the accuracy of lease information provided by Property NSW. Recommendation: The Department should:
|
3. Audit observations |
|
| Internal control deficiencies |
We identified 30 internal control issues, including 16 findings that were raised with former agencies in previous years. Two matters from previous years have been elevated to high risk during 2019–20. Both matters related to Local Land Services:
Recommendation: Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high-risk and repeat issues. |
| Agency responses to emergency events | The Department's executive leadership committee along with support from DPIE crisis management team managed the recovery from the bushfires and impact of COVID-19. Social distancing and other infection control measures were put in place. The Forestry Corporation of New South Wales accelerated a fire salvage timber program in response to the bushfire emergency. The Department and cluster agencies received additional funding for bushfire recovery and COVID-19 pandemic response. |
The Regional NSW cluster aims to respond to regional issues, creating and preserving regional jobs, driving regional economy, growing existing and supporting emerging industries. The key areas of focus across the New South Wales (NSW) State is shown below:
MoG changes impact on Department of Regional NSW
The Department was created as result of the MoG changes during 2019–20. The Administrative Arrangements Order 2020, effective on 2 April 2020 created the Department of Regional NSW. These changes had a significant administrative impact on the cluster agencies. The MoG change resulted in a transfer of net assets ($446 million) and budget ($284 million) from DPIE to the newly created Department of Regional NSW on 2 April 2020. A summary of the MoG impacts on the Regional NSW cluster is shown below.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The COVID-19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID-19 pandemic. These amendments:
- allowed the Treasurer to authorise payments from the consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
- revised budgetary and financial and annual reporting time frames – impacting the timeliness of financial reporting
- exempted certain statutory bodies and departments from preparing financial statements.
This chapter outlines our audit observations related to the financial reporting of agencies in the Regional NSW cluster for 2020, including any financial implications from the recent emergency events.
|
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statement audits of agencies in the Regional NSW cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.
|
Section highlights
|
Appendix one - List of 2020 recommendations
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Planning, Industry and Environment 2020
This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2020. The table below summarises our key observations.
1. Financial reporting
|
Audit opinions |
There are 45 separate entities in the cluster. Unqualified audit opinions were issued for 38 cluster agencies' 30 June 2020 financial statements audits. Four financial statements audits are still ongoing, and three agencies were not subject to audit due to NSW Treasury reporting exemptions. |
|
Timeliness of financial reporting |
The majority of cluster agencies subject to statutory reporting deadlines met the revised timeline for submitting financial statements. Twenty‑four of the 26 cluster agencies required to submit early close financial statements met the revised timeframe. Due to issues identified during the audit, 13 financial statements audits were not completed and audit opinions not issued by the statutory deadline. |
|
Implementation of AASB 16 'Leases' |
Significant deficiencies were identified in Property NSW's lease data maintenance and lease calculations. Recommendation (partially repeat): Property NSW should:
Our audits of the cluster agencies identified there was a lack of thorough quality assurance over the accuracy of lease information provided by Property NSW. Recommendation: The Department and cluster agencies should:
|
|
Unprocessed Aboriginal land claims continued to increase |
In 2019–20, the Department resolved an additional 468 Aboriginal land claims compared to the prior year. However, the total number of unprocessed Aboriginal land claims increased by 914 to 36,769 at 30 June 2020. The number of claims remaining unprocessed for more than ten years after lodgement increased by 10.9 per cent from last year. Until claims are resolved, there is an uncertainty over who is entitled to the land and the uses and activities that can be carried out on the land. Auditor-General's Reports to Parliament since 2007 have recommended action to address the increasing number of unprocessed claims. To date, the Department has not been able to resolve this issue. During 2020–21, a performance audit will assess the effectiveness and efficiency of the administration of Aboriginal land claims. |
|
Financial reporting of Crown land managers |
The Department will need to provide additional support and guidance to help Crown land managers (CLMs) meet their financial reporting obligations. Recommendation: The Department should:
During 2019–20, NSW Treasury established the reporting exemption criteria for the CLMs. Based on available information, the Department determined 31 CLMs would not meet the exemption criteria and therefore are required to prepare annual financial statements. |
2. Audit observations
|
Internal controls |
Six high‑risk issues were identified across the cluster in 2019–20:
One in three internal control issues identified and reported to management in 2019–20 were repeat issues. Recommendation: Management letter recommendations to address internal control weaknesses should be actioned promptly, with a focus on addressing high‑risk and repeat issues. |
|
Agencies response to recent emergencies |
The unprecedented bushfires and COVID‑19 pandemic presented challenges for the cluster. Agencies established taskforces or response teams to respond to these emergencies. With more staff working from home, agencies implemented protocols and procedures to manage risks associated with the remote working arrangements, and also needed to address certain technology issues. The Department is responsible for the new Planning System Acceleration Program, which aims to fast‑track planning assessments, boost the State's economy and keep people in jobs during COVID‑19 pandemic. Between April and October 2020, the Department announced and determined 101 major projects and planning proposals. |
|
Recognition of Crown land |
Crown land is an important asset of the State. Management and recognition of Crown land assets is weakened when there is confusion over who is responsible for a particular Crown land parcel. Auditor-General's Reports to Parliament since 2017 have recommended that the Department should ensure the database of Crown land is complete and accurate. Whilst the Department has commenced actions to improve the database, this remained an issue in 2019–20. Recommendation (repeat issue): The Department should prioritise action to ensure the Crown land database is complete and accurate. This allows state agencies and local councils to be better informed about the Crown land they control. |
|
Implementation of Machinery of Government (MoG) changes |
Since its creation on 1 July 2019, the Department has largely established its governance arrangements, including setting up the Audit and Risk Committee and internal audit function for the Department and relevant cluster agencies. The Department still operated three main financial reporting systems in 2019–20, and has commenced the process to consolidate some of the systems. The recent Regional NSW MoG change led to the transfer of $446 million net assets and $284 million 2019–20 budget from the Department to the newly created Department of Regional NSW on 2 April 2020. |
This report provides parliament and other users of the Planning, Industry and Environment cluster agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations
- the impact of emergencies and the pandemic.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
The COVID‑19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID‑19 pandemic. These amendments:
- allowed the Treasurer to authorise payments from the Consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
- revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
- exempted certain statutory bodies and departments from preparing financial statements.
This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster for 2020, including any financial implications from the recent emergency events.
Section highlights
The Department has not yet developed a statutory reporting framework for Crown land managers and will need to provide additional resources to help Crown land managers meet their financial reporting obligations. |
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our:
- observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster
- assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
- review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.
Cluster agencies experienced a range of control and governance related issues in recent years. An increased number of high risk issues and greater proportion of repeat issues were identified as part of our audits. It is important for cluster agencies to promptly address these issues.
Section highlights
|
